Privacy Program Framework - Section II.C. - Using Privacy Metrics

Question 1

Compliance Metric

Answer 1

Compliance Metrics are intendet to help an organization determine whether its legal and regulatory requirements are being met. They are typically the most straightforward type of metric that privacy professionals utilize, and they typically measure core privacy-related activities.

Question 2

What do resource utilization metrics attempt to measure?

Answer 2

Whether the organization is using its resources and employees to their highest capacities.

Question 3

What two factors should be considered when determining what should be included in the “costs” and “benefits” inputs of a return on investment analysis?

Answer 3

(1) The extent to which the costs and benefits being measured are related to the reasons for the program’s implementation;
(2) How value is best defined.

Question 4

What two categories are generally covered by business resiliency metrics?

Answer 4

(1) Metrics related to the planning aspects of business continuity; and
(2) The effectiveness of business resiliency efforts.

Question 5

What is an irregular component analysis?

Answer 5

A type of trend analysis that is intended to spot patterns by removing irregular occurrences from the analysis.

Company X wants to know how often customers request data access and measures the number of data subject requests it receives, excluding requests made by employees.

Question 6

What type of performance measure is most likely to consist of absolute numbers?

Answer 6

A compliance metric.

Question 7

To be valuable, what characteristics must a privacy metric have?

Answer 7

(1) Measurable;
(2) Meaningful;
(3) Clearly defined (within boundaries);
(4) Able to indicate process; and
(5) Answers a specific question.

Question 8

How is a secondary audience for a privacy metric defined?

Answer 8

By whether the audience is concerned with specific aspects of a privacy function that are not directly related to privacy qua privacy (e.g., budget).

Question 9

What is the general unit of measure for a resource utilization metric that analyzes employee utilization?

Answer 9

Time. For example, the availability of employees against the amount of time necessary to complete the tasks or job functions to which the employee is already assigned.

Question 10

True or False: An accurate return on investment analysis should typically include both direct and indirect costs.

Answer 10

True

Question 11

True or False: A return on investment analysis is only useful for measuring the value of investing in a privacy program as a whole.

Answer 11

False. A ROI analysis can be used to measure the value returned on investments in individual aspects of a privacy program.

Question 12

What are some examples of a primary audience for privacy metrics?

Answer 12

• Data Protection Officer (“DPO”) under the GDPR
• Chief Information Officer (“CIO”)
• Chief Information Security Officer (“CISO”)
• Board of Directors, and
• Senior Leadership.

Question 13

What are some examples of a secondary audience for privacy metrics?

Answer 13

Functional departments, such as the human resources department, or specific employees, such as the Chief Financial Officer (“CFO”).

Question 14

What are some examples of a tertiary audience for privacy metrics?

Answer 14

Shareholders,
watchdog groups, and
government regulators.

Question 15

What is the formula for measuring a return on investment?

Answer 15

ROI equals (Benefits minus Costs) divided by Costs.

Question 16

True or False: The more metrics an organization utilizes the more value an organization derives from the use of metrics.

Answer 16

False. The use of more and more metrics does not always create more value.

Question 17

What is business resiliency?

Answer 17

An organization’s ability to quickly adapt to disruptions and maintain continuous operations in the face of those disruptions.

Question 18

The number of data subject inquiries made and the percentage of employees receiving privacy training are examples of what type of privacy metric?

Answer 18

Compliance metrics.

Question 19

What two factors should be considered when determining what should be included in the “costs” and “benefits” inputs of a return on investment analysis?

Answer 19

(1) The extent to which the costs and benefits being measured are related to the reasons for the program’s implementation;
(2) How value is best defined.

Question 20

What is a return on investment analysis?

Answer 20

A measurement of the financial gain or loss avoidance that results from a project measured against the cost of the program.

Question 21

What two organizations jointly created the privacy maturity model?

Answer 21

The American Institute of Certified Public Accountants (“AICPA”) and the
Canadian Institute of Chartered Accountants (“CICA”).

Question 22

What is a trend analysis?

Answer 22

A performance metric that quantifies and explains trends in data that occur over time.

Question 23

The potential for sampling error is a weakness of what type of privacy metric analysis?

Answer 23

A trend analysis.

Question 24

True or False: Metrics are useful across an organization, and therefore they need not be tailored to specific audiences.

Answer 24

False. Because different audiences are likely to be interested in different aspects of privacy performance, metrics should be tailored to specific audiences.

Question 25

Should privacy metrics be defined internally or externally from an organization?

Answer 25

Metrics should be defined internally to address an organization’s specific needs, rather than relying on external measures of success.

Question 26

In an ROI analysis, the “benefits” input can include what two factors?

Answer 26

Actual gain and losses avoided as a result of the investment.

Question 27

True or False: Privacy metrics increase the maturity level of a privacy program.

Answer 27

True

Question 28

What set of FIPs does the Privacy Maturity Model work hand-in-hand with?

Answer 28

The Generally Accepted Privacy Principles.

Question 29

How is the “ad hoc” level of the Privacy Maturity Model best described?

Answer 29

Procedures or processes are generally informal, incomplete, and inconsistently applied.

Question 30

True or False: Compliance metrics often are good examples of key performance indicators.

Answer 30

True. Compliance metrics are intended to measure whether legal and regulatory requirements are being met, a primary goal of most organizational privacy programs.

Question 31

How is a primary audience for a privacy metric defined?

Answer 31

By whether the audience is directly concerned with the functioning of the privacy program.

Question 32

How is a tertiary audience for a privacy metric defined?

Answer 32

By whether the audience is primarily concerned with the broader functions of the organization and how the privacy function affects these broader goals.

Question 33

What is a cyclical component analysis?

Answer 33

A type of trend analysis that is intended to spot patterns in data at regular fluctuations, such as after a privacy training exercise.

Question 34

Should privacy metrics be subjective or objective?

Answer 34

Objective.

Question 35

What is the general unit of measure for a resource utilization metric that analyzes employee utilization?

Answer 35

Time. For example, the availability of employees against the amount of time necessary to complete the tasks or job functions to which the employee is already assigned.

Question 36

What two organizations jointly created the privacy maturity model?

Answer 36

The American Institute of Certified Public Accountants (“AICPA”) and the
Canadian Institute of Chartered Accountants (“CICA”).

Question 37

What is the general unit of measure for a resource utilization metric that analyzes resource utilization?

Answer 37

Capacity. For example, how much is the resource being used and how much use can it sustain.