Privacy Metrics Programs

Privacy management programs must be carefully monitored and adjusted if they are to be relevant and effective. Metrics measure specified activities and return qualitative or quantitative characteristics about an organization’s privacy management program, whether it be about its personal information holdings or an information-related process. A directed “metrics program” is an organized collection of such measurements.

Applying Privacy Metrics

Privacy metrics establish evidence of compliance with legislative or regulatory requirements as well as internal privacy policies and procedures. They help decision-makers enhance organizational governance and support management in making privacy-related decisions.

An organization’s privacy-related activities consist of governance and operational activities. The former may involve identifying privacy risks and making decisions to mitigate those risks through the design and implementation of privacy programs, policies and procedures. Operational activities, on the other hand, involve monitoring an organization’s performance to ensure day-to-day adherence to privacy-related policy and procedures. Privacy metrics can be applied in both activity areas.

Implementing a Metrics Program

In general, there are four phases to implementing a privacy metrics program:

  1. Metrics Development – Define privacy metrics, including benchmarks.
  2. Data Collection – Identify or confirm data sources, ensure that they are accurate and consistent.
  3. Report Development – Develop procedures to record and analyze the metric information. Provide suitable formats for both detailed and summarized reports.
  4. Implementation – Adopt the procedures and reporting requirements.

When designing metrics, consider the organization’s core activities and its privacy-related expectations or objectives. Issues that may be important for one organization may not be of interest to another. Thus, privacy metrics may differ widely between organizations.


Determine what your benchmarks will be. Benchmarks offer a means of comparison against which performance may be measured. As organizational privacy requirements are often unique, internal benchmarks will evolve over time. If there is a high benchmark, a low number/result in the early periods of information collection may not reflect a poor metric. What it does indicate is that there is a need to re-adjust the benchmark to what will be – over time – the historical norm. In certain instances, there may be no benchmark, or there may not be a desire to have a benchmark.


Consider how the metrics report will be structured. This should be influenced by the degree of difficulty in sourcing the information to populate the metrics report. Reporting activities should be considered through the following parameters:

  • Frequency – the time period during which the metric is to be measured (e.g. monthly, quarterly, annually).
  • Collection – this refers to the accumulation and compilation of metrics for privacy management purposes.
  • Reporting – this refers to the collection and analysis of metrics for senior management reports.


It’s important to regularly monitor a privacy metrics program in order to assess the relative maturity of the metrics. Over time, one or more of your metrics may diminish in importance or relevance because of the smooth running of an activity. Others may come to the forefront to take its place. Revise your privacy metrics program as appropriate.

Keep in mind that the metrics chosen for a program should not be advertised, in order to maintain objectivity. Consider the observer effect, in which people will change their behavior when they are made aware of being watched. Publishing metrics will inevitably make employees more aware of actions and may influence reporting.

Examples of Privacy Metrics

Some examples of privacy metrics from various organizations include:

  • Average privacy document “age”
  • Number of days between on-boarding and completion of basic privacy and security training
  • Number of privacy risks that are outstanding after allocated mitigation period
  • Number of completed privacy assessments
  • Number of incidents tracked by origin; by organizational unit; by project; by security level
  • Mean time to initiate response to an incident
  • Mean time to complete response to an incident
  • Percentage of organizational budget dedicated to privacy
  • Percentage of privacy personnel with recognized privacy certifications
  • Percentage of staff receiving privacy training
  • Average cost of an incident
  • Percentage of “high-sensitivity” solutions with encryption, anonymization or pseudonymization capabilities
  • Percentage of “high-sensitivity” solutions with monitored audit trails


A directed privacy metrics program helps organizations monitor the efficacy of their privacy activities. This article examines privacy metrics in terms of application, implementation, benchmarking, reporting and monitoring. Several examples of privacy metrics are also listed.

CIPP Exam Preparation                                      

In preparation for the Certification Foundation Course (Foundations) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Privacy impact on organizational risk (I.C.a.)
  • Management and administration (I.C.b.iv.)
  • Monitoring and enforcement (I.C.b.v.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>