Privacy professionals are under growing pressure as they face budget cuts, resource challenges and regulatory changes. According to ISACA’s State of Privacy 2025 survey report, almost half expect a budget decrease in the next year and 73% indicate expert-level privacy professionals are the most difficult to hire, adding to the stress of keeping data safe and meeting compliance requirements.
The new research from ISACA, the leading global professional association helping individuals advance their careers in digital trust fields, reflects insights from more than 1,600 privacy professionals worldwide.
The study found that 63% of privacy professionals say their role is more stressful now than five years ago, with 34% indicating it is significantly more stressful. They cite the main causes of this stress as the rapid evolution of technology (63%), compliance challenges (61%) and resource shortages (59%).
These findings align with what respondents cited as the top three obstacles facing privacy programs, including the complex international legal and regulatory landscape (38%), lack of competent resources (37%), and management of risks related to new technologies (36%).
When it comes to resources, 43% indicate their privacy budget is underfunded, and 48% expect a budget decrease in the next year. In terms of staff, respondents are finding it tough to hire expert-level privacy professionals, with 73% indicating they are the most difficult privacy employees to hire.
Privacy professionals are facing other difficulties. Only 44% are confident that their organisation’s privacy team can ensure data privacy and achieve compliance with new privacy laws and regulations. Additionally, only 33% of organisations find it easy to understand privacy obligations, with 23% considering it difficult.
Respondents also provided insights into their most common privacy failures, listing lack of training or poor training (47%), data breaches (42%), and not practising privacy by design (41%) as the top three.
“Privacy professionals are feeling the strain of shrinking budgets and increasing demands, all while grappling with regulatory changes and resource shortages,” said ISACA’s Jo Stewart-Rattray. “Greater investment in privacy teams, training and tools is essential to help organisations meet their responsibility to protect data and maintain trust.”
“With almost half of privacy professionals anticipating budget cuts and many struggling to recruit skilled staff, organisations need to act now,” she added. “Prioritising robust privacy frameworks and embedding strong practices into daily operations will enable companies to better safeguard data, meet compliance requirements and strengthen customer trust.”
In spite of these challenges, the research revealed some encouraging findings. While the median privacy staff size declined slightly from the previous year (eight this year compared to nine the prior), fewer survey respondents reported that their privacy teams are understaffed. This includes technical privacy roles, with understaffing reported at 54% in 2024 compared to 46% in 2025, and legal/compliance roles, with understaffing reported at 44% in 2024 compared to 38% in 2025.
Additionally, 74% of respondents reported that privacy strategy was aligned with organisational objectives, and over half (57%) believed that the board of directors had adequately prioritised their organisation’s privacy.
Enterprises are taking compliance seriously