Privacy Program Framework - Section II.C. - Using Privacy Metrics Flashcards

1
Q

Compliance Metric

A

Compliance metrics are intended to help an organization determine whether its legal and regulatory requirements are being met. They are typically the most straightforward type of metric that privacy professionals utilize, and they typically measure core privacy-related activities.

2
Q

What do resource utilization metrics attempt to measure?

A

Whether the organization is using its resources and employees to their highest capacities.

3
Q

What two factors should be considered when determining what should be included in the “costs” and “benefits” inputs of a return on investment analysis?

A

(1) The extent to which the costs and benefits being measured are related to the reasons for the program’s implementation;
(2) How value is best defined.

4
Q

What two categories are generally covered by business resiliency metrics?

A

(1) Metrics related to the planning aspects of business continuity; and
(2) The effectiveness of business resiliency efforts.

5
Q

What is an irregular component analysis?

A

A type of trend analysis that is intended to spot patterns by removing irregular occurrences from the analysis.

Company X wants to know how often customers request data access and measures the number of data subject requests it receives, excluding requests made by employees.

6
Q

What type of performance measure is most likely to consist of absolute numbers?

A

A compliance metric.

7
Q

To be valuable, what characteristics must a privacy metric have?

A

(1) Measurable;
(2) Meaningful;
(3) Clearly defined (within boundaries);
(4) Able to indicate process; and
(5) Answers a specific question.

8
Q

How is a secondary audience for a privacy metric defined?

A

By whether the audience is concerned with specific aspects of a privacy function that are not directly related to privacy qua privacy (e.g., budget).

9
Q

What is the general unit of measure for a resource utilization metric that analyzes employee utilization?

A

Time. For example, the availability of employees against the amount of time necessary to complete the tasks or job functions to which the employee is already assigned.

10
Q

True or False: An accurate return on investment analysis should typically include both direct and indirect costs.

A

True

11
Q

True or False: A return on investment analysis is only useful for measuring the value of investing in a privacy program as a whole.

A

False. An ROI analysis can be used to measure the value returned on investments in individual aspects of a privacy program.

12
Q

What are some examples of a primary audience for privacy metrics?

A

• Data Protection Officer (“DPO”) under the GDPR
• Chief Information Officer (“CIO”)
• Chief Information Security Officer (“CISO”)
• Board of Directors, and
• Senior Leadership.

13
Q

What are some examples of a secondary audience for privacy metrics?

A

Functional departments, such as the human resources department, or specific employees, such as the Chief Financial Officer (“CFO”).

14
Q

What are some examples of a tertiary audience for privacy metrics?

A

Shareholders, watchdog groups, and government regulators.

15
Q

What is the formula for measuring a return on investment?

A

ROI equals (Benefits minus Costs) divided by Costs.

16
Q

True or False: The more metrics an organization utilizes the more value an organization derives from the use of metrics.

A

False. The use of more and more metrics does not always create more value.

17
Q

What is business resiliency?

A

An organization’s ability to quickly adapt to disruptions and maintain continuous operations in the face of those disruptions.

18
Q

The number of data subject inquiries made and the percentage of employees receiving privacy training are examples of what type of privacy metric?

A

Compliance metrics.

20
Q

What is a return on investment analysis?

A

A measurement of the financial gain or loss avoidance that results from a project measured against the cost of the program.

21
Q

What two organizations jointly created the privacy maturity model?

A

The American Institute of Certified Public Accountants (“AICPA”) and the Canadian Institute of Chartered Accountants (“CICA”).

22
Q

What is a trend analysis?

A

A performance metric that quantifies and explains trends in data that occur over time.

23
Q

The potential for sampling error is a weakness of what type of privacy metric analysis?

A

A trend analysis.

24
Q

True or False: Metrics are useful across an organization, and therefore they need not be tailored to specific audiences.

A

False. Because different audiences are likely to be interested in different aspects of privacy performance, metrics should be tailored to specific audiences.

25
Q

Should privacy metrics be defined internally or externally from an organization?

A

Metrics should be defined internally to address an organization’s specific needs, rather than relying on external measures of success.

26
Q

In an ROI analysis, the “benefits” input can include what two factors?

A

Actual gain and losses avoided as a result of the investment.

27
Q

True or False: Privacy metrics increase the maturity level of a privacy program.

A

True

28
Q

What set of FIPs does the Privacy Maturity Model work hand-in-hand with?

A

The Generally Accepted Privacy Principles.

29
Q

How is the “ad hoc” level of the Privacy Maturity Model best described?

A

Procedures or processes are generally informal, incomplete, and inconsistently applied.

30
Q

True or False: Compliance metrics often are good examples of key performance indicators.

A

True. Compliance metrics are intended to measure whether legal and regulatory requirements are being met, a primary goal of most organizational privacy programs.

31
Q

How is a primary audience for a privacy metric defined?

A

By whether the audience is directly concerned with the functioning of the privacy program.

32
Q

How is a tertiary audience for a privacy metric defined?

A

By whether the audience is primarily concerned with the broader functions of the organization and how the privacy function affects these broader goals.

33
Q

What is a cyclical component analysis?

A

A type of trend analysis that is intended to spot patterns in data at regular fluctuations, such as after a privacy training exercise.

34
Q

Should privacy metrics be subjective or objective?

A

Objective.

37
Q

What is the general unit of measure for a resource utilization metric that analyzes resource utilization?

A

Capacity. For example, how much is the resource being used and how much use can it sustain.