The Sustain Phase

Monitoring & Auditing Privacy Program Performance

This interactive guide explores Chapter 7 of "Privacy Program Management," focusing on the "Sustain" phase of the privacy life cycle. Learn how organizations use metrics, monitoring, and audits to ensure their privacy programs remain effective, compliant, and valuable.

Section 7.1: Metrics

Metrics are the foundation of a sustainable privacy program. They provide objective data to measure performance, demonstrate value, and justify investments. This section breaks down the most popular metrics, how to analyze them (for example with the Privacy Maturity Model, PMM), and who their audiences are.

Most Popular Privacy Metrics

Based on IAPP-FTI Consulting findings, these are the most commonly tracked metrics. A significant portion of organizations (21%) reported using no formal metrics at all.

Core Principles of Metrics

Currency & Value

Must be simple, quantifiable, and correlated to business goals.

Purpose

Inform of success, failure, and progress toward objectives.

Benefits

Normalize concepts, eliminate jargon, and advance program maturity.

ROI Justification

Quantify mitigated risks in financial terms to prove value.

Metric Audiences

Primary

  • Privacy Officers/DPOs
  • Senior Leadership (CIO/CSO)
  • Program Managers

Secondary

  • CFO
  • Training / HR

Tertiary

  • Watchdog Groups
  • Sponsors
  • Shareholders

Analysis Methods: Privacy Maturity Model (PMM)

The PMM provides a scale to measure program maturity, allowing organizations to set a baseline and target. Each level builds on the previous one.

1. Ad hoc: Informal, incomplete, inconsistent processes.

2. Repeatable: Procedures exist, but are not fully documented or do not cover all aspects.

3. Defined: Fully documented, implemented, and covering all relevant aspects.

4. Managed: Reviews are conducted to assess the effectiveness of the controls in place.

5. Optimized: Regular review and feedback are used for continual improvement toward optimization.

Reporting to the Board

Metrics are vital for DPOs and privacy leaders to demonstrate compliance and program status to the highest management levels. Common metric categories reported to the board, often driven by GDPR mandates, include:

  • Number of reported incidents
  • Number of actual (confirmed) incidents
  • Number of incidents reportable to authorities
  • Number of attempted system intrusions
  • Average investigation and response time for incidents
  • Number of Privacy Impact Assessments (PIAs) completed
  • Number of Data Protection Impact Assessments (DPIAs) completed
  • Average completion time for PIAs/DPIAs
  • Number of staff receiving privacy training
  • Percentage of all staff who have completed training
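The board metrics above are simple counts and averages over incident and training records. The following is an added example (not code from the book or the guide) that computes them from a small constructed incident log and training roster; the record field names and the rule that only confirmed incidents are counted as reportable are assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed sample records (not real incidents); field names are assumed.
INCIDENTS = [
    {"id": "INC-1", "reported": "2024-03-01T09:00", "confirmed": True,  "reportable": True,  "closed": "2024-03-03T09:00"},
    {"id": "INC-2", "reported": "2024-03-02T10:00", "confirmed": False, "reportable": False, "closed": "2024-03-02T12:00"},
    {"id": "INC-3", "reported": "2024-03-05T08:00", "confirmed": True,  "reportable": False, "closed": "2024-03-06T08:00"},
    {"id": "INC-4", "reported": "2024-03-07T14:00", "confirmed": True,  "reportable": True,  "closed": None},  # still open
]
# Constructed training roster: staff member -> completed privacy training?
TRAINING = {"alice": True, "bob": True, "carol": False, "dave": True}


def _hours(start, end):
    """Elapsed hours between two ISO-like timestamps (minute resolution)."""
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600


def board_metrics(incidents, training):
    """Return the board-level metric set: incident counts, response time, training coverage."""
    confirmed = [i for i in incidents if i["confirmed"]]
    # Only closed incidents have a measurable response time; open ones are counted but not averaged.
    durations = [_hours(i["reported"], i["closed"]) for i in incidents if i["closed"]]
    trained = sum(1 for done in training.values() if done)
    return {
        "reported_incidents": len(incidents),
        "confirmed_incidents": len(confirmed),
        # Assumption: an incident is reportable to authorities only once it is confirmed.
        "reportable_to_authorities": sum(1 for i in confirmed if i["reportable"]),
        "open_incidents": sum(1 for i in incidents if i["closed"] is None),
        "avg_response_hours": round(mean(durations), 1) if durations else None,
        "staff_trained": trained,
        "pct_staff_trained": round(100.0 * trained / len(training), 1) if training else 0.0,
    }


if __name__ == "__main__":
    for name, value in board_metrics(INCIDENTS, TRAINING).items():
        print(f"{name}: {value}")
```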

Section 7.2: Monitoring

Monitoring involves ongoing activities to control, manage, and report privacy risk. It's the continuous process of ensuring your organization is adhering to its policies and meeting regulatory goals, helping to detect failures early and drive program improvement.

Types of Monitoring

Compliance

Focuses on collection, use, and retention of personal information to ensure policies and controls are in place and effective.

Regulation

Tracks constant changes to laws and requirements to ensure policies are updated in a timely manner.

Environment

Monitors internal and external vulnerabilities, from physical building access to insider and cybersecurity threats.

Training Data

Tracks and assesses training completion rates by employee and topic to ensure organization-wide awareness.

Forms of Monitoring

Tools

Active scanning tools for networks and storage to identify risks, like PII on public-facing servers.

Audits

Internal and external reviews of people, processes, and technology to evaluate controls.

Breaches

Tracking breach type, severity, and time-to-remediation to assess program sufficiency.

Complaints

Tracking type and origin of complaints as an early indicator of potential regulatory activity.

Data Retention

Monitoring schedules for risks like excessive collection or inadequate access controls.

Controls

Assessing the design and efficacy of established operational and program-level privacy controls.

Human Resources

Ensuring protections for employee data and monitoring compliance-related investigations.

Suppliers

Monitoring third-party performance and compliance with contractual privacy requirements.

Section 7.3: Audits

Audits are a formal, evidence-based process to evaluate the effectiveness of your privacy controls. They are critical for demonstrating compliance and are triggered by regular schedules, system changes, security incidents, or regulatory requests.

The Five-Phase Audit Life Cycle

The Audit Life Cycle is a continuous process that ensures controls are reviewed and improvements are scheduled.

Phase  Name       Key Activities
1      Plan       Conduct risk assessment, set schedule, select auditor, compile checklist.
2      Prepare    Confirm schedule, prepare sampling criteria, finalize audit plan.
3      Audit      Execute functional goals, meet with stakeholders and process owners.
4      Report     Draft formal report, record noncompliance, suggest corrective actions.
5      Follow-up  Confirm scope of remediation, schedule activities, and close out the audit.

Types of Audits

The type of audit determines who conducts the review and its primary objective.

Type          Conducted By                                         Primary Purpose / Characteristic
First-Party   The organization itself (internal)                   Supports self-certifications; evaluates internal risk culture and control implementation.
Second-Party  The organization, auditing another entity (supplier) Ensures suppliers/subcontractors comply with contractual privacy requirements. Accountability is retained by the data collector.
Third-Party   Independent outside source                           Provides increased credibility; often triggered by regulatory request; aligns to external frameworks (NIST, ISO).