Hello, Can anyone point me in the right direction. I’m searching for a way to identify appropriate KPIs for our privacy program. We’re UK based but impacted by GDPR and CCPA also.
Any experiences or best practices would be highly appreciated. Thanks.
Privacy program KPIs
Share
Dominga Leone
Here are some key ones I use:
– Data subject rights requests received and percentage completed within relevant timeframe
-Number of initiatives which have gone live without a DPIA being initiated or being initiated in unrealistic timeframes.
– Number of data protection complaints, internal and to ICO
-Number of Breaches
-Number reported to ICO
-Percentage of trained employees
-Open issues
I have also developed far more detailed KPI than the above, but it was of limited value.
The key to all of these is that rather that just being numbers they have a RAG status and trend. The trend is important because it allows us to see if things are consistently going in the wrong direction.
steventhomson
We can take some guidance around KPIs from the Accountability Tracker issued by the ICO. The expectations here cover KPIs relating to:
– SAR performance (volume of requests and percentage completed within timescales)
– Training (percentage of staff who have completed training)
– Information security (number of security breaches, incidents and near misses)
– Records management (file retrieval statistics, adherence to disposal schedules, performance of system to index and track paper files)
We also measure the number of other requests (not SARs) and timescales, and number of data breaches (as well as security breaches). We are developing our KPIs around data retention – this is an area that we are finding difficult due to the amount of different places data is stored. Data retention will likely be a suite of KPIs by itself.
Andrea
We use a balance of KPIs and KRI (Key Risk Indicators). So, for example , we might have
KPI: Percentage of data subject rights requests completed within relevant timeframe
KRI: Number of data subject rights requests received (as it might indicate issues elsewhere in the business)
KPI: Percentage of DPIAs reviewed and returned to the originator within x days
KRI: Number of initiatives which have gone live without a DPIA being initiated or being initiated in unrealistic timeframes
Simon
When it comes to privacy and KPIs I think it’s important to remember that ‘performance’ often measures things beyond your control, and it can be as much about workload, but that data can be useful for identifying needs to increase efficiency & effectiveness.
In the past I developed KPIs around responses to FOI and SARs (how many received, effort required per request, % completed in timeframe, % resulting in ICO complaints). Other indicators have included DSPT completion % targets, audit completion targets, number of ‘first’ DPIAs reviewed, number of ‘old’ DPIAs reviewed.