1 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 v © TRUSTe Inc., 2016 Metrics for Success: Quantifying the Value of the Privacy Function December 8, 2016

Metrics for Success: Quantifying the Value of the Privacy Function [Webinar Slides]



Today's Speakers

Deidre Rodriguez, Director, Corporate Privacy Office, Anthem, Inc.

Marcus Morissette, Global Privacy Officer, eBay

Kevin Trilli, SVP Product, TRUSTe


Privacy Metrics and Dashboard

Kevin Trilli, SVP Product, TRUSTe


Agenda

• Speaker Intros

• Metrics and Privacy Organization

• Categories and types of Metrics

• Building / establishing a Monitoring Program

• Challenges and Recommendations


Privacy Metrics


Purposes and Categories of Metrics

Target Audience                     Audience   Purpose
Privacy Officer / Privacy Manager   Internal   • Program development
                                               • Organizational management
Executives / BOD                    Internal   • Communicate overall risk posture
                                               • Resource requests
Auditors / Regulators               External   • Demonstrate program accountability and effectiveness
                                               • Transparency


CPO/Privacy Manager: Program Establishment, Evolution and Budgeting

• Initial stage is strategy planning and development

– Requires selecting and planning a set of program activities

– Establish the required set of resources

• On-going management

– Program and goal management

– Resource utilization

– Gaps / program maturity velocity


Example: Privacy Program Management


CPO/Privacy Manager: Operational Management

• Inbound inquiries to privacy team (tickets/advice/projects)

– % utilization

• Policies under management

– Reflect external and internal laws, regulations and policies; shows scope

• Assets under management

– Data processing applications and systems

• Projects (risk assessments, PIAs, etc.)

– #, state, aging, response time

– Risk issues identified and remediated

• Incidents (breach, data release, regulatory inquiries)

– #, type and risk levels, remediation plan

• All are mapped to each BU to show status across the enterprise

– Includes HR, IT and Marketing functional groups as needed


Example: Risk Assessment and Remediation Metrics


Executive / BOD

• Privacy Program Overview / Budgeting

– Program to Goal (%)

– Overall resource allocation

– Budget justification

• Risks

– Incidents

– Regulatory enquiries

– Related fines/investigations (vertical)

– Heat Map


External Reporting

• Derived from internal metrics/dashboard, but may need sanitizing

• Have ready on-demand to demonstrate the program

– Ideal: technological system of record that can grow and aggregate project/project

– Maintained for data integrity

• Basics:

– Database of data processing assets (#, classified by risk) with metadata

– Construction of key data transfers (EU, APEC)

– Consumer metrics (inquiries/disputes and resolution paths)

• Needs to be accompanied by evidence/documentation


Example: Asset Inventory characterized by risk


Where to Start


Starting a Monitoring Program

• First socialize with stakeholders / execs

• Determine what matters most / scope

• Prioritize to get started

• Assess current capabilities


Starting a Monitoring Program

• Document your privacy program plan to get ready

– Will you need to develop emails or templates for use during monitoring (announcement emails, SharePoint sites created, who will be responsible for what)?

– Determine where you will store data and who will have access

– Are there callouts/disclaimers that need to be added to metrics?

– When will metrics be produced and by whom?

– Stagger monitoring so that it will not create negative impact for the business

– Understand any reporting/monitoring that may be done in the business that will have potential impact

– Write a desktop procedure for how everything will happen A-Z

• Communicate across the broader organization


Beginning to Monitor


Beginning to Monitor

• Identify the lead that will be responsible for monitoring a specific piece of work

• Put everything on the calendar

– Date you will start sending requests to the business

– Date you will analyze data

– Date that you will document findings

– Date you will review metrics

– Date that you will release metrics

– Date corrective action plans will be due

– Any ongoing follow up or re-monitoring to ensure the issue has been adequately addressed

• Keep leadership informed of roll out and any changes to the program that may impact them


Continuing to Grow Monitoring Program


Growing Monitoring Program

• Continue to monitor risks and what matters most

• Identify a plan to grow the program

– What will be monitored next and why

– Doing it by risk is easiest to explain

– Continue to lobby for resources to expand the program

• Continue to collect feedback on metrics

• Document all findings and follow up on corrective action plans

– This enables you to show leadership the positive impact of your program (what were you able to find and correct)

• Partner with Internal Audit

• Roll up data by quarter and produce annual metrics


Challenges and Takeaways


Challenges

• How to do the actual job but also measure and document

• Control of data sources that feed metrics

• Dealing with aspects of privacy management that don't have easy metrics


Contacts

Deidre Rodriguez [email protected]

Marcus Morissette [email protected]

Kevin Trilli [email protected]


Details of our 2017 Winter/Spring Webinar Series will be available shortly.

See http://www.truste.com/insightseries for all the 2016 Privacy Insight Series and past webinar recordings.

Thank You!