Regulators increasingly treat privacy program maturity as an independent compliance obligation. GDPR fines are not primarily for breaches but for processing violations, consent failures, and inadequate data subject rights processes. CCPA enforcement looks at notice, data subject requests, and opt-out mechanisms. The KRIs in this domain measure whether your privacy program is operational, not just documented.
If you are standing this up from scratch, start with how to build a KRI program and the consolidated KRI reference library, which maps every domain to one CIS-aligned catalog.
KRI inventory
1. Privacy impact assessment (PIA/DPIA) coverage rate
What to measure. Percentage of processing activities that present significant privacy risk (new products handling personal data, new data sharing arrangements, significant changes to data processing) that went through a completed Privacy Impact Assessment or Data Protection Impact Assessment before implementation.
Why it matters. GDPR Article 35 mandates DPIAs for high-risk processing. Beyond regulatory mandate, PIAs identify privacy risks before implementation, when they're cheapest to fix. Processing that launches without a PIA frequently produces privacy debt that's expensive to remediate and may require regulatory notification if it constitutes a violation.
- Privacy management platform (OneTrust, TrustArc, Osano, Didomi): PIA/DPIA completion records with processing activity linkage
- Product/engineering intake process: PIA requirement in new feature/product launch checklist
- Legal/privacy team: DPIA completion log with sign-off records
- Change management: privacy-impacting changes cross-referenced against PIA completion
How to calculate. (Processing activities assessed via PIA/DPIA before implementation) ÷ (total processing activities requiring assessment per threshold) × 100
| Status | Criteria |
|---|---|
| Green | >95% of high-risk processing with completed PIA; DPIA process embedded in product development workflow; DPO review confirmed for GDPR Art. 35 processing |
| Amber | 80–94%; or PIA process exists but inconsistently triggered; or DPIA completed but DPO review absent |
| Red | <80%; or no PIA process; or high-risk processing deployed without assessment |
2. Records of processing activities (ROPA) completeness
What to measure. Percentage of processing activities documented in the ROPA (required under GDPR Article 30) with current, accurate records, including purpose, legal basis, data categories, retention period, recipient categories, and cross-border transfer safeguards.
Why it matters. The ROPA is the foundational inventory of what your organization does with personal data. Regulators request it early in investigations. Incomplete or inaccurate ROPAs signal to regulators that the organization doesn't know its own data processing, which is itself an indication of systemic privacy program failure. The ROPA also enables breach scope assessment: if you know what you process and where, you can determine breach impact quickly.
- Privacy management platform: ROPA module with completeness scoring per record
- System inventory: systems with personal data confirmed in data discovery cross-referenced against ROPA entries
- Legal basis registry: processing activities mapped to GDPR legal basis (consent, contract, legitimate interests, legal obligation, vital interests, public task)
- DPA registry: data processing agreements with third parties, sub-processor entries in ROPA
How to calculate. (ROPA entries with all required fields completed and reviewed within 12 months) ÷ (total processing activities requiring ROPA entry) × 100
| Status | Criteria |
|---|---|
| Green | >95% of processing activities in ROPA with complete required fields; reviewed within 12 months; new systems trigger ROPA update within 30 days of deployment |
| Amber | 80–94%; or ROPA entries present but incomplete (legal basis missing, retention undefined) |
| Red | <80%; or ROPA not maintained; or ROPA last updated >24 months ago |
3. Data subject rights request (DSAR) fulfillment rate and timeliness
What to measure. Percentage of data subject requests (access requests, deletion requests, portability requests, correction requests, opt-out requests) fulfilled within the legally required timeframe, and the percentage fulfilled accurately and completely on first response.
Why it matters. GDPR requires responses within one month (extendable to three with notice). CCPA requires deletion fulfillment within 45 days. Missed deadlines create regulatory exposure and can result in complaints to supervisory authorities. Incomplete responses (for example, telling a data subject you don't hold their data when you do) can result in enforcement action if the error is discovered.
- DSAR management system (OneTrust, Transcend, DataGrail, TrustArc): request intake date, type, status, response date
- Privacy management platform: DSAR workflow with SLA timers
- Legal team: log of requests received via legal channels (not captured in automated systems)
- Identity/IAM: subject access requests fulfilled through identity platform data export (Entra ID, Okta user data export)
How to calculate.
