Metrics for Success: Quantifying the Value of the Privacy Function [Webinar Slides]

1
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Metrics for Success: Quantifying
the Value of the Privacy Function
December 8, 2016

2
Today’s Speakers
Deidre Rodriguez
Director, Corporate Privacy Office
Anthem, Inc
Marcus Morissette
Global Privacy Officer
eBay
Kevin Trilli,
SVP Product,
TRUSTe

3
Privacy Metrics and Dashboard
Kevin Trilli, SVP Product, TRUSTe

4
• Speaker Intros
• Metrics and Privacy Organization
• Categories and types of Metrics
• Building / establishing a Monitoring Program
• Challenges and Recommendations
Agenda

5
Privacy Metrics

6
Purposes and Categories of Metrics
Target Audience Audience Purpose
Privacy Officer /
Privacy Manager
Internal • Program development
• Organizational Management
Executives / BOD Internal • Communicate overall risk
posture
• Resource requests
Auditors /
Regulators
External • Demonstrate program
accountability and effectiveness
• Transparency

7
• Initial stage is strategy planning and development
– Requires selecting and planning a set of program activities
– Establish required set of resources
• On-going management
– Program and goal management
– Resource utilization
– Gaps / program maturity velocity
CPO/Privacy Manager:
Program Establishment, Evolution and Budgeting

8
Example: Privacy Program Management

9
• Inbound inquiries to privacy team (tickets/advise/projects)
– % utilization
• Policies under management
–Reflective of external and internal laws, regs, policies  shows scope
• Assets under management
– Data processing applications and systems
• Projects (risk assessments, PIAs, etc)
– #, state, aging, response time
– risk issues identified and remediated
• Incidents (breach, data release, reg inquiries)
– #, type and risk levels, remediation plan
• All are mapped to each BU to show status across enterprise
–Includes HR, IT and Marketing functional groups as needed
CPO/Privacy Manager: Operational Management

10
Example: Risk Assessment and Remediation Metrics

11
• Privacy Program Overview / Budgeting
– Program to Goal (%)
– Overall Resource allocation
– Budget justification
• Risks
– Incidents
– Regulatory enquiries
– Related fines/investigations (vertical)
– Heat Map
Executive / BOD

12
• Derived from internal metrics/dashboard, but may need
sanitizing
• Have ready on-demand to demonstrate program
– Ideal: Technological system of record that can grow and aggregate
project/project
– Maintained for data integrity
• Basics:
– Database of data processing assets (#, classified by risk) with metadata
– Construction of key data transfers (EU, APEC)
– Consumer metrics (inquiries/disputes and resolution paths)
• Needs to accompanied by evidence/documentation
External Reporting

13
Example: Asset Inventory characterized by risk

14
Where to Start

15
• First socialize with stakeholders / execs
• Determine what matters most / scope
• Prioritize to get started
• Assess current capabilities
Starting a Monitoring Program

16
•Document your privacy program plan to get ready
–Will you need to develop emails or templates for use during monitoring
(announcement emails, SharePoint sites created, who will be responsible for
what)
–Determine where you will store data and who will have access
–Are there callouts/disclaimers that need to added to metrics?
–When will metrics be produced and by whom
–Stagger monitoring so that it will not create negative impact for the business
–Understand any reporting/monitoring that may be done in the business that will
have potential impact
–Write desktop procedure for how everything will happen A-Z
• Communicate across broader organization
Starting a Monitoring Program

17
Beginning to Monitor

18
•Identify lead that will be responsible for monitoring a specific piece of
work
•Put everything on the calendar
–Date you will start sending requests to business
–Date you will analyze data
–Date that you will document findings
–Date you will review metrics
–Date that you will release metrics
–Date corrective action plans will be due
–Any ongoing follow up or re-monitoring to ensure issue has been adequately
addressed
•Keep leadership informed of roll out and any changes to program that
may impact them
Beginning to Monitor

19
Continuing to Grow Monitoring
Program

20
•Continue to monitor risks and what matters most
•Identify plan to grow program
–What will be monitored next and why
–Doing it by risk is easiest to explain
–Continue to lobby for resources to expand program
•Continue to collect feedback on metrics
•Document all findings and do follow up on corrective action plans
–This enables you to show leadership the positive impact of your program (what
were you able to find and correct)
•Partner with Internal Audit
•Roll up data by quarter and produce annual metrics
Growing Monitoring Program

21
Challenges and Takeaways

22
• How to do actual job but also measure and
document
• Control of data sources that feed metrics
• Dealing with aspects of privacy
management that don’t have easy metrics
Challenges

23
Deidre Rodrigeuz Deidre.Rodriguez@anthem.com
Marcus Morissette mmorissette@ebay.com
Kevin Trilli ktrilli@truste.com
Contacts

24
Details of our 2017 Winter/Spring Webinar Series will be available shortly.
See http://www.truste.com/insightseries for all the 2016 Privacy Insight
Series and past webinar recordings.
Thank You!

Metrics for Success: Quantifying the Value of the Privacy Function [Webinar Slides]

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Andere mochten auch

Andere mochten auch (7)

Mehr von TrustArc

Mehr von TrustArc (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Metrics for Success: Quantifying the Value of the Privacy Function [Webinar Slides]