How is your privacy programme performing?

March 2021

You might regularly review your data policies, carry out staff training, conduct DPIAs when you need to… but how do you monitor the success of your privacy programme?

Let’s take a look at how to track your business’s privacy performance and gain confidence that data compliance is being managed successfully across the wider business.

The ICO is a good starting point – they have some useful tools.

This includes an Accountability Tracker tool which enables you to review and score business performance against each of ten key accountability areas.

In addition to highlighting gaps, the tracker includes its own dashboard (below), which is a useful was to see visually how your business is performing in these areas. For DPOs, this may help with your reports to the Board.


Example of a completed dashboard using the ICO’s Accountability Tracker


However, a word of caution. The level of detail required to complete the Accountability Tracker may prove too time-consuming for some. There’s a total of 330 questions to complete!

Don’t despair, as fortunately the ICO’s Online Self Assessment tool is much simpler and quicker to use. The results may be a little less forensic than the Tracker, but this method can still give you enough information for you score your business performance against each accountability.

It will help you to answer that vital question: ‘Where are we now?’. Using this approach could help you to prioritise your main focus areas and actions.

Bear in mind that certain accountabilities might need to be treated as higher priority than others in your business or sector.

Tracking wider organisational performance

Larger organisations may wish to monitor internal adherence to privacy laws across the key business functions (such as HR, Operations, Marketing and so on), or across multiple sites, countries or regions. This type of assurance activity is becoming increasingly popular, particularly annual reviews.

For example, how do you know the various functions that collect personal data are providing sufficient privacy information across all the data collection touchpoints?

A simple tracking template can help you achieve this. To the best of my knowledge the ICO doesn’t provide anything quite like this, and I would argue it needs to be tailored to the dynamics of your own business.

Getting assurance across your data processors

Many organisations outsource certain processing tasks to third party processors. It’s important to put due diligence in place to ensure your processors are adequately protecting the data you control.

Auditing your programme

Many business are keen to get independent assurance that their privacy programme is up to scratch and performing well. If you don’t have an internal audit team you might wish to bring in an external specialist.