Data privacy professionals are severely underfunded – and it’s only going to get worse
European data privacy professionals say they're short of cash, short of skilled staff, and stressed
Data privacy professionals think their organizations are underfunding their work, and there's no light on the horizon as budgets are set to be squeezed further in 2025.
In a recent survey, more than half told ISACA they expect budgets to decline this year, up from 41% last year. Meanwhile, only a third said they were confident in their organization’s ability to safeguard sensitive data, with just a quarter always practicing Privacy by Design.
As a result, ISACA warned many organizations risk falling short of compliance with GDPR and new legal frameworks such as the Digital Services Act and EU AI Act.
"As the threat landscape continues to evolve in complexity, privacy is becoming a sector which is increasingly difficult to operate in, but also more critical," said Chris Dimitriadis, global chief strategy officer at ISACA.
"Two-thirds of the European professionals working in privacy roles who we spoke to said their job is more stressful now compared to five years ago. This is only being exacerbated by continued underfunding. While companies may be making a short-term financial gain, they are putting themselves at long-term risk."
Half of technical data privacy teams in Europe remain understaffed, the survey found, much the same as last year, while a third struggle to retain qualified privacy professionals.
Those that always practice Privacy by Design fare rather better, with 43% saying their technical data privacy teams are appropriately staffed. Six-in-ten said they were highly confident in their technical privacy teams as a result.
"Practicing Privacy by Design and embedding privacy across an entire enterprise is key to long-term data protection," Dimitriadis said.
"Such a comprehensive approach fosters trust with stakeholders and safeguards against ever-evolving threats – but this isn’t possible without skilled privacy teams who feel prepared and able to drive privacy practices from a technology, business and compliance point of view."
The data privacy skills gap is growing
Skills gaps were also highlighted as a key issue for data privacy professionals, ISACA found. The biggest reported skills gap was experience with different types of technologies and/or applications, cited by 63% of respondents.
A lack of technical expertise and IT operations knowledge and skills were also flagged as major concerns. As a result of this shortfall, nearly half of organizations said they offer training to allow staff from non-privacy backgrounds to move into roles in this domain.
However, it’s experience that’s key to plugging this skills gap, the study noted.
Nearly all respondents said they consider compliance and legal experience an important factor in determining if a privacy candidate is qualified. Nine-in-ten also consider industry credentials as important, while only 54% said the same about a university degree.
"There are several ways to plug the skills gap," said Dimitriadis.
"Providing training and continuous support for privacy staff on emerging technologies, privacy-enhancing technologies, and cybersecurity and data protection architectures on top of legal compliance knowledge is essential for managing their stress and maintaining organizational resilience."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.