Welcome to Module 3.2, Metrics.
During this module we will explore how to plan what metrics to consider for your programme, understand metrics to measure compliance, and understand metrics to measure noncompliance.
So, planning for the metrics.
Determining the audience for the metrics is incredibly important.
Typically it's the executive level or the privacy committee that is going to review the metrics. So you want to make sure that the metrics are put into a report that is something that group or the executives are used to seeing, in a specific format. It tends to be different for each organization, so make sure you align it with something that they are familiar with.
Determine what you are measuring. For example, risk and revenue activities are some examples of what you could be measuring. We'll talk a little bit more about those in the compliance section.
Define reporting resources: where you're getting your information from and what systems you're using to collect the data, and understand how information is collected, where it is stored, and who or what has access. For example, mobile app data, websites, landing pages, Internet of Things devices, etcetera.
So in the compliance section, when we talk about metrics, collection is an important metric to consider: what type of data and how much you're collecting on a daily, monthly, or quarterly basis. It's up to your group to determine how to measure the collection of information, which certainly goes to understanding the overall risk profile of your organization. If you're collecting more information over time, your risk profile tends to go up. If you're collecting less information over time, potentially your risk profile is going down, or your privacy program is really starting to work in making sure you're not collecting any more than you need to conduct business.
Responses to data subject inquiries are something that you also want to track and have metrics associated with.
Again, if the responses are increasing, that could show that you potentially are doing a better job communicating about your program externally. But if your responses are decreasing, either you've removed a lot of the concerns that are out there, or there could be other factors that went into that. So that's up to you to discuss with your leadership and your committee or your team on why that could be occurring. Use, retention, disclosures to third parties.
Training and awareness tracking is also incredibly important to make sure that you are continuing to assess and train your staff in regard to your privacy program.
Tracking incidents, whether it's a breach, complaints, or inquiries, is also important to help you understand what type of resources are needed, as well as PIA and DPIA metrics that may be a result of those reports, of those types of studies that are done within your organization or on an organizational department or function, to help you make determinations on what to do to reduce risk or potentially improve the financial situation associated with that process.
Noncompliance. So trend analysis is important to track. As we discussed back in compliance, there could be trend analyses that are done to understand what the noncompliant efforts could be within your organization. If there's a certain group that is not being compliant, or if there are certain incidents that are continuing to occur, you may want to track those events as a project to get a better handle on how to avoid a continuation of noncompliant events.
Privacy program return on investment is something that also should be considered. If you're not in compliance with that, you may have a hard time understanding or getting more funding for your program. You should be working to get a return on investment with your privacy program, and if there are individuals who are not compliant, that can certainly impact that.
Program maturity is another area that is important to track. If you're not in compliance with the maturity level that you're supposed to be at, that is something that could indicate that there may need to be an assessment or analysis done to further understand why you are not compliant with your maturity goals, or why you've dropped in your maturity.
Also resource utilization: understanding what type of resources you have, whether it's systems or individuals or people you've hired to help you. If you're not able to keep up with your current workload, that might be an opportunity for you to lobby for additional funds or resources to help you keep up with demand.
Revenue from data sale or access is also important to track. If for some reason you're sharing data and you have an agreement with a third party to use information that you've collected, and for some reason that is not panning out from the goals that you've set with that third party, you may want to consider making adjustments. So it's important to consider metrics for that function.
Metrics should tell a story and ultimately improve a process, and this is something that I want to make sure that you understand. If you take anything away from this module, understand that the metrics should tell a story based off of the collection, how you analyze it, and how you report that information to your audience.
Understanding the blank is instrumental during metrics planning to ensure the metrics captured have value.
Is it regulation, controller, or audience?
The answer is audience. Understanding your audience is something that's incredibly important when you're developing and planning for your metrics.
In this module, we discussed what metrics to consider for your privacy program and reviewed how to use metrics for compliance and noncompliance activities.