
Data Privacy Program Report

Info-Tech Research Group Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2021 Info-Tech Research Group Inc.
Instructions
This deck is intended to be used alongside Info-Tech’s Build a Data Privacy Program and Mature Your
Privacy Operations blueprints. It can be used to document your work on select blueprint activities and to
organize all your work in one report to share with your team.

Note: In this template, some slides contain content in square brackets [sample] that’s intended to be edited or replaced with your organization’s specific information.

[Organization Name] Data Privacy Program Mission Statement
Date of Report: [December 1, 2021]

• Data privacy has moved beyond being a “nice-to-have” option to a necessary component of any organization, regardless of scope, industry, or governing privacy law. As [Organization Name] continues to strive to meet the needs of its clients, consumers, and employees, an effective take on data privacy is necessary.
• [Organization Name] observes that it’s currently in scope of the following governing data privacy/data protection regulations and frameworks:
o [GDPR]
o [CCPA]
• [Organization Name] observes the best practices for privacy as provided by the following frameworks:
o Info-Tech Research Group
o [NIST Privacy Framework 1.0]
• The purpose of [Organization Name’s] data privacy program is to drive continuous improvement across the organization and to take an inclusive and integrated approach that enables all business units to adopt privacy best practices as a part of their current operations. The intent is to make privacy a business enabler, as opposed to a limiting factor.

Info-Tech Research Group | 3


Data Privacy Overview
Privacy Program Overview: July 1 – September 30, 2021

The current state of data privacy at [Organization Name]

• 67% of business processes identified currently involve processing of personal data.
• 33% of these processes have been marked with unsatisfactory retention periods – either “perpetual” or “unknown.”
• 22% of all identified business processes currently involve the processing of “highly-sensitive” data or Tier 4 classification as per [Organization Name]’s data classification standard.
• 43% of business processes involve personal data contained under the scope of [Privacy Law Name].



[Organization Name] Data Privacy Performance

Number of Data Privacy Program Reviews: [# in last 365 days]
Number of Data Privacy Program Reports: [# in last 365 days]
Privacy Regulatory or Privacy Law Changes: [# in last 365 days]
Total Privacy Budget: $ [total budget allocated]
Program Operating Industry: [Industry Name]
Number of Privacy/Data Privacy Staff: [#]
Number of PII Data Processes: [Refer to Data Mapping Tool]
Number of Sub-Processors or Joint Controllers: [Refer to Data Mapping Tool]
Data Breach Attempts/Success Percentage: [# in last 365 days]

Snapshot | 2020-2021 | 2018-2019 | Period Preceding 2018 (total)
Data Subject Access | [ ] | [ ] | [ ]
DPIAs Performed | [ ] | [ ] | [ ]


[Organization Name] Org. Structure

CEO
  CFO
    VP Finance
      Finance Team
  CHRO
    VP HR
      HR Team
  CMO
    VP Marketing
      Marketing Leads
  CIO
    CISO
      InfoSec Team
    PO
      DPO
        Privacy Team
    CTO
  COO
    VP Operations
      Operations Leads
[Organization Name] Privacy Governance Structure

What’s Changed?
• [Employee Name] leads PCoE
• Each business unit takes accountability for privacy processes
• [Employee Names] have been assigned as Privacy Reps/Champions

Privacy Center of Excellence
  Privacy Rep (Marketing/Sales)
  Privacy Rep (HR)
  Privacy Rep (Information Security)
  Privacy Rep (Information Technology)

These days, many privacy-mature organizations err on the side of a Privacy Center of Excellence (PCoE). This hybrid model combines the best of both centralized and decentralized structures:
• A centralized privacy unit for tracking and reporting purposes
• Business unit privacy champions assigned to draw ownership and buy-in from the business units
The privacy reps from each business unit report to the central privacy unit, eliminating the need to hire multiple privacy-specific individuals within the central team.
Next steps and future targets

1. [Privacy Objective A]
   Intended Date of Completion:
   Actionable Steps:
   1) [Privacy Framework Outputs]
   2) [Privacy Framework Outputs]
   3) [Privacy Framework Outputs]

