New ISACA Study: Privacy Teams Are Shrinking, Increasingly Stressed

SCHAUMBURG, Ill.--(BUSINESS WIRE)--Privacy professionals are facing a data-dominated landscape, a complex web of regulations and more limited resources this year. According to the State of Privacy 2026 survey report from ISACA, these professionals are feeling increasingly strained, with 65 percent saying their roles are more stressful now compared to five years ago.

ISACA’s latest State of Privacy survey report also finds rising use of AI among privacy professionals.

Share

This report, with insights gathered from more than 1,800 privacy professionals in the ISACA community worldwide, finds that respondents were most stressed by the rapid evolution of technology (71 percent, up from 63 percent last year), followed by compliance challenges (62 percent) and resource shortages (61 percent).

Strained resources and teams

Regarding resources, 43 percent of respondents report that their privacy budget is underfunded, with 36 percent citing it as appropriately funded. Respondents are less optimistic about their privacy budget for next year, with 22 percent saying it will increase (down from 26 percent in 2025), and only 2 percent saying it will remain the same. Half anticipate a decrease in their privacy budget in the next 12 months.

Shrinking team sizes are also a concern, with the median privacy staff size dropping from eight in 2025 to five this year. Respondents indicate that both technical (47 percent) and legal/compliance (37 percent) roles on their teams are understaffed. Additionally, 53 percent say skills gaps exist with today’s privacy professionals—with technical expertise (54 percent) and experience with different types of technologies and/or applications (52 percent) ranking at the top.

To address skill gaps, the survey finds that privacy teams are training non-privacy staff who are interested in moving into privacy roles (48 percent) and increasing the usage of contract employees or outside consultants (36 percent).

“The pressing challenges that privacy professionals face in an increasingly complex data privacy threat landscape and regulatory environment underscore how critical it is for organizations to dedicate the necessary resources to support privacy teams in their vital work,” says Safia Kazi, ISACA principal research analyst - privacy. “Investing in and empowering privacy teams is not only an operational requirement for organizations but also a vital step in building trust and resilience.”

Obstacles and breaches

Forty-three percent of respondents say they are confident in their organization’s ability to ensure the privacy of its sensitive data. However, 44 percent also indicate that their organization’s privacy program faces obstacles, including:

• Management of risks associated with new technologies (52 percent)
• Complex international legal and regulatory landscape (45 percent)
• Lack of competent resources (43 percent)

In looking at where privacy programs go wrong, respondents identified the following as the most common privacy failures within an organization:

• Lack of training or poor training (51%, up from 47% in 2025)
• Not practicing privacy by design (50%, up from 41% in 2025)
• Data breach/leakage (44%)

Additionally, 14 percent of respondents say their organizations experienced a material privacy breach in the past 12 months. While 23 percent did not see a change in the number of breaches, 19 percent (up from 15 percent in 2025) expect a material privacy breach in the next 12 months—reflecting a slight increase in pessimism in this area.

Privacy programs, frameworks and controls

The survey also found that slightly fewer organizations appear to be practicing privacy by design—58 percent always or frequently practice privacy by design when building new applications or services, down from 62 percent in 2025.

Slightly under half (46 percent) say they are very or completely confident in their organization’s privacy team’s ability to achieve compliance with new privacy laws and regulations. And though only 31 percent of respondents say they find it easy to understand their privacy obligations, slightly fewer than last year say they consider it to be difficult—20 percent, compared to 24 percent in 2025.

Additionally, 26 percent say they have no plans to use AI (bots or machine learning) to perform any privacy-related tasks, down from 36 percent in 2024 and 31 percent in 2025. However, 38 percent indicate they plan to use AI for this function in the next 12 months.

Kazi will delve into the survey findings in a webinar on 20 January: https://store.isaca.org/s/community-event?id=a33VQ000001bqyLYAQ.

To access the survey report and related resources, visit www.isaca.org/state-of-privacy. For additional privacy resources, visit www.isaca.org/resources/privacy.

About ISACA

For more than 55 years, ISACA^® (www.isaca.org) has empowered its community of 190,000+ members with the knowledge, credentials, training and network they need to thrive in information security, governance, assurance, risk management, data privacy and emerging tech. With a presence in more than 190 countries and more than 230 chapters worldwide, ISACA offers resources tailored to every stage of members’ careers. Through the ISACA Foundation, ISACA also expands IT and education career pathways, fostering opportunities to grow the next generation of technology professionals.