- Timeliness: (DSARs fulfilled within legal deadline) ÷ (total DSARs received) × 100
- Completeness: (DSARs fulfilled without requiring correction or follow-up) ÷ (total fulfilled) × 100
| Status | Criteria |
|---|---|
| Green | >99% fulfilled within legal deadline; <5% requiring correction; DSAR process includes automated data discovery to ensure completeness |
| Amber | 90–98% within deadline; or manual fulfillment process with known completeness gaps |
| Red | <90% within deadline; or deadline breaches on GDPR/CCPA requests; or systematic incompleteness in access requests |
4. Consent management coverage and validity rate
What to measure. Percentage of consent-based processing activities with valid, specific, informed, and freely given consent collected through a compliant consent management platform, and the rate of consent records that are current (not expired or withdrawn).
Why it matters. Consent under GDPR must be specific, informed, unambiguous, and freely given. Consent collected through a pre-ticked box, bundled with terms of service, or obtained before the data subject understood the processing doesn't meet the standard. The validity rate measures whether your consent records would survive regulatory scrutiny, not just whether a consent checkbox was checked.
- Consent Management Platform (OneTrust, Cookiebot, Usercentrics, Didomi): consent record database, consent type, date, mechanism, specific purposes consented to
- Cookie scanning tool (Cookiebot scanner, OneTrust cookie scanner): cookies deployed vs. cookies disclosed in the consent banner; the gap is undisclosed tracking
- Website/app: consent mechanism audit (is consent collected before processing? Is withdrawal as easy as giving it?)
- Marketing automation: email subscription records, consent basis and collection method
How to calculate.
- Coverage: (Consent-based processing activities with CMP-collected consent records) ÷ (total consent-based processing) × 100
- Validity proxy: (Consent records with specific purpose + mechanism + date documented) ÷ (total consent records) × 100
| Status | Criteria |
|---|---|
| Green | CMP deployed and integrated with all consent-based processing; cookie audit current; withdrawal mechanism functional and as easy as consent |
| Amber | CMP deployed but not integrated with all systems; or cookie audit outdated; or withdrawal mechanism present but burdensome |
| Red | No CMP; or consent collected through bundled terms; or no withdrawal mechanism; or cookies deployed without consent |
5. Cross-Border data transfer compliance rate
What to measure. Percentage of personal data transfers to third countries (outside the EU/EEA for GDPR; outside certain jurisdictions for other laws) with a valid and current legal transfer mechanism: Standard Contractual Clauses (SCCs), an adequacy decision, Binding Corporate Rules, or equivalent.
Why it matters. Cross-border data transfers without valid legal mechanisms are a GDPR violation even if the data is technically secure. Transfers to US entities require SCCs or equivalent since the Schrems II ruling invalidated Privacy Shield. Many organizations have vendor relationships and cloud architectures that involve international data transfers they haven't mapped or safeguarded.
- ROPA: cross-border transfers documented with transfer mechanism
- Vendor contracts: DPAs with Standard Contractual Clauses executed for transfers to non-adequate countries
- Cloud provider DPAs: AWS, Google, and Microsoft all provide SCCs; confirm they are executed and on the current version (the updated post-Schrems II SCCs)
- Legal/DPO: transfer impact assessments (TIAs) for high-risk transfers
How to calculate. (Cross-border transfers with valid, current legal mechanism) ÷ (total cross-border personal data transfers identified) × 100
| Status | Criteria |
|---|---|
| Green | 100% of identified transfers with valid mechanism; SCCs current version (post-2021 EU SCCs); TIAs completed for high-risk transfers |
| Amber | Known gaps with remediation in progress; or SCCs executed but pre-2021 version not yet updated |
| Red | Transfers to non-adequate countries without SCCs; or transfer mapping incomplete (unknown transfers occurring) |
6. Privacy breach notification readiness
What to measure. Whether the organization has a documented, tested process for assessing personal data breaches for notification obligation and executing notification within applicable timeframes, including supervisory authority notification (GDPR: 72 hours) and data subject notification (GDPR: without undue delay; CCPA: within 30 days; state laws: 30–72 hours).
Why it matters. Privacy breach notification is a separate obligation from security incident response. It requires a privacy assessment (is this a personal data breach? Does it meet the threshold for notification? Which supervisory authority? Which data subjects?) that security teams often aren't equipped to perform. The process must exist, be documented, and be practiced before an incident, not assembled during one.
