Articles

Data Privacy Metrics: How to Show the Value of Privacy Programs

Written by Matt Davis, CIPM (IAPP) | June 15, 2022

It can be easy for data privacy professionals to become hyper-fixated on metrics like how many data subject access requests (DSARs) they receive, how quickly they resolve DSARs, how many security incidents occur in a given span of time, how many audits they’ve completed, and so on.

It’s important to track data privacy metrics like these — they inform how well you’re doing your job and help you identify ways to do it better. But these are internal metrics. Once your audience expands beyond the privacy team, you may get the sense that you aren’t making an impact with your reports.

In part, this is because these internal data privacy metrics reinforce an assumption: Data privacy is so often seen as a cost center for businesses, something that the business needs but which doesn’t generate revenue.

In reality, data privacy’s contribution to revenue can only be assessed if it’s being measured. Tracking and reporting on the metrics that assess data privacy’s revenue contribution is the key to capturing attention from the rest of the organization.

Doing so will increase the chances that your team gets the resources they need. As a result, you’ll have a stronger, more capable data privacy program.

Why aren’t privacy professionals reporting on value?

Despite their importance, most data privacy professionals aren’t reporting these value-affirming data privacy metrics. According to research from Cisco, 93% of data privacy professionals are reporting on metrics to the board, but only 16% include value and ROI in those reports.

Why is that?

It certainly isn’t because data privacy professionals believe — like others — that data privacy is a cost-sink. The same research from Cisco showed that most privacy professionals believe that investments in their program translate to clear business value:

  • 68% believe privacy investments reduce sales delays
  • 76% believe they build trust with customer
  • 74% believe they enable operational efficiency
  • 73% believe they enable innovation
  • 74% believe they mitigate security losses
  • 73% believe they make their company more attractive to customers


If privacy professionals believe in data privacy’s ROI, why don’t they report on it more?

The problem may be a simple one: Although they believe that data privacy generates ROI, they may not know what metrics can prove it.

Privacy program metrics that show value:

If you’ve only ever reported on things like the number of DSARs you’ve completed or the outcomes of a recent privacy impact assessment (PIA), then you might be at a loss for what sorts of data privacy metrics convey value. Here are some examples to get you started.

Time to vendor onboarding

As a privacy professional, one of the biggest overlaps between your job and revenue generation likely lies in your interactions with vendors. The faster you can assess vendors’ data privacy practices and onboard them, the faster you can get the business the tools and partnerships it needs for growth.

Note that this isn’t something you should prioritize over all else. Speed is good, but not at the expense of security. Rather, your time to vendor onboarding should be a byproduct of your mastery over the vendor evaluation process. If it begins to trend downward, it’s something worth highlighting in your reports. Focusing too much on deliberately shrinking this number, however, can do more harm than good.

Vendor review status

Under the General Data Protection Regulation (GDPR), organizations can face fines of up to €20M or 4% of their revenue (whichever is higher) should one of their vendors breach data privacy requirements. Other regulations impose similar penalties. Thus, speed of onboarding isn’t the sole business concern that data privacy professionals face when evaluating vendors.

In support of decreasing your time to vendor onboarding, it’s essential to report on the number of vendors with completed, in process, and/or planned reviews. This will help you identify bottlenecks in your vendor review process, quantify your capacity, and provide proof of your role in facilitating the business’s partnerships.

Vendor review scores

Some privacy professionals develop rubrics and scoring systems to evaluate their vendors’ risk profile. If a vendor falls beneath a certain threshold, then they might formally recommend against that partnership. Alternatively, they might request certain safeguards be implemented to ensure customer data remains protected.

Tracking vendor scoring over time can serve as a proxy for the overall risk present in your organization’s vendor ecosystem. When combined with metrics on vendor review status and time to vendor onboarding, this metric can inform you whether your vendor onboarding process is mature — and thus, whether the business is growing in a sustainable way.

Projects influenced

As a privacy professional, it’s essential that you contribute to projects early and often in order to achieve privacy by design. Secure and private products, initiatives, and campaigns don’t just happen; your guidance makes them happen. You can provide valuable input to HR and marketing initiatives, new products and features, new tools and systems, and more.

But this sort of input can be invisible to the rest of the organization unless you track it and report upon it.

Furthermore, reporting on the number and nature of projects you’ve consulted on serves as a kind of advertising. Other stakeholders will realize that they have the option of asking you about the privacy aspects of their projects. As a result, your organization’s products, systems, and initiatives will be more secure.

Deals influenced

It’s not just highly regulated industries like healthcare and finance where data privacy matters; every modern business has some level of privacy consciousness. Even day-to-day consumers are asking more questions about what’s happening with their data. As a result, privacy can be an important factor in sales conversations.

Privacy professionals can keep track of the number of deals in which they consult with the buyer on the privacy implications of their decision. Ideally, they can track the number of deals won where a privacy professional was involved versus deals lost and compare that with the overall win:lose ratio when privacy professionals were not involved.

The results could show that privacy is an important factor in closing deals (which is a rock-solid way of showing your contribution to revenue). Or, they could reveal that privacy factors are somehow souring an otherwise good deal, which could uncover improvements that will increase consumer trust.

Cookie consent

Tracking the number of website visitors who reject all cookies or who consent to marketing, analytics, and/or personalization cookies can help inform a wide variety of outcomes relevant to the broader business.

Notably, user consent rates give you a sense of user trust.

Trust is incredibly important to a business and its brand, but it’s highly challenging to measure. To measure trust, companies invest in expensive and time-consuming voice-of-the-customer (VOC) programs or purchase VOC services and insights from a third party. While consent rates won’t give you the full picture when it comes to consumer trust, they can serve as a proxy that’s worth tracking.

Additionally, user consent has a huge impact on your business’s marketing team and their ability to do their jobs. Without cookie consent, marketers have access to far less data to analyze their audience, website performance, campaign performance, and so on. They’ll appreciate it if you track and share consent rate metrics with them. With that info, they might be able to identify problems with the website UI, the brand’s reputation, the reliability of their analytics data, and more.

The key to measuring privacy’s contribution to revenue

Measuring the privacy team’s contribution to revenue, characterizing its efficacy, ensuring that the business has a quantifiable understanding of what it is that you do — these are essential for any successful data privacy professional. But it isn’t possible if your workday is taken up with handling the low-value, transactional tasks that data privacy requires.

It can be easy to spend all day responding to DSAR emails and tracking their status in a spreadsheet. Or, you might get caught up maintaining cookie banner compliance across dozens of different jurisdictions. Or, you might need to spend hours researching a prospective vendor to see if they meet your privacy standards or not.

Fortunately, all of these tasks can be offloaded to data privacy software solutions, so you can spend more time acting on the tasks that contribute to the business’s success and revenue — like consulting on deals, collaborating on projects, and reporting on your team’s activities to the board.

If you’re curious about how data privacy software could free up your time to focus on higher-value tasks, speak with an expert at Osano, or try a free trial of our platform for thirty days.