Over 40% of European privacy professionals believe their organisations are not putting sufficient money behind data privacy initiatives, and 54% expect to get less money to play with during 2025, according to research from tech governance and digital trust association Isaca.
Even though the General Data Protection Regulation (GDPR) in Europe, and its UK equivalent, came into force in May 2018, Isaca also found that only 38% of European professionals were confident in the ability of their organisations to safeguard sensitive customer and employee data.
Isaca also warned that only 24% of European organisations were adhering to privacy-by-design principles, and many risked running afoul of GDPR and other new European Union (EU) frameworks and regulations – the AI Act and Digital Services Act, to name but two.
“As the threat landscape continues to evolve in complexity, privacy is becoming a sector which is increasingly difficult to operate in, but also more critical,” said Isaca global chief strategy officer Chris Dimitriadis.
“Two-thirds [66%] of the European professionals working in privacy roles who we spoke to said their job is more stressful now compared to five years ago. This is only being exacerbated by continued underfunding. While companies may be making a short-term financial gain, they are putting themselves at long-term risk.”
The issues businesses across Europe now face are compounded by understaffing, the report found, with 52% of technical privacy teams unable to fill their vacant seats, a marginal improvement of just one percentage point on last year's report.
Respondents to the study also said they were struggling to retain staff once seated.
Privacy-by-design pays off for some
On a positive note, Isaca found that organisations adopting privacy-by-design best practice were faring better, and were more likely to have appropriately staffed teams and fewer skills gaps. Of those organisations that do practise privacy-by-design, 43% said they had enough staff at the coalface, and 58% of their leaders reported being "highly confident" in their technical privacy teams.
Interestingly, 56% of privacy-by-design proponents said they had effectively decreased their knowledge gaps by training non-privacy staff who were keen to diversify their skillsets, compared with 44% of organisations that do not practise privacy-by-design.
Where skills gaps did exist, these tended to be in areas such as experience with different applications and technologies, technical expertise, and IT operations knowledge and skills.
Nevertheless, Isaca said that building the appropriately skilled and supported workforce needed to achieve privacy-by-design compliance was clearly achievable. It found that 47% of all organisations now offer training to allow non-privacy staff to move into privacy roles, and more are treating experience in other compliance or legal functions as a useful way to identify the best internal candidates.
“Practicing privacy-by-design and embedding privacy across an entire enterprise is key to long-term data protection,” said Dimitriadis.
“Such a comprehensive approach fosters trust with stakeholders and safeguards against ever-evolving threats – but this isn’t possible without skilled privacy teams who feel prepared and able to drive privacy practices from a technology, business and compliance point of view.
“There are several ways to plug the skills gap,” he said. “Providing training and continuous support for privacy staff on emerging technologies, privacy-enhancing technologies, and cyber security and data protection architectures on top of legal compliance knowledge is essential for managing their stress and maintaining organisational resilience.”