The past year saw developments and updates to privacy regulations across the globe—from India’s Personal Data Protection Bill to Brazil’s General Data Protection Law, according to ISACA.
However, only 34% of organizations say they find it easy to understand their privacy obligations and only 43% are very or completely confident in their organization’s privacy team’s ability to ensure data privacy and achieve compliance with new privacy laws and regulations.
Privacy budgets anticipated to shrink
In addition to difficulty understanding the privacy regulatory landscape, organizations also face other data privacy challenges, including budget. 43% of respondents say their privacy budget is underfunded and only 36% say their budget is appropriately funded.
When looking at the year ahead, only 24% say they expect their budget to increase (down 10 points from last year), and only one percent say it will remain the same (down 26 points from last year). 51% expect a decrease in budget, which is significantly higher than last year, when only 12% expected a decrease.
For those seeking resources, technical privacy positions are in highest demand, with 62% of respondents indicating there will be increased demand for technical privacy roles in the next year, compared to 55% for legal/compliance roles. However, respondents indicate there are skills gaps among these privacy professionals; they cite experience with different types of technologies and/or applications (63%) as the biggest one.
When looking at common privacy failures, respondents pinpointed the lack of or poor training (49%), not practicing privacy by design (44%) and data breaches (42%) as the main concerns.
“When privacy teams face limited budgets and skills gaps among their workforce, it can be even more difficult to stay on top of ever evolving and expanding data privacy regulations and even increase the risk of data breaches,” says Safia Kazi, ISACA principal, privacy professional practices. “By understanding where these challenges lie, organizations can take the necessary measures to remedy them and change course to strengthen their privacy teams and programs.”
Organizations offer privacy awareness training for employees
One of the ways that organizations are mitigating both workforce gaps and privacy failures is through training. 50% of respondents note they are training to allow non-privacy staff to move into privacy roles, while 39% are increasing usage of contract employees or outside consultants.
Regarding employee training, 86% indicate their organization provides privacy awareness training for employees, with 66% providing training to all employees annually and 52% providing privacy awareness training to new hires. Interestingly, respondents note that their organizations most often use the number of employees completing training (65%) as the main metric for tracking the effectiveness of privacy training, rather than a decrease in privacy incidents (56%).
Despite the challenges faced, 63% of organizations say they did not have a material privacy breach in the past 12 months, and 18% are not seeing a change in the number of breaches they are experiencing. Respondents are also optimistic: only 16% say they expect a material privacy breach in the next 12 months.
Privacy by design
Organizations that practice privacy by design experience some key advantages:
- They have more employees in privacy roles (median staff size 15 vs. nine among all respondents) and are more likely to say their technical privacy department is appropriately staffed (42% vs. 34% among all respondents).
- They strongly believe their board of directors prioritizes organizational privacy (77% vs. 57% total).
- They are much less likely to see organizational privacy programs as purely compliance driven (35% vs. 44% total), and more likely to see them as a combination of compliance, ethics and competitive advantage (39% vs. 29% total).
- They feel their privacy budget is appropriately funded (50% vs. 36% total).
Ultimately, organizations that always practice privacy by design are also much more likely to be very or completely confident in their organization’s privacy team’s ability to ensure data privacy and achieve compliance with new privacy laws and regulations (71% versus 43%).