SYDNEY, AUSTRALIA, 22 January 2025 – Privacy professionals are under growing pressure as they face budget cuts, resource challenges and changes in regulations. According to ISACA’s State of Privacy 2025 survey report, almost half (48 percent) expect a budget decrease in the next year and 73 percent indicate expert-level privacy professionals are the most difficult to hire, adding to the stress of keeping data safe and meeting compliance requirements.

The new research from ISACA, the leading global professional association helping individuals advance their careers in digital trust fields, reflects insights from more than 1,600 privacy professionals worldwide.

The study found that 63 percent of privacy professionals say their role is more stressful now than it was five years ago, with 34 percent indicating it is significantly more stressful. They cite the main causes of this stress as the rapid evolution of technology (63 percent), compliance challenges (61 percent) and resource shortages (59 percent).

A Challenging Landscape

These findings align with what respondents cited as the top three obstacles facing privacy programs:

1. Complex international legal and regulatory landscape (38 percent)
2. Lack of competent resources (37 percent)
3. Management of risks related to new technologies (36 percent)

When it comes to resources, 43 percent indicate their privacy budget is underfunded, and 48 percent expect a budget decrease in the next year. In terms of staff, respondents are finding it tough to hire expert-level privacy professionals, with 73 percent indicating they are the most difficult privacy employees to hire.

Privacy professionals are facing other difficulties, with only 44 percent confident that their organisation’s privacy team can ensure data privacy and achieve compliance with new privacy laws and regulations. Additionally, only 33 percent of organisations find it easy to understand privacy obligations, with 23 percent considering it difficult.

Respondents also provided insights into their most common privacy failures, listing lack of training or poor training (47 percent), data breaches (42 percent), and not practicing privacy by design (41 percent) in the top three.

Jo Stewart-Rattray, Oceania Ambassador for ISACA, said the findings reveal significant challenges for organisations globally and in our region. “Privacy professionals are feeling the strain of shrinking budgets and increasing demands, all while grappling with regulatory changes and resource shortages,” said Ms Stewart-Rattray. “Greater investment in privacy teams, training and tools is essential to help organisations meet their responsibility to protect data and maintain trust.

“With almost half of privacy professionals anticipating budget cuts and many struggling to recruit skilled staff, organisations need to act now. Prioritising robust privacy frameworks and embedding strong practices into daily operations will enable companies to better safeguard data, meet compliance requirements and strengthen customer trust.”

Bright Spots

In spite of these challenges, the research revealed some encouraging findings as well. While the median privacy staff size declined slightly from the previous year (eight this year compared to nine the prior), fewer survey respondents reported that their privacy teams are understaffed. This includes technical privacy roles—with understaffing reported at 54 percent in 2024 compared to 46 percent in 2025—and legal/compliance roles—with understaffing reported at 44 percent in 2024 compared to 38 percent in 2025.

Additionally, 74 percent of respondents report privacy strategy is aligned with organisational objectives, and over half (57 percent) believe the board of directors has adequately prioritised their organisation’s privacy.

Enterprises are taking compliance seriously, with 82 percent of respondents indicating they use a framework or law/regulation to manage privacy, and 68 percent saying it is mandatory to address privacy with documented policies and procedures.

Most respondents also do not believe they are experiencing more privacy breaches this year compared to last year, and 29 percent believe it is unlikely they will experience a material privacy breach in the next 12 months.

Privacy by Design as a Differentiator

The survey findings, as in past years, indicate that practicing privacy by design sets enterprises apart. Sixty-seven percent of respondents indicate that they practice privacy by design, the integration of privacy into the entire engineering process, when building new applications and services. The survey found that enterprises that always practice privacy by design are more likely to:

• Have high confidence in their privacy teams (68 percent versus 41 percent total)
• Believe their technical privacy area is appropriately staffed (50 percent versus 40 percent total)
• Have decreased privacy skills gaps by training non-privacy staff for privacy roles (57 percent versus 48 percent total)
• Believe their boards of directors prioritise privacy (80 percent versus 57 percent total)

AI’s Evolving Role

More respondents also reported using artificial intelligence (AI) for privacy-related tasks this year (11 percent) than last year (8 percent). The use of AI for this purpose was also found to be higher in enterprises that were not purely compliance-driven, with 14 percent of those in enterprises with boards that viewed privacy ethically or as a competitive advantage using AI for privacy-related tasks, compared with 9 percent from enterprises with boards that view privacy programs as compliance-driven. This use of AI was also higher among enterprises that regularly practice privacy by design, with 18 percent of those who indicate they always practice privacy by design reporting that they are using AI for privacy work.

“When privacy is aligned with business objectives, integrated into the enterprise with a privacy by design approach, and viewed as both an ethical and compliance responsibility, organisations stand to gain tremendous value,” says Safia Kazi, ISACA Principal, Privacy Professional Practices. “Enterprises must continue to prioritise and advance their privacy programs—leveraging the right emerging technology, frameworks, training and best practices for them—to keep pace.”

For a complimentary copy of the survey report and to access other related content, visit www.isaca.org/state-of-privacy.

About ISACA

ISACA^® (www.isaca.org) is a global community advancing individuals and organizations in their pursuit of digital trust. For more than 50 years, ISACA has equipped individuals and enterprises with the knowledge, credentials, education, training and community to progress their careers, transform their organisations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organization that leverages the expertise of its 180,000+ members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. It has a presence in 188 countries, including 228 chapters worldwide. Through the ISACA Foundation, ISACA supports IT education and career pathways for under-resourced and underrepresented populations.

LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews