Privacy Program Framework - Section II.C. - Using Privacy Metrics Flashcards
Compliance Metric
Compliance metrics are intended to help an organization determine whether its legal and regulatory requirements are being met. They are typically the most straightforward type of metric that privacy professionals utilize, and they typically measure core privacy-related activities.
What do resource utilization metrics attempt to measure?
Whether the organization is using its resources and employees to their highest capacities.
What two factors should be considered when determining what should be included in the “costs” and “benefits” inputs of a return on investment analysis?
(1) The extent to which the costs and benefits being measured are related to the reasons for the program’s implementation;
(2) How value is best defined.
What two categories are generally covered by business resiliency metrics?
(1) Metrics related to the planning aspects of business continuity; and
(2) The effectiveness of business resiliency efforts.
What is an irregular component analysis?
A type of trend analysis that is intended to spot patterns by removing irregular occurrences from the analysis.
Company X wants to know how often customers request data access and measures the number of data subject requests it receives, excluding requests made by employees.
What type of performance measure is most likely to consist of absolute numbers?
A compliance metric.
To be valuable, what characteristics must a privacy metric have?
(1) Measurable;
(2) Meaningful;
(3) Clearly defined (within boundaries);
(4) Able to indicate progress; and
(5) Answers a specific question.
How is a secondary audience for a privacy metric defined?
By whether the audience is concerned with specific aspects of a privacy function that are not directly related to privacy qua privacy (e.g., budget).
What is the general unit of measure for a resource utilization metric that analyzes employee utilization?
Time. For example, the availability of employees against the amount of time necessary to complete the tasks or job functions to which the employee is already assigned.
True or False: An accurate return on investment analysis should typically include both direct and indirect costs.
True.
True or False: A return on investment analysis is only useful for measuring the value of investing in a privacy program as a whole.
False. A ROI analysis can be used to measure the value returned on investments in individual aspects of a privacy program.
What are some examples of a primary audience for privacy metrics?
- Data Protection Officer (“DPO”) under the GDPR
- Chief Information Officer (“CIO”)
- Chief Information Security Officer (“CISO”)
- Board of Directors, and
- Senior Leadership.
What are some examples of a secondary audience for privacy metrics?
Functional departments, such as the human resources department, or specific employees, such as the Chief Financial Officer (“CFO”).
What are some examples of a tertiary audience for privacy metrics?
Shareholders, watchdog groups, and government regulators.
What is the formula for measuring a return on investment?
ROI equals (Benefits minus Costs) divided by Costs.