Brian Sims
Editor

“Privacy budgets expected to shrink despite rising risks” finds ISACA research

PRIVACY TEAMS are being asked to manage growing risk with fewer resources. That’s according to new research results issued by ISACA, the global professional association helping individuals and organisations alike in their pursuit of digital trust.

Despite accelerating privacy threats and regulatory demands, more than four in every ten (44%) privacy professionals in Europe state that their teams are underfunded, while over half (54%) expect privacy budgets to decrease further in 2026.

In a region exhibiting one of the world’s most mature privacy regulation environments, underinvestment is already having tangible consequences across Europe. Nearly four in ten (39%) of legal privacy roles and over half (51%) of technical privacy roles are understaffed, while more than a quarter (26%) of privacy professionals believe their organisation is likely to experience a material privacy breach within the next year.

Taken together, this highlights a growing contradiction for European organisations: privacy risk and regulatory expectations continue to rise, while investment in people and resources is being scaled back.

Board-level attention remains inconsistent. More than a quarter (26%) of European respondents note that their Board of Directors is failing to adequately prioritise privacy even as the risks continue to intensify.

Fewer resources

Chris Dimitriadis, global chief strategy officer at ISACA, explained: “Privacy teams are being asked to manage more risk with fewer resources. The strain is beginning to show. As organisations adopt new technologies at speed, the volume and complexity of privacy obligations grow in parallel, yet many teams are still operating without the levels of staffing, funding or training they need to keep pace.”

Dimitriadis added: “When Boards of Directors underestimate privacy, they underestimate a fundamental pillar of digital trust. A single privacy breach can erode years of brand equity, damage customer relationships and trigger significant regulatory consequences. Prioritising privacy is not simply a compliance requirement. Rather, it’s a business imperative.”

These pressures are mounting at a time when risks are accelerating. Nearly half (49%) of professionals say managing the risks associated with new technologies is a major obstacle to their privacy programmes. The human impact is equally stark: 67% say their job is more stressful now than it was five years ago, with respondents pointing to the rapid pace of technological change (68%) and compliance challenges (64%) as key drivers.

Regulatory complexity is compounding these challenges. Over one-fifth (22%) of privacy professionals in Europe comment that their organisation struggles to identify and understand its privacy obligations, while more than half (51%) point to the complexity of international laws and regulations as a key barrier.

Confidence in future readiness is particularly low, with just 8% of respondents completely confident in their organisation’s ability to comply with new and emerging privacy laws.

Narrow focus

While regulation is helping to elevate privacy discussions at Board level – with 44% of professionals affirming that their Board views the privacy programme as being compliance-driven – a narrow focus on compliance alone leaves organisations somewhat exposed. True resilience requires Boards of Directors to view privacy as a strategic and ethical priority.

Dimitriadis continued: “These gaps underline a critical truth: privacy cannot be strengthened solely through controls or checklists, even with the help of Artificial Intelligence. It demands sustained investment in people, governance and culture. That begins at the top.”

Embellishing this theme, Dimitriadis stated: “Boards must treat privacy as a strategic driver of trust, resilience and competitive advantage, not just as a compliance checkbox. When organisations equip their privacy teams with the skills, resources and authority they need, they are not just reducing risk. They’re preparing their business for the next wave of regulatory and technological change. By investing in training and professional development today, leaders can build a foundation of privacy resilience that’s ready for the evolving landscape.”

Many organisations are taking positive steps, with 79% of those businesses interviewed in Europe using a framework or regulation (most commonly the General Data Protection Regulation) to guide their privacy programme, and a majority implementing controls such as data security (71%) and encryption (73%).

Crucial gaps remain

However, critical gaps remain. Only 64% of European organisations have a formal Incident Response Plan in place as part of their privacy controls, leaving more than one-third unprepared to respond effectively to privacy incidents.

Retention is also a growing concern, with 34% of organisations reporting difficulty in retaining qualified privacy professionals and 45% citing either a lack of training or poor training as a key contributor to privacy failures.

As privacy risks continue to rise, ISACA warns that failing to invest now could leave organisations increasingly vulnerable in the years ahead.

*Further information is available online at www.isaca.org
