As is well known, the GDPR provides no clear guidance on how to demonstrate conformity with it, and this poses a number of non-trivial challenges to entities that process personal data. Among the various possible tools that could be considered (while awaiting more detailed guidelines) is the use of a series of measurable parameters that can give some indication of the current state of GDPR conformity.
Usually one is led to measure result indicators (lag indicators), which in our case may be, for example, the number of people given an adequate disclosure compared to the total number of individuals subject to the data processing. However, these indicators say nothing about the actions that I could take to improve my processes. For that purpose you need to use “lead” indicators, which are more difficult to identify than lag indicators and are not certain to provide positive results.
An example illustrates the concept: if I want to lose weight, it is not enough to weigh myself every day to reach my objective on the scales (that is a lag indicator); I have to measure the processes that I have put in place to get there, for example how many calories I take in or how many kilometers I run. I have therefore defined a process to achieve my goals, and I measure its parameters ex ante. This type of approach is certainly more in line with a law that requires us to think about the protection of personal data from the design stage.