Accountability can be strengthened through program measurements, or metrics, a few panelists said. Vodafone uses a few in-house systems to measure privacy program achievements. The metrics also provide “something we can then show to higher-level executives,” said Chappelle.
One main way Vodafone measures its privacy efforts is by conducting annual assessments to determine how well individual operating units meet the company’s proprietary Privacy Risk Management System (PRMS), according to Amanda Chandler, Vodafone’s global privacy manager, who leads most of the operational side of the company’s privacy program.
The PRMS centers around nine core processes and goals Vodafone considers central in meeting its informational governance objectives, says Chandler, who was not at the conference but spoke to Security Management. The nine categories range from “privacy impact assessments” to “supplier assessments,” and from “data breach incident handling” to the maintenance of a “personal information location register.” The nine areas are also broken down into subcategories and subprocesses.
The assessments, conducted by privacy officers in individual business units, consist of sets of questions aimed at determining how well the units are managing the key PRMS areas. Officers answer each question with a ranking of one through five, with five being the most efficient or effective. Each of the nine categories is also given an overall score. After the assessments, officers discuss ways to improve low-scoring areas with company managers Vodafone calls “board sponsors for privacy.” Officers regularly discuss progress with privacy program executives.
Although officers score the assessments themselves, they generally haven’t overly inflated their scores, says Chandler. One reason is that officers sometimes want to draw attention to areas that might need more resources, she says. Privacy officers can also demonstrate some of their accomplishments when the scores rise over time. When the PRMS, the assessments, and related efforts grow in maturity, Vodafone will use internal auditors to help check the assessments’ veracity across the company, says Chandler.