This section will assist the privacy professional with general best practices for identifying, defining, selecting, collecting and analyzing metrics specific to privacy.
With advances in technology and the corresponding legal obligations, organizations must ensure proper protections are in place and functioning optimally.
Tracking and benchmarking through performance measurement is critical to ensure the program stays current and continues to deliver value.
Why Performance Measurements?
Inform different audiences about operations
Help answer specific questions with a targeted metric
Goal tied to an objective, e.g., deliver 100% of privacy notices
Help make informed decisions.
Don’t overdo metrics
There are different audiences for different metrics. Relevant stakeholders are generally those who will use the data to view, discuss or make strategic decisions, or some combination of the three.
Typical Audience
CISO
CIO
DPO
HR
CFO
Since metrics continue to change as business objectives and goals evolve, an individual should be assigned to both champion and own each metric.
A metric owner must be able to evangelize the purpose and intent of that metric to the organization.
As a best practice, it is highly recommended that a person with privacy knowledge, training and experience perform this role, to limit possible errors in the interpretation of privacy-related laws, regulations and practices.
Once metrics have been collected, data analysis is conducted. Statistical methods help ensure the data is interpreted correctly.
Analysis:
Trend analysis is one of the easiest statistical methods to use for reporting data. It attempts to spot a pattern in the information as viewed over a period of time. There are many statistical trending methods, including simple data patterns, fitting a trend (e.g., least squares), trends in random data (i.e., data modelled as a trend plus noise, a noisy time series), and measuring goodness of fit.
The cyclical component shows the regular, repeating fluctuations in the data over a time period.
The irregular component, or noise, is what is left over once the other components of the series (trend and cyclical) have been accounted for.
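The following is a worked example, added here and not part of the original text, of the three analysis steps above applied to a privacy metric: a least-squares trend is fitted, the cyclical component is estimated as the average deviation from trend at each phase of the cycle, and whatever remains is the irregular component, with R-squared as the goodness-of-fit figure. The series (eight quarters of a metric such as "access requests closed late") and the period are constructed sample values chosen to contain a clear trend and a four-quarter cycle; the function names are this example's own.

```python
# Classical additive decomposition of a metric series: value = trend + cyclical + irregular.
# Standard library only, so it runs anywhere a privacy team can run Python.

# Constructed sample data (not real figures): eight quarters of a privacy metric,
# e.g. access requests closed late per quarter, with a four-quarter cycle.
SAMPLE_SERIES = [12, 10, 12, 18, 20, 18, 20, 26]
PERIOD = 4  # observations per cycle (quarters per year)


def least_squares_trend(values):
    """Fit y = intercept + slope * t by ordinary least squares; return (slope, intercept)."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two observations to fit a trend")
    t_mean = (n - 1) / 2
    y_mean = sum(values) / n
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in enumerate(values))
    sxx = sum((t - t_mean) ** 2 for t in range(n))
    slope = sxy / sxx
    return slope, y_mean - slope * t_mean


def decompose(values, period):
    """Split a series into trend, cyclical and irregular components."""
    if len(values) < period:
        raise ValueError("series shorter than one full cycle")
    slope, intercept = least_squares_trend(values)
    trend = [intercept + slope * t for t in range(len(values))]
    detrended = [y - tr for y, tr in zip(values, trend)]
    # Cyclical component: mean detrended value at each phase of the cycle,
    # centred so that one full cycle sums to zero (the usual convention).
    phase_means = []
    for p in range(period):
        phase_vals = detrended[p::period]
        phase_means.append(sum(phase_vals) / len(phase_vals))
    centre = sum(phase_means) / period
    phase_means = [m - centre for m in phase_means]
    cyclical = [phase_means[t % period] for t in range(len(values))]
    # Irregular component (noise): what trend and cycle do not explain.
    irregular = [d - c for d, c in zip(detrended, cyclical)]
    return {"slope": slope, "intercept": intercept, "trend": trend,
            "cyclical": cyclical, "irregular": irregular}


def goodness_of_fit(values, irregular):
    """R-squared of the trend + cyclical model: 1 - SS_residual / SS_total."""
    y_mean = sum(values) / len(values)
    ss_res = sum(e * e for e in irregular)
    ss_tot = sum((y - y_mean) ** 2 for y in values)
    return 1 - ss_res / ss_tot


if __name__ == "__main__":
    result = decompose(SAMPLE_SERIES, PERIOD)
    print("trend per quarter:", result["slope"])
    print("cyclical pattern:", result["cyclical"][:PERIOD])
    print("irregular:", result["irregular"])
    print("R^2:", goodness_of_fit(SAMPLE_SERIES, result["irregular"]))
```

On the sample series the trend is +2 per quarter, the cycle is (+2, -2, -2, +2) and the irregular component is zero, so R-squared is 1. Adding a one-off spike to two adjacent quarters leaves the slope unchanged but shows up in the irregular component and lowers R-squared; that residual is what a metric owner should examine before reporting the number as a trend.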
Focusing solely on disasters will lead an organization to be defensive; a proactive approach instead enables the organization to "respond to an unexpected event more quickly and more cost effectively."
Reporting to the Board
A number of factors have contributed to the elevation of the privacy professional in organizations around the world, but perhaps none has been as influential as the GDPR and its "mandatory DPO."
In late 2018 the IAPP undertook the exercise of creating a template for a DPO report. To do this, it identified all the activities the GDPR mandates for the DPO and created metrics for demonstrating compliance.
This section refers to ongoing activities organizations undertake to control, manage and report risk associated with privacy management practices.
Monitoring should be done to ensure that the organization is actually doing what they say they are doing—and what they are supposed to be doing.
Monitoring should be continual, based on the organization’s risk goals, and executed through defined roles and responsibilities that may include privacy, audit, risk and security personnel.
There are different types of monitoring for different business purposes.
10.2.1.1 Compliance
Compliance monitoring is focused on the collection, use and retention of personal information to ensure necessary policies and controls are in place for compliance.
10.2.1.2 Regulation
Laws, regulations and requirements are constantly changing, so there is a need to monitor the changes and update policies accordingly.
10.2.1.3 Environment
Internal and external environmental monitoring focuses on vulnerabilities, which may include physical concerns such as building access or visitor activities.
10.2.2.1 Tools
Active scanning tools for network and storage can be used to identify risks to personal information and to monitor for compliance with internal policies and procedures.
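As an added example (not from the original page and not any particular product's code), the stdlib-only Python below shows the core of what a storage-scanning tool does: it walks a set of files, looks for personal-data patterns such as email addresses and payment card numbers, validates card candidates with the Luhn checksum so that arbitrary digit runs are not reported, and masks what it finds so the report itself does not become a new copy of the personal data. The file names and contents are constructed sample input; the function names are this example's own.

```python
import re

# Constructed sample "data store" (path -> contents). Made-up test input, not data
# from any real system. The log line holds a 14-digit order id that is NOT a card.
SAMPLE_STORE = {
    "hr/onboarding.txt": "Contact: jane.doe@example.com, backup alice@example.org",
    "finance/export.csv": "4539 1488 0343 6467,ok\n1234 5678 9012 3456,bad",
    "logs/app.log": "order id 12345678901234 processed",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by single spaces or dashes (card formats).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_email(addr: str) -> str:
    local, domain = addr.split("@", 1)
    return local[0] + "***@" + domain


def mask_card(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(source: str, text: str) -> list:
    """Return masked findings for one file; card candidates must pass Luhn."""
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append({"source": source, "kind": "email", "value": mask_email(m.group())})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"source": source, "kind": "card", "value": mask_card(digits)})
    return findings


def scan_store(store: dict) -> list:
    """Scan every file in the store and collect findings in store order."""
    findings = []
    for source, text in store.items():
        findings.extend(scan_text(source, text))
    return findings


if __name__ == "__main__":
    for f in scan_store(SAMPLE_STORE):
        print(f"{f['source']}: {f['kind']} {f['value']}")
```

Run against the sample store it reports two masked email addresses in the HR file and one card number in the finance export; the second row of the export and the order id in the log match the digit pattern but fail the checksum and are not reported. A real scanner adds more detectors (national identifiers, health data) and checks the location against policy, for example flagging any card number found outside the systems approved to hold it.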
10.2.2.2 Audit
Audits include internal and external reviews of people, processes, technology, finances and many other aspects of business functions.
10.2.2.3 Breaches
Breach management practices are more important than ever before, driven by the laws and regulations of countries, states or provinces.
Tracking the type of breach, its severity and the time to remediation, particularly over time, is an important form of monitoring to determine whether both training activities and program processes are sufficient.
10.2.2.4 Complaints
Complaint-monitoring processes track, report, document and provide resolutions of customer, consumer, patient, employee, supplier and other complaints.
10.2.2.5 Data Retention
Records management and data retention should meet legal and business needs for privacy, security and data archiving. Monitoring looks for potential areas of risk in retention schedules or practices, such as excessive collection, inadequate controls on access and use, or undue disclosure.
This type of monitoring relies on an established set of privacy controls at the operational and program level and assesses the design and effectiveness of that control set. Some governance, risk and compliance (GRC) tools provide automated means to undertake some or all of these checks, through to tracking remediation activity.
Human resources (HR) is responsible for ensuring privacy protections are in place for employee personal information across HR processes. Multinational organizations are required to meet local regulations and the privacy expectations of their employees in all countries in which they operate.
10.2.2.8 Suppliers
Outsourcing of operations to suppliers (e.g., subcontractors, third parties) and the use of technology providers (e.g., cloud services) are governed by agreements, which should specify how the required privacy protections will be monitored.
Audits are an ongoing process of evaluating the effectiveness of controls throughout the organization’s operations, systems and processes.
The purpose of a privacy audit is to determine the degree to which technology, processes and people comply with privacy policies and practices.
Audits may be conducted regularly, ad hoc or on demand, depending on the purpose.
Privacy audits provide evidence regarding whether privacy operations are doing what they were designed to do and whether privacy controls are correctly managed.
The auditor must have full authority to perform duties; otherwise, the tasks and actions may be challenged and delay the work.
Scoping Audit
Audit Planning Phase - build a checklist, risk assessment, etc.
Audit - meet with stakeholders
Reporting - reporting on compliance and noncompliance
There are three types of audits:
first-party (internal)
second-party (supplier)
third-party (independent).
The frequency and type will vary based on resources, organizational culture, risk tolerance and demand.
The activities described in this section are not useful without time to analyze the results. The audit process should have a trigger that signals the privacy officer to step back and evaluate the program or, ideally, specific pieces of it.