Metrics and Privacy Programs

Now, it is time to use metrics for your privacy programs. It has been a long journey since we started the description of the role of a Privacy Manager and his/her tasks. Do you remember this post? If you have followed our posts, you now have a privacy program in place for your entity. But, could it be improved? Below you can find some metrics that can help you in the evaluation of your effort. Also, you can check the resources available at the IAPP Web page here.



Metrics for Training and Awareness Programs

Primarily, you have to measure the value of your training and awareness initiatives. Here some possible data to collect:

  • first, percentage of employees involved in the annual exercise
  • second, the score of the tests/questions your employees answered to
  • then, some out-of-the-box exercise results and their trends (i.e., phishing tests)
  • lastly, suggestions received from the employees. Maybe they can help you in building a more effective training program next year

Privacy programs and Customers Experience

In a similar manner, it is important to understand how your customers perceived your efforts. Did they perceive the value of your privacy program? You may ask them questions like:

  • Have you ever read our Privacy Notice?
  • Was it easy to find?
  • In your opinion, was it
    • too long?
    • too short?
    • long enough?
  • Do you consider our Privacy Notice written in plain text?
    • If not, please, suggest us any improvements

Metrics and Rights of Data Subjects

Critically important is the management of the rights of the data subjects. As a result, the following questions could be interesting for measuring your programs:

  • In the first place, how many Data Subjects Rights (DSR) requests have you received?
  • Secondly, were they answered in a timely manner?
  • Moreover, who was in charge of the DSR program?
  • Also, did the DSRs slow down your operations?
  • Eventually, could this program be improved?

Privacy Accountability

Now, you should measure the efficiency of your privacy policies and internal procedures as well. Therefore, questions like the followings could be useful:

  • How many internal policies and procedures do you have?
  • When were they reviewed/updated?
  • Have they ever answered all the practical issues in the privacy domain?
  • What was the feedback from the privacy officers on the field?


So far, we have only mentioned few parameters useful to measure the efficacy and effectiveness of your privacy program. Nevertheless, we can adapt the metrics to the specific needs of your entity. Send us an email and we will be happy to guide you in carrying out this task. Your Privacy Manager in Spain, Europe is here to help you!