Original Date of Publication: January 27, 2024
ISACA, the global association for IT governance, risk and security professionals, recently released its Privacy in Practice 2024 survey report, which provides a comprehensive analysis of the current state and emerging trends in privacy practices. Conducted in anticipation of Data Privacy Day on January 28, the report draws insights from more than 1,300 privacy professionals worldwide, spanning multiple industries and geographic locations.
The survey delves into various facets of privacy, addressing key areas such as the impact of evolving privacy regulations, the causes and consequences of privacy failures, the demand for privacy professionals, budget considerations, and the implementation of privacy by design principles. Through an analytical lens, the report highlights critical findings and their implications for organizations and privacy professionals.
The analysis highlights the challenges organizations face in understanding their privacy obligations, with only 34% finding it easy to understand their responsibilities in the complex and dynamic privacy regulatory landscape. It also reveals a significant gap between the expectations and capabilities of privacy teams, with only 43% expressing confidence in their teams’ ability to ensure privacy and achieve compliance.
Budget constraints emerge as a notable concern, with 43% of organizations reporting underfunded privacy budgets. Alarmingly, 51% expect budgets to further decrease by 2024, raising concerns about the sustainability and effectiveness of privacy programs. This finding underscores the need for organizations to reevaluate their financial commitment to privacy initiatives.
The report highlights the barriers to establishing robust privacy programs, citing a lack of skilled resources, unclear mandates and insufficient executive support as the primary obstacles. Demand for technical privacy positions is high, with 62% of respondents expecting demand to increase. Significant skills gaps remain, however, particularly in dealing with various technologies, which calls for increased investment in training and development.
Privacy failures, including inadequate training, lack of privacy by design practices, and data breaches, indicate a prevailing need for a proactive and preventative approach to privacy. The adoption of privacy by design is recognized as valuable, offering benefits such as improved customer trust, brand reputation, innovation, and compliance. However, challenges such as lack of awareness, resources and tools point to the need for increased education and support.
Underscoring the critical nature of privacy, Safia Kazi, ISACA’s principal of privacy professional practices, notes that the survey provides a timely snapshot for organizations to understand and address the challenges and opportunities in their privacy teams and programs.
To fill workforce gaps and mitigate privacy failures, organizations are investing in staff training. The survey reports that 50% of respondents are training non-privacy staff to transition into privacy roles, while 39% are increasing their use of contractors or outside consultants. Privacy awareness training is widespread, with 86% of organizations offering it, although metrics of effectiveness focus primarily on completion rates rather than incident reduction.
Despite these efforts, privacy remains a challenge for many organizations. Only 63% reported no significant data breaches in the past 12 months, and 18% reported no change in breach incidents. Yet optimism prevails, with only 16% expecting a significant data breach in the next year.
The report concludes by highlighting the value of privacy by design, citing that organizations practicing it have more staff, better alignment with business objectives, and increased confidence in complying with new privacy laws and regulations. Lisa McKee, Ph.D., founding partner of American Security and Privacy and a member of ISACA’s Emerging Trends Working Group, emphasizes that privacy by design is a proactive approach that brings significant value, highlighting the ethical obligation and competitive advantage of prioritizing privacy.