Start Measuring Your Privacy Compliance
These five steps will help you measure your privacy compliance.
When it comes to measuring privacy compliance, many people overthink it or make it harder than it needs to be. Nothing is complicated once you break it down into simple, actionable steps. Here are five steps to measuring privacy compliance effectively:
1. Decide what to measure. Are you a mature organization with a privacy program you want to measure? If not, is it a single system, product, or tool? Think carefully about what you want to measure before you do anything else.
2. Determine your why. Do not jump straight into data collection. Once you know what you are measuring, ask yourself why. Is it to satisfy a compliance requirement? Is it to showcase your maturity? Or is it simply an executive ask? Clarify your ‘why’ and let it drive what data goes into the report. Readers want to know why this information matters to them.
3. Think about your score. Which scoring system would you like to use? Is it numbered (e.g., one through five)? Is it ‘fair,’ ‘good,’ ‘excellent’? Is it color-coded? The scoring system doesn’t need to be perfect before you begin, but settle on one before you start collecting data.
There are a few things to remember when setting it up. First, be mindful of colors. People and regulators are sensitive to colors like red or black. Use more neutral colors, or ones that aren’t too alarming (yellow, orange, blue, etc.).
Second, if you choose a system and later see that it doesn’t work, don’t be afraid to adjust it. For example, we once used a scoring system numbered one through five, and partway through we realized that our ‘three’ was really three minus, three, and three plus. That middle band is where most organizational progress shows up, so we refined the score during the process rather than losing that detail.
Next, think about the top score and be clear about what it means to you. Is it a realistic goal or an aspirational one? Nothing is perfect, and things change quickly, so make your top score realistic and achievable.
4. Document. Once you have established what you want to do, start collecting data. Use a framework that fits your organization. It might be as simple as the Generally Accepted Privacy Principles (GAPP), or a regulation that applies to your industry (for example, the Health Insurance Portability and Accountability Act, or HIPAA, if you’re in healthcare). If you operate in the European Union, it might be the General Data Protection Regulation (GDPR). Open a simple Excel spreadsheet, transfer the regulatory requirements into it one per row, and score each requirement against the scoring system you established. Record where the evidence for each score lives, so the number can be backed up when someone asks.
5. Communicate. Now is the time to report your results, and don’t rush it. Spend time explaining what you measured, why you measured it, how you did it, and what you found. Adjust the message to the audience and make sure they understand you. Don’t underestimate the importance of communication.
People don’t like to be measured, and you are measuring them. People also misunderstand things and see what they want to see rather than what you intended, so always communicate.
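The spreadsheet in step 4 and the scoring refinements in step 3 can be checked with a small script. The following is an added example, not code from the original post or from Aleada Consulting. It assumes a 1–5 scale in which a ‘+’ or ‘−’ suffix shifts a score by 0.3, four neutral label bands (‘Initial’, ‘Developing’, ‘Established’, ‘Leading’), and a constructed CSV whose principle names follow GAPP; the requirements, scores and evidence cells are illustrative only. It rolls requirement scores up per principle and overall, and lists any requirement scored without recorded evidence.

```python
"""Privacy-compliance scorecard (added example; assumptions noted in comments)."""
import csv
import io
from collections import defaultdict
from statistics import mean

# Assumed label bands for the 1-5 scale: neutral wording rather than red/black,
# and a top band that a real program can actually reach.
LABEL_BANDS = [(4.5, "Leading"), (3.5, "Established"), (2.5, "Developing"), (0.0, "Initial")]


def parse_score(raw: str) -> float:
    """Turn a cell such as '3', '3+' or '3-' into a number on the 1-5 scale.

    The +/- refinement (assumed to be worth 0.3) records 'three minus / three /
    three plus' without abandoning the original 1-5 scale.
    """
    raw = raw.strip()
    modifier = raw[-1] if raw and raw[-1] in "+-" else ""
    base = int(raw[: len(raw) - len(modifier)])
    if not 1 <= base <= 5:
        raise ValueError(f"score out of range: {raw!r}")
    adjusted = base + {"+": 0.3, "-": -0.3, "": 0.0}[modifier]
    return round(min(5.0, max(1.0, adjusted)), 1)  # '5+' is still 5, '1-' still 1


def label_for(score: float) -> str:
    """Map a numeric score to its neutral label band."""
    for threshold, name in LABEL_BANDS:
        if score >= threshold:
            return name
    return LABEL_BANDS[-1][1]


def build_scorecard(csv_text: str) -> dict:
    """Aggregate per-requirement scores into per-principle and overall results.

    Returns {'principles': {name: {score, label, unevidenced}}, 'overall': {...}}.
    Requirements with an empty evidence cell are listed so the report can show
    where a score rests on assertion alone.
    """
    by_principle = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_principle[row["principle"]].append(row)

    principles = {}
    all_scores = []
    for name, rows in by_principle.items():
        scores = [parse_score(r["score"]) for r in rows]
        all_scores.extend(scores)
        avg = round(mean(scores), 2)
        principles[name] = {
            "score": avg,
            "label": label_for(avg),
            "unevidenced": [r["requirement"] for r in rows if not r["evidence"].strip()],
        }
    overall = round(mean(all_scores), 2)
    return {"principles": principles, "overall": {"score": overall, "label": label_for(overall)}}


# Constructed sample data standing in for the spreadsheet. Principle names follow
# GAPP; the requirements, scores and evidence references are made up for the example.
SAMPLE_CSV = """principle,requirement,score,evidence
Notice,Privacy notice published and current,4,Policy page URL
Notice,Notice reviewed before new processing starts,3-,
Choice and Consent,Consent captured before marketing email,3+,CRM screenshot
Collection,Data minimization review for new intake forms,2,
Security for Privacy,Quarterly access review of PII stores,4,Q1 review log
Security for Privacy,Encryption at rest for PII databases,5,KMS configuration export
"""

if __name__ == "__main__":
    card = build_scorecard(SAMPLE_CSV)
    for name, result in card["principles"].items():
        print(f"{name:22s} {result['score']:.2f} {result['label']:12s} "
              f"unevidenced: {len(result['unevidenced'])}")
    print(f"{'Overall':22s} {card['overall']['score']:.2f} {card['overall']['label']}")
```

On the sample data the overall score lands exactly on the ‘Established’ threshold while one principle sits at ‘Initial’ with no evidence recorded; that is the kind of detail a single overall number hides, which is why the report should carry both the roll-up and the per-principle rows.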
I may have simplified the process, but I also want to show that you can start measuring your compliance program today if you follow these simple steps. As always, if you have questions about this topic, or have one in mind you’d like to see us cover in a future video, don’t hesitate to reach out to us. We’d love to help.
This is a Security Bloggers Network syndicated blog from the "Ask Aleada" Blog - Aleada Consulting, authored by Mari Pizzini. Read the original post at: https://www.aleada.co/ask-aleada-blog/2021/6/2/start-measuring-your-privacy-compliance

