Disclaimer: The views and lesson here are mine alone and do not represent my employer, the LEGO Group, or previous coursework taught at Cleveland State University School of Law.
Throughout this course I’ve written about the need for your DP&P program to demonstrate value. As a risk and compliance function, DP&P will never be viewed in the same light as product development, marketing, or sales, but that doesn’t mean your program can’t be a valuable component of your organization and differentiator in the market.
Exhibiting this value to senior executives remains a challenge though, and maintaining solid internal program governance is a good first step. This should include developing a strategic overview with a sensible organization structure and developing a program scorecard that contains appropriate metrics. Executives want to see their dollars put to good use, and DP&P leaders need to be strong communicators and salespeople to continually prove their team’s worth.
Senior executives also aren’t just going to increase the DP&P office’s budget and headcount on good vibes and a general appreciation of the DP&P program. But if the DP&P office can continually show its executive stakeholders that its program is well organized and its team members are exceptional business partners, then when additional resources or headcount are needed, budget requests become much easier.
Let’s discuss a bit further.
- One of the hardest aspects of operationalizing DP&P is continually demonstrating to your leadership the value of the function. DP&P professionals innately understand the importance of our roles, but to many executives it’s just another risk and compliance function that requires money and headcount and slows down the business. It doesn’t matter what’s in the media these days either, as many business leaders have become immune to the data breach scare tactics that worked a decade ago when many companies first built their DP&P function.
- The current market conditions for many companies remain problematic as well. After the rash of hiring during the pandemic when many companies increased their DP&P team size, the past year has seen a precipitous slowdown in the market. It appears many organizations are operating effectively and efficiently with the resources they have, and any increase in headcount or other resources needs to have a strong business case.
- In the face of these headwinds, program management becomes critical and DP&P leaders need to have a clear understanding of their role and be able to communicate it up, down and across the organization. It would be prudent for the DP&P office to maintain a handful of slides about the DP&P program’s mission and strategy as well as the key goals for the year and be ready to use them whenever the opportunity presents itself. The more allies you have, the better.
- One of the easier ways to communicate the DP&P program’s effectiveness is in a monthly scorecard or dashboard. While scorecards don’t tell the whole story, they can quickly explain some of the essential DP&P components impacting the organization. Many of these metrics may be directly under the DP&P office’s control, and should be simple to determine, but others may be owned by other functions and the DP&P office will need to work with them to get accurate and reportable data.
- Some of the potential metrics to include in a monthly scorecard are data subject requests (divided between internal and external requests and average number of days to close a request), personal data incidents (with reportable breaches broken out separately), risk assessments (or DPIAs) performed, percent of applications with completed records of processing activities, third parties reviewed, data processing agreements signed, and percent of employees trained (divided by online and in person). Not all of these may make sense for every organization, but the DP&P office should consult with executive stakeholders to identify what they want to see and report on it.
- At least annually, the DP&P team should review its metrics to confirm they still make sense. While you might start off measuring one area of your program, after a year or two you could realize that it isn’t providing any real insight into the DP&P program or helping executives understand your value. In that situation, you should be confident in removing it from your scorecard and perhaps measuring something else.
- Maintaining monthly metrics can also serve another purpose by identifying areas that might need additional support and resources. For example, if you start to see a trend where there is a sustained increase in data subject requests and the time to close those requests increases too, there may be a need to add resources. Armed with data, DP&P leaders can then develop a compelling business case to request additional headcount or other resources to best support the organization.
- Additionally, DP&P leaders should constantly be evaluating their organization’s strategic projects and identifying appropriate ways to provide support and counsel. While you need to be careful not to insert yourself where you don’t belong, when there are new initiatives related to using personal data, it would make sense that the DP&P team be an important contributor. Examples may include novel personalized marketing campaigns or a new HRMS implementation.
- Don’t be afraid to leverage existing relationships across the organization to ask for budget and resources when needed. While it might be easier to go through your direct leadership structure to make these requests, sometimes there may be peers in other functions that have extra budget or headcount that can be applied to support the DP&P program’s goals. An example could include working with the CISO to add privacy engineers to a team of existing cyber security engineers to broaden the team’s capabilities and therefore better support the organization.
- At least annually (and sometimes more often), most heads of DP&P will be asked to present to either the board of directors (or a governance/audit board committee) or an internal risk and compliance executive committee to provide updates on the status of the DP&P program. These presentations are a great opportunity to demonstrate the DP&P program’s value, and if appropriate, make requests for additional resources. Often, if there is a specific risk that needs to be addressed, someone in the room can help facilitate the resources needed to address it. But be careful to not overplay that hand, as your credibility could be impacted.
- As a DP&P leader you should always be trying to learn how other companies approach similar operational challenges, as there will likely be a time where a senior executive will stop you during a presentation to ask how other companies are approaching the same issue. For example, when seeking additional resources for supporting a privacy by design program, leadership may ask if you know how similarly structured companies approach this challenge. While you need to be careful not to breach any competition laws, benchmarking against peers (and using that information wisely) can be another powerful tool to help secure the resources for the DP&P office.
- Most senior leaders also want to use benchmarking to help keep your DP&P program from falling too far behind or getting too far ahead of its peers. No company wants to be in the bottom quartile when it comes to compliance activities, and similarly, most companies also don’t want to be on the cutting edge of compliance spend either. By developing a comprehensive knowledge of how other organizations approach similar challenges, whether through participating in roundtable events or by attending conferences, you can use that information to demonstrate how your DP&P program maintains a reasonable and appropriate approach to best support the business.
- Finally, DP&P leaders should look for opportunities to share their DP&P program publicly with partners, customers, and peers. While some executives may be apprehensive of sharing how their company manages a risk and compliance function, doing so can reap dividends in good will, also showing how DP&P can be a differentiator in the market. Just ensure that anything that is shared, whether at a conference, podcast, white paper, or knowledge sharing group, has been approved by your leadership and corporate communications.