- Privacy management platform: breach log with assessment workflow, threshold determination, authority notification records, data subject notification records
- IR plan (cross-reference): privacy breach trigger embedded in security incident classification
- Legal/DPO records: supervisory authority notification filings and timeline documentation
- Tabletop exercise records: breach notification scenario included in privacy or IR exercise
KRI values.
- Breach assessment process: documented decision tree for personal data breach notification threshold determination (yes/no)
- Notification workflow: authority and data subject notification templates and contact information current (yes/no)
- Exercise completion: privacy breach notification scenario exercised within 12 months (yes/no)
- Historical compliance: rate of authority notifications filed within 72 hours for past incidents
| Status | Criteria |
|---|---|
| Green | All three process components (assessment decision tree, notification workflow, exercise) present and exercised; historical 72-hour compliance >95%; DPO authority confirmed for notification decisions |
| Amber | Process documented but not exercised; or DPO authority unclear; or templates not current |
| Red | No documented breach notification process; or past notifications filed late; or no privacy breach assessment capability |
7. Privacy training completion rate
What to measure. Percentage of employees in roles with access to or responsibility for personal data who have completed privacy-specific training within the defined training cycle, segmented by role (data handlers, developers, marketing, HR) with role-appropriate content.
Why it matters. Most privacy violations are not malicious; they result from employees who don't understand what they're doing with personal data or why it matters. Training completion rate measures whether the program is reaching the people whose decisions create privacy risk. Role-based segmentation matters because a developer's privacy decisions (logging PII, data retention in databases) are different from a marketer's (consent, email opt-out).
- LMS: privacy training completion records by department and role
- HR system: role-to-department mapping for cohort segmentation
- Privacy management platform: training assignment and completion tracking
- Onboarding records: privacy training in new employee onboarding within 30 days
How to calculate. (Employees in scope with current privacy training completion) ÷ (total employees in scope) × 100
Track by role cohort: developers, marketers, HR, finance (roles with high personal data access).
| Status | Criteria |
|---|---|
| Green | >95% overall; >98% for high-access roles; role-specific training content differentiated; new employees within 30 days of hire |
| Amber | 80–94%; or one-size-fits-all training regardless of role |
| Red | <80%; or no privacy-specific training (only generic security awareness); or developers building with personal data receiving no privacy training |
Deriving these KRIs by source type
From Privacy Management Platforms (OneTrust, TrustArc, Osano)
- ROPA completeness: Records with all required fields vs. total records; OneTrust ROPA module provides completeness scoring per entry
- DSAR workflow: SLA timer per request type; completion status; breach of SLA flag
- PIA completion: Linked to processing activities; completion date vs. processing deployment date
- Breach log: Incidents assessed through privacy breach assessment tool; notification decisions and filing dates
From Consent Management Platforms (Cookiebot, Usercentrics, Didomi)
- Consent record API: Export consent records with purpose, timestamp, mechanism, jurisdiction; calculate validity rate
- Cookie scan results: Cookies detected vs. cookies disclosed in the consent banner; the gap is undisclosed tracking, which is regulatory risk
- Withdrawal rate: Rate at which users withdraw consent; high rates may signal a consent mechanism that does not meet the freely-given standard
- Geographic coverage: Consent capture rate by jurisdiction; confirm EU visitors receive a GDPR-compliant consent banner
From DSAR Management Platforms (Transcend, DataGrail)
- API integrations: How many systems are integrated for automated data discovery in response to access requests; the coverage gap is the manual fulfillment risk
- Request volume trend: Rising DSAR volume may signal increased customer awareness or regulatory campaign; affects resource planning
- Fulfillment time distribution: Histogram of days-to-fulfill; watch the tail of slow fulfillments approaching the deadline
From Legal and Contract Management Systems
- SCC execution status: Filter vendor contracts by countries requiring SCCs; confirm SCC Annex completion for each
- DPA registry: Active DPAs vs. vendors processing personal data; gap = contractual compliance risk
- Updated SCCs tracking: Post-2021 EU SCCs (replacing the 2010 version); filter for contracts still using the old version
Draxis turns these KRIs into a live signal
Draxis connects to the tools you already run (privacy management platforms, consent tooling, and DSAR workflows) and computes these privacy program KRIs automatically, with the green/amber/red bands, trend lines, and drift alerts described above. No spreadsheets, no manual stitching.
See how Draxis reads your stack →