ISACA’s report releasing ahead of Data Privacy Day reveals that confidence in the ability to ensure the privacy of sensitive data is declining

Faced with a web of complex and ever-evolving global data privacy regulations—including new ones that took effect at the year’s start—enterprises must stay compliant and protect the privacy of their data subjects or lose trust and take a hit to their reputation. ISACA’s Privacy in Practice 2023 research report, released today ahead of Data Privacy Day on 28 January, finds that enterprises that consistently practice privacy by design reap rewards, but many face challenges getting there because of privacy budgets, staffing and skills gaps.

This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20230117005858/en/

ISACA surveyed more than 1,800 professionals who work in data privacy or have detailed knowledge of the data privacy function within their organizations to demonstrate current perspectives on privacy staffing, organization structure, frameworks and policies, budgets, training, and data breaches. Learn key findings and more about the business benefits of privacy by design at www.isaca.org/privacy-month-2023.

The survey report—reflecting the insights of 1,890 global respondents who currently work in data privacy or have detailed knowledge of the data privacy function within their organization—examines privacy staffing, organization structure, frameworks and policies, budgets, training, and data breaches.

The ROI of Privacy by Design

The survey found that organizations consistently practicing privacy by design (30 percent, up two points from 2022) are at an advantage. They are one-and-a-half times more likely to be completely or somewhat confident in their organization’s ability to ensure the privacy of its sensitive data (65 percent vs. 40 percent of total respondents) and more likely to see their organization’s privacy strategy aligned with organizational objectives (92 percent vs. 73 percent total).

Additionally, organizations that always practice privacy by design:

• Say their board properly prioritizes privacy (76 percent compared to just 55 percent total)
• Have more employees in privacy roles within their organization (the median privacy staff size is almost twice as large at 19 compared to 10 total) and are more likely to feel that their privacy department is adequately staffed (44 percent vs. 34 percent total).

Privacy Program Obstacles

The ISACA research identified three top obstacles to forming a privacy program:

1. Lack of competent resources (42 percent)
2. Lack of clarity on the mandate, roles, and responsibilities (40 percent)
3. Lack of executive or business support (39 percent)

While more than half of respondents believe that their board of directors adequately prioritizes privacy (55 percent), 22 percent do not, and 20 percent do not know. This suggests that boards have an opportunity to improve their communication about their commitment to privacy efforts. Thirty-eight percent of respondents say that a lack of visibility and influence in the organization is a challenge in forming a privacy program, which may signal a board that does not adequately prioritize privacy.

Privacy budgets also remain underfunded at many organizations, 42 percent of respondents saying their privacy budget is underfunded and only 36 percent citing it as appropriately funded. Just over a third of respondents (34 percent) indicate their privacy budgets will increase in 2023.

While 75 percent of respondents are confident in their organization’s ability to ensure the privacy of its sensitive data, this confidence is declining—down six points from last year.

Staffing Shortages, Skills Gaps

When it comes to resources, privacy staff shortages persist and the demand for both technical and legal/compliance roles is expected to increase next year. Technical privacy roles remain more understaffed than legal/compliance roles, with 53 percent of respondents indicating they are somewhat or significantly understaffed, versus 44 percent, respectively. The survey also found that many enterprises have unfilled privacy positions (34 percent saying this is the case for technical privacy roles and 27 percent for legal/compliance roles). Additionally, technical privacy roles (69 percent) are more likely to have increased demand in the next year compared to legal/compliance roles (62 percent).

Most also indicated that the amount of time to fill roles increased or stayed the same as last year, with 76 percent having the most difficulty hiring expert-level privacy professionals. About one in 5 respondents say that less than one quarter of applicants for privacy roles at their enterprises were qualified for those positions.

“Organizations may desire to comply with privacy regulations and build a privacy by design culture, but without a strong team of privacy practitioners, they face significant obstacles to achieving these goals,” says Safia Kazi, ISACA principal, privacy practices. “With the increased need for these privacy practitioners’ technical and legal expertise to keep pace with the regulatory landscape, it is more important than ever to cultivate and train a strong, skilled privacy workforce to meet the demand.”

Taking Action

To fill this skills gap, organizations are training to allow non-privacy staff to move into privacy roles (49 percent) and increasing their usage of contract employees or outside consultants (38 percent).

Respondents cited the most common causes of privacy failures as lack of training (49 percent), data breach (42 percent), and not practicing privacy by design (42 percent). To tackle the most common cause of privacy failures, 85 percent of respondents report that their organization provides privacy awareness training for employees, and 59 percent review and revise privacy awareness training at least annually. Though the metric used most often to measure training effectiveness is the number of employees completing training (65 percent) instead of a decrease in privacy incidents (54 percent), 73 percent believe that privacy training has had a positive impact on privacy awareness in the organization.

“Privacy, like security, is best when it is baked in from the start, not fixed after the fact,” says Anne Toth, trust, privacy and tech policy advisor, and member of the ISACA Digital Trust Advisory Council. “This research underscores and validates what many practitioners know from experience to be true: privacy by design is a smart investment that pays dividends in customer trust.”

To download a complimentary copy of the Privacy in Practice 2023 survey report, visit www.isaca.org/privacy-month-2023. Information on ISACA’s Certified Data Privacy Solutions Engineer (CDPSE) certification is available at www.isaca.org/credentialing/certified-data-privacy-solutions-engineer. ISACA is a nonprofit, independent professional association with 165,000 members in 188 countries. Members represent all areas of digital trust, including data privacy.

About ISACA

For more than 50 years, ISACA ^® (www.isaca.org) has equipped individuals and enterprises with the knowledge, credentials, education, training and community to progress their careers, transform their organizations, and build a more trusted and ethical digital world. ISACA leverages the expertise of its more than 165,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality, with a presence in 188 countries, including 225 chapters worldwide. Through its foundation One In Tech, ISACA supports IT education and career pathways for underresourced and underrepresented populations.

View source version on businesswire.com: https://www.businesswire.com/news/home/20230117005858/en/

Privacy staff shortages continue amid increasing demand for these roles, according to new #ISACA study.