2. [Privacy Objective B]
   Intended Date of Completion:
   Actionable Steps:
   1) [Privacy Framework Outputs]
   2) [Privacy Framework Outputs]
   3) [Privacy Framework Outputs]

3. [Privacy Objective C]
   Intended Date of Completion:
   Actionable Steps:
   1) [Privacy Framework Outputs]
   2) [Privacy Framework Outputs]
   3) [Privacy Framework Outputs]



Governance
Data Privacy Metrics

Callout: Some of your goals (e.g. implementation or review) may only have a single target. Use “n/a” in the extra box or indicate what the next goal/metric will be. -Delete this callout before presenting-.

Goal | KPI | Target (6 months) | Target (12 months)
Review and update privacy policies, RACIs, etc. annually | % of in-scope documentation with completed review | [ ] | [ ]
Reduce privacy policy violations | % of incidents stemming from privacy policy violation | [ ] | [ ]
Incorporate privacy-centric processes into existing workflows | % of existing workflows with signoff on privacy controls | [ ] | [ ]
Close existing policy or control gaps | % of high-risk privacy control gaps untreated | [ ] | [ ]
[Additional metric]

Additional Notes and Comments:
• [Include any additional and relevant details around metrics here. This may include reference to specific incidents, initiatives, or findings from the Privacy Team.]



Regulatory Compliance
Data Privacy Metrics

Goal | KPI | Target (6 months) | Target (12 months)
Reduce risk associated with GDPR non-compliance | % of GDPR compliance roadmap initiatives complete | [ ] | [ ]
Reduce risk associated with HIPAA non-compliance | % of HIPAA compliance roadmap initiatives complete | [ ] | [ ]
Improve time to report (i.e. to regulator) | % of relevant incidents reported to regulator within target window | [ ] | [ ]
Improve time to disclose (i.e. to data subjects) | % of relevant incidents disclosed to data subject within target window | [ ] | [ ]
[Additional metric]

Additional Notes and Comments:
• [Include any additional and relevant details around metrics here. This may include reference to specific incidents, initiatives, or findings from the Privacy Team.]



Data Processing and Handling
Data Privacy Metrics

Goal | KPI | Target (6 months) | Target (12 months)
Implement encryption for all sensitive data | % of sensitive data with encryption applied | [ ] | [ ]
Reduce instances of mis- or unclassified data | % of data known to be un- or misclassified | [ ] | [ ]
Develop data retention schedule | % of data types with retention requirements defined in formal schedule | [ ] | [ ]
Map data-collection processes to define legal basis, designated processor and controller | % of data collection processes with relevant requirements defined | [ ] | [ ]
[Additional metric]

Additional Notes and Comments:
• [Include any additional and relevant details around metrics here. This may include reference to specific incidents, initiatives, or findings from the Privacy Team.]



Data Subject Requests
Data Privacy Metrics

Goal | KPI | Target (6 months) | Target (12 months)
Improve time to respond to DSARs | % of DSARs completed within target window | [ ] | [ ]
Reduce volume of DSARs | % decrease of DSARs after improving messaging related to data collection and protection practices | [ ] | [ ]
Streamline process to receive data from third-party data processors | % of vendors for which data sharing processes need improvement | [ ] | [ ]
Standardize DSAR-reporting format to ensure all appropriate information is provided | % of standardization phases complete (e.g. review, design, testing, finalization) | [ ] | [ ]
[Additional metric]

Additional Notes and Comments:
• [Include any additional and relevant details around metrics here. This may include reference to specific incidents, initiatives, or findings from the Privacy Team.]



Privacy by Design (PBD)
Data Privacy Metrics

Goal | KPI | Target (6 months) | Target (12 months)
Include PBD review for all new relevant projects | % of relevant projects receiving PBD review | [ ] | [ ]
Include PBD review for all existing relevant processes | % of relevant existing processes with PBD review completed | [ ] | [ ]
Increase number of staff able to perform PBD review | % of staff approved to complete PBD signoff | [ ] | [ ]
Improve documentation and record keeping for PBD reviews | % of PBD reviews with missing or incomplete documents | [ ] | [ ]
[Additional metric]

Additional Notes and Comments:
• [Include any additional and relevant details around metrics here. This may include reference to specific incidents, initiatives, or findings from the Privacy Team.]



