Over 40% of privacy professionals in Europe feel their organizations aren’t investing enough in data privacy initiatives. A staggering 54% expect budgets to shrink in 2025, according to a study by Isaca, a tech governance and digital trust association.
Despite the General Data Protection Regulation (GDPR) kicking in back in May 2018, only 38% of these professionals trust their organizations to protect sensitive customer and employee data. The report notes that a mere 24% of European organizations are following privacy-by-design principles. Many risk falling short of GDPR compliance, with new EU regulations like the AI Act and Digital Services Act on the horizon.
Chris Dimitriadis, Isaca’s global chief strategy officer, emphasized the growing complexity and critical nature of privacy as a sector. He pointed out that 66% of privacy professionals in Europe feel their jobs have become more stressful over the past five years, and this stress is driven by ongoing budget cuts. While companies may save money in the short run, they’re setting themselves up for bigger problems down the line.
The report also revealed staffing challenges, with 52% of privacy teams unable to fill vacancies—an improvement of only 1% from last year. Once teams do hire new members, they struggle to keep them.
On a brighter note, organizations that adopt privacy-by-design practices tend to do better. They’re more likely to have enough staff and report fewer skills gaps. For those practicing privacy-by-design, 43% said they have adequate personnel, and 58% of leaders expressed high confidence in their privacy teams.
Interestingly, 56% of these organizations have managed to close knowledge gaps by training non-privacy staff who want to build their skills, compared to 44% in organizations that don’t practice privacy-by-design. Common skill gaps include knowledge of diverse applications and technologies, technical expertise, and IT operations.
However, Isaca believes creating the skilled workforce needed for privacy-by-design compliance is achievable. About 47% of organizations now provide training for non-privacy staff to transition into privacy roles, and they see experience in other compliance or legal areas as valuable for identifying strong internal candidates.
Dimitriadis highlighted that embedding privacy throughout the organization is crucial for sustained data protection and building trust among stakeholders. To manage stress levels and maintain resilience, staff need ongoing training and support in emerging technologies, privacy-enhancing strategies, and compliance knowledge.