Privacy teams are being asked to manage increasingly complex regulatory, technology and data risks with fewer resources and shrinking budgets, according to ISACA’s newly released State of Privacy 2026 survey. As organisations grapple with evolving privacy laws, rapid AI adoption and heightened breach risk, nearly two-thirds (63%) of privacy professionals in Oceania say their roles are more stressful today than they were five years ago.

Based on insights from more than 1,800 privacy professionals across the ISACA community worldwide, the survey shows that the rapid evolution of technology is the leading source of stress for Oceania-based respondents, cited by 71 percent – up from 63 percent last year – followed by compliance challenges (62 percent) and resource shortages (61 percent).

Strained Resources and Teams

When it comes to resources, 43 percent of global respondents report that their privacy budget is underfunded, with 36 percent citing it as appropriately funded. Looking ahead, respondents in Oceania are pessimistic about their privacy budget for next year, with only 8 percent expecting a budget increase (compared with 22 percent globally). Rather, 60 percent expect a decrease in the next 12 months (compared to 50 percent globally).

The results point to a widening gap between what organisations expect from privacy teams and what they are prepared to invest – at a time when data breaches, regulatory penalties and reputational damage can carry real financial and governance consequences.

Jamie Norton, Vice Chair of the ISACA Board, said privacy teams across Oceania are being stretched at a time when expectations continue to rise. “Many organisations are asking small privacy teams to manage complex compliance obligations, emerging technologies like AI, and growing breach risk all at once,” said Mr Norton.

“Lower budgets can mean that organisations risk falling behind regulatory expectations as scrutiny continues to intensify. When investment doesn’t keep pace, privacy risk quickly becomes a broader business and governance issue.”

Shrinking team sizes are also a concern, with the global median privacy staff size dropping from eight in 2025 to five this year. Respondents indicate that both technical (47 percent) and legal/compliance (37 percent) roles on their teams are understaffed. Additionally, 53 percent believe that skills gaps exist with today’s privacy professionals, with technical expertise (54 percent) and experience with different types of technologies and/or applications (52 percent) ranking as the top two.

To address skill gaps, the survey finds that global privacy teams are training non-privacy staff who are interested in moving into privacy roles (48 percent) and increasing the usage of contract employees or outside consultants (36 percent). This tracks with the more than half (55 percent) worldwide who note that 50 percent or more of their privacy staff consist of those who started their career in a completely different field and have transitioned into a privacy role – compared to only 25 percent who indicate that 50 percent or more of their privacy staff is comprised of those who started their career and privacy and remain in privacy today.

Obstacles and Breaches

When it comes to confidence in their organisation’s ability to ensure the privacy of its sensitive data, Oceania respondents are less confident (26 percent) than their global colleagues (43 percent). Forty-four percent of all respondents indicate that their organisation’s privacy program faces obstacles, including:

• Management of risks associated with new technologies (52 percent)
• Complex international legal and regulatory landscape (45 percent)
• Lack of competent resources (43 percent)

In looking at where privacy programs go wrong, respondents identified the following as the most common privacy failures within an organisation:

• Lack of training or poor training (51 percent, up from 47 percent in 2025)
• Not practicing privacy by design (50 percent, up from 41 percent in 2025)
• Data breach/leakage (44 percent)

Additionally, 14 percent of respondents say their organisations experienced a material privacy breach in the past 12 months. While 23 percent note they did not see a change in the number of breaches, 19 percent (up from 15 percent in 2025) expect a material privacy breach in the next 12 months – reflecting a slight increase in pessimism in this area.

Privacy Programs, Frameworks and Controls

The survey also found that global privacy professionals are using a variety of privacy controls within their organisations, but are shifting slightly away from identity and access management – with the top controls identified as 1) data security (72 percent), 2) encryption (68 percent, down from 73 percent in 2025), 3) data loss prevention (65 percent), and 4) identity and access management (63 percent, down from 75 percent in 2025).

Slightly fewer organisations also appear to be practicing privacy by design – 58 percent always or frequently practice privacy by design when building new applications or services, down from 62 percent in 2025.

Eighty-two percent of global respondents said they used a framework or law/regulation to manage privacy in their organisation, the most common being GDPR (51 percent) and the NIST Privacy Framework (45 percent). Slightly under half (46 percent) say they are very or completely confident in their organisation’s privacy team’s ability to achieve compliance with new privacy laws and regulations.

Though only 36 percent of respondents in Oceania say they find it easy to understand their privacy obligations, much fewer than last year say they consider it to be difficult – 8 percent, compared to 21 percent in 2025.

Additionally, slightly more organisations worldwide are using AI for privacy. Twenty-six percent say they have no plans to use AI (bots or machine learning) to perform any privacy-related tasks, which is down from 36 percent in 2024 and 31 percent in 2025. However, 38 percent indicate they plan to use AI for this function in the next 12 months.

To access the survey report and related resources, visit www.isaca.org/state-of-privacy. For additional privacy resources, visit www.isaca.org/resources/privacy.