Notices and Consent
Data Privacy Metrics

Goal | KPI | Target (6 months) | Target (12 months)
Eliminate all data collection practices where consent is not obtained | % of data collection processes where consent is not collected | [ ] | [ ]
Update privacy policy | % of update complete (e.g. research, requirements gathering, drafting, review, finalization) | [ ] | [ ]
Draft cookie policy | % of update complete (e.g. research, requirements gathering, drafting, review, finalization) | [ ] | [ ]
Study regulations to determine notice/consent requirements | % of relevant regulations for which requirements have been determined | [ ] | [ ]
[Additional metric]

Additional Notes and Comments:
• [Include any additional and relevant details around metrics here. This may include reference to specific incidents, initiatives, or findings from the Privacy Team.]



Incident Response
Data Privacy Metrics

Goal | KPI | Target (6 months) | Target (12 months)
Improve mean time to response | % of responses occurring within target window | [ ] | [ ]
Improve mean time to recovery | % of recoveries occurring within target window | [ ] | [ ]
Reduce spending on incident response | % reduction in costs for incident response | [ ] | [ ]
[Additional metric]
[Additional metric]

Additional Notes and Comments:
• [Include any additional and relevant details around metrics here. This may include reference to specific incidents, initiatives, or findings from the Privacy Team.]



Privacy Risk Assessments
Data Privacy Metrics

Goal | KPI | Target (6 months) | Target (12 months)
Complete a PIA for all relevant projects | % of relevant projects with a PIA completed | [ ] | [ ]
Develop threshold assessment to determine if PIA needed for project | % of threshold assessment project phases complete (e.g. research, drafting, testing, finalization) | [ ] | [ ]
Improve risk assessment techniques | % of approved initiatives with faulty risk score | [ ] | [ ]
[Additional metric]
[Additional metric]

Additional Notes and Comments:
• [Include any additional and relevant details around metrics here. This may include reference to specific incidents, initiatives, or findings from the Privacy Team.]



Information Security
Data Privacy Metrics

Goal | KPI | Target (6 months) | Target (12 months)
Improve deployment time for patches | % of critical patches fully deployed within target window | [ ] | [ ]
Improve security of sensitive data in transit | % of sensitive data transfers using secure sharing techniques | [ ] | [ ]
Remove unnecessary privileged accounts | % of accounts with unnecessary admin. privileges | [ ] | [ ]
[Additional metric]
[Additional metric]

Additional Notes and Comments:
• [Include any additional and relevant details around metrics here. This may include reference to specific incidents, initiatives, or findings from the Privacy Team.]



Third-Party Management
Data Privacy Metrics

Goal | KPI | Target (6 months) | Target (12 months)
Implement vendor assessment service for privacy risk | % of vendor assessment service completed (e.g. process workflow, requirements defined, existing vendors assessed) | [ ] | [ ]
Implement data-transfer agreements for all existing vendors | % of vendors with a defined and sufficient data transfer agreement | [ ] | [ ]
Determine data processor/controller relationship for all existing vendors | % of vendors with controller/processor activities defined and verified | [ ] | [ ]
[Additional metric]
[Additional metric]

Additional Notes and Comments:
• [Include any additional and relevant details around metrics here. This may include reference to specific incidents, initiatives, or findings from the Privacy Team.]



Awareness and Training
Data Privacy Metrics

Goal | KPI | Target (6 months) | Target (12 months)
Implement privacy training program for all departments | % of departments that have completed privacy training | [ ] | [ ]
Certify appropriate security/privacy team members to deliver training to end users | % of relevant staff able to deliver privacy training | [ ] | [ ]
Develop microlearning materials to facilitate once-per-month privacy training | % of needed materials developed | [ ] | [ ]
[Additional metric]
[Additional metric]

Additional Notes and Comments:
• [Include any additional and relevant details around metrics here. This may include reference to specific incidents, initiatives, or findings from the Privacy Team.]

