Brian Sims
Editor
MORE THAN two-in-five (45%) privacy professionals operating in Europe believe that the privacy budget within their host organisation is underfunded. This marks an increase from 41% in 2024. Upwards of half of them (54%, in fact) expect their budgets in this area to decrease further in 2025. That’s according to new research conducted by ISACA, the global professional association helping individuals and organisations in their pursuit of digital trust.
Despite the maturity of the General Data Protection Regulation (GDPR) in Europe, only one-third (38%) of European professionals are confident in the ability of their organisation to safeguard sensitive data. With only 24% of European organisations always practising Privacy by Design, many risk falling short of compliance with GDPR and new frameworks including the Digital Services Act and the AI Act.
Circa 52% of technical privacy teams in Europe remain understaffed, with that figure only improving marginally from 53% in 2024 as organisations continue to encounter difficulties with staff retention. 37% of European organisations are struggling to retain qualified privacy professionals.
Threat landscape evolving
Chris Dimitriadis, global chief strategy officer at ISACA, explained: “As the threat landscape continues to evolve in terms of its complexity, privacy is becoming a sector which is increasingly difficult to operate in, but also more critical. Two-thirds (ie 66%) of the European professionals working in privacy roles who we spoke to said their job is more stressful now in comparison with five years ago. This is only being exacerbated still further by continued underfunding. While companies may be making a short-term financial gain, they’re also putting themselves at long-term risk.”
European organisations that always practise Privacy by Design are more likely to say they have appropriately staffed privacy teams and decreased privacy skills gaps. 43% of European organisations that always practise Privacy by Design suggest that their technical privacy teams are appropriately staffed (versus 33% of those that do not), while 58% are highly confident in their technical privacy teams as a result.
More than half (56%) of European organisations that always practise Privacy by Design have decreased privacy skills gaps by training non-privacy staff who are interested in moving into privacy roles, compared to 44% of those that do not.
A skilled and supported workforce is key to ensuring Privacy by Design is achievable. The biggest skills gaps reported by European organisations are experience with different types of technologies and/or applications (62%), technical expertise (49%) and IT operations knowledge and skills (45%).
In order to combat the skills gap and wider privacy challenges they’re facing, 47% of European organisations offer training to allow non-privacy staff to move into privacy roles. Experience is key to filling the skills gap: 95% of respondents consider compliance and legal experience an important factor in determining if a privacy candidate is qualified, while 89% consider credentials important compared with only 54% advocating for a university degree.
Long-term data protection
Dimitriadis continued: “Best Practice in Privacy by Design and embedding privacy across an entire enterprise is key to long-term data protection. Such a comprehensive approach fosters trust with stakeholders and safeguards against ever-evolving threats, but this isn’t possible without skilled privacy teams whose members feel prepared and able to drive privacy practices from a technology, business and compliance point of view.”
He added: “There are several ways in which to plug the skills gap. The provision of training and continuous support for privacy staff on emerging technologies, privacy-enhancing technologies and invoking cyber security and data protection architectures on top of legal compliance knowledge is essential for managing their stress and maintaining organisational resilience.”
*All figures quoted are based on fieldwork conducted by ISACA between 13 September and 30 September 2024 among 1,603 global respondents working in the privacy domain (of which 351 are located in Europe)