Executive Summary
The ISACA State of Privacy 2025 report, based on a survey conducted in September 2024, explores key trends in privacy staffing, operations, budgets, compliance, the use of AI, awareness training, breaches, and the role of privacy by design. While the findings are generally consistent with the previous year, they highlight ongoing challenges, particularly related to staffing and potential budget cuts, while also noting increased AI adoption and a growing recognition of the value of privacy by design. The report underscores the critical importance of privacy in maintaining customer trust and mitigating risks associated with breaches.
Key Themes & Findings
Privacy Staffing and Operations
- Shrinking Teams: The median privacy staff size decreased from nine in 2024 to eight in 2025. However, fewer respondents reported feeling understaffed compared to the previous year.
- Technical vs. Legal/Compliance: Demand for technical privacy roles is expected to increase more than legal/compliance roles. This trend is consistent with previous years.
“Demand for technical privacy roles is considerably more likely to increase in the next year compared to legal/compliance roles.”
- Open Positions: Open positions in both technical and legal/compliance roles have decreased. This may be due to “The Big Stay,” where employees are staying in their current roles longer.
- Time to Hire: The time it takes to fill open roles has decreased, and more applicants are considered well-qualified, which may also contribute to the decreased perception of being understaffed.
“Sixteen percent of respondents indicated that the speed of filling open legal/compliance privacy roles increased, while 18% indicated the speed of filling technical privacy roles increased.”
- Expertise Needed: Expert-level privacy professionals are the most difficult to hire. Compliance/legal experience, hands-on privacy experience, and technical experience are the most desired qualifications for candidates.
- Retention Challenges: Many organizations (38%) struggle to retain privacy professionals, with many noting that the role has become more stressful. Factors include:
  - Technology’s rapid evolution
  - Compliance challenges
  - Resource shortages
  - Competing priorities
“Sixty-three percent of respondents believed their role was more stressful than it was five years ago, with 34% indicating their role was significantly more stressful.”
- Skill Gaps: The top skill gaps in privacy professionals are:
  - Experience with different types of technologies and/or applications (61%)
  - Experience with frameworks and/or controls (49%)
  - Technical expertise (48%)
- Addressing Skill Gaps: Organizations are addressing skill gaps with training, contract employees, performance-based training, AI, and credentials.
Privacy Prioritization and Budgets
- Board Prioritization: Just over half of the respondents (57%) believe their board of directors adequately prioritizes privacy.
- Privacy Strategy Alignment: A majority (74%) reported their organization’s privacy strategy aligns with organizational objectives.
- Accountability: The Chief Privacy Officer (CPO) is the most likely individual to be primarily accountable for privacy operations.
- Budgetary Concerns: Many respondents (43%) feel their privacy budget is underfunded. The report notes concerns about potential budget cuts as survey results indicate that a higher proportion of respondents anticipate budget cuts compared to previous years.
Compliance and Regulatory Landscape
- Frameworks and Laws: A large majority (82%) use a framework or law/regulation to manage privacy.
- Communication with Legal/Compliance: Many organizations meet regularly with legal/compliance, but there is considerable variance.
“Twenty-eight percent of respondents meet with legal/compliance professionals quarterly, 24% meet with them once or twice a year, 18% meet with them monthly, 16% meet with them as new privacy laws/regulations go into effect, 8% meet with them weekly, and 7% never meet with them.”
- Understanding Obligations: Only a third found it easy to identify and understand privacy obligations.
- Confidence in Compliance: Most respondents felt confident in their organization’s ability to ensure data privacy and compliance.
- Importance of Documentation: The majority (68%) of respondents said that addressing privacy with documented privacy policies, procedures, and standards was mandatory. This number increased to 80% among respondents who believed their board adequately prioritized privacy.
Use of AI in Privacy
- Increased Adoption: A greater percentage of respondents are using AI for privacy-related tasks compared to last year.
- Potential Benefits: AI is being used to address skill gaps and manage large data volumes.
- AI and Privacy by Design: The current use of AI was also higher among enterprises that regularly practiced privacy by design.
“Of respondents who said they always practiced privacy by design, 18% reported currently using AI for privacy-related tasks.”
- Beyond Compliance: Enterprises that approach privacy ethically or as a competitive advantage are more likely to utilize AI for privacy.
Privacy Awareness Training
- Wide Adoption: A large percentage (87%) of organizations provide privacy awareness training to employees.
- Annual Updates: Most (59%) update privacy awareness training annually, although a portion only update when new laws go into effect, and some do not update at all.
- Metrics for Evaluation: Common metrics to evaluate training effectiveness include:
  - Number of employees who have completed training
  - Number of privacy incidents
  - Privacy complaints received from customers
- Benefits: Most (86%) felt that privacy training and awareness programs positively impacted overall employee privacy awareness.
Privacy Breaches
- Consistency in Breach Rates: The percentage of respondents experiencing a material privacy breach is similar to the previous year.
“In 2024, 11% of respondents had experienced a material privacy breach in the past 12 months, 63% had not, 18% didn’t know, and 8% preferred not to answer.”
- Uncertainty about Breaches: There is uncertainty about the likelihood of future breaches, with a significant percentage of respondents indicating they do not know whether they’ll experience a breach in the next 12 months. This indicates that privacy risk isn’t a mature discipline at some organizations.
- Confidence in Data Privacy: Only 40% feel confident in their organization’s ability to ensure data privacy.
- Privacy by Design Impact: Those who always practiced privacy by design were more confident in their ability to ensure data privacy.
“This percentage jumps to 54% for respondents whose board adequately prioritized privacy and 68% for those who always practiced privacy by design.”
Privacy by Design
- Widespread Implementation: A majority (67%) reported that their organization practices privacy by design, though the frequency varies.
“Always (27%), Frequently (35%), Sometimes (23%), Rarely (9%) or Never (5%)”
- Collaboration Gaps: Collaboration with procurement and product/business development teams, which are vital for privacy by design, is not always consistent.
- Impact on Support: Organizations that always practice privacy by design tend to have more board support, resources, and budget.
- Alignment with Objectives: These organizations are also more likely to have a privacy strategy that aligns with organizational objectives.
- Maturity: They also are more likely to address privacy with documented policies, procedures, and standards.
Obstacles to Privacy Program Effectiveness
The most common obstacles include:
- Complex international legal and regulatory landscape
- Lack of competent resources
- Management of risk associated with new technologies
- Lack of clarity on the mandate, roles, and responsibilities
- Lack of executive or business support
- Lack of visibility and influence within the organization
- Poor data management practices
- Lack of a privacy strategy and implementation roadmap
Most Common Privacy Failures
- Not performing a risk analysis
- Lack of training or poor training
- Noncompliance with applicable laws and regulations
- Bad or nonexistent detection of personal information
- Data breach/leakage
- Not practicing privacy by design
- Social engineering
- Ethical decision making
Conclusion
The State of Privacy 2025 report reveals that privacy remains a priority, and privacy teams face significant challenges, particularly concerning staffing and budget constraints. However, organizations that prioritize privacy, especially those practicing privacy by design, are more likely to have board-level support, adequate resources, and greater confidence in their ability to ensure data privacy. The report underscores that a proactive and ethical approach to privacy, extending beyond mere compliance, is crucial for organizations aiming to thrive in the current digital landscape. Furthermore, AI has increasingly become an important tool for privacy teams, especially for organizations that are not driven purely by compliance goals.
This briefing document provides a comprehensive overview of the key findings and trends highlighted in the ISACA State of Privacy 2025 report. For a deeper understanding of specific areas of interest, it is recommended that you examine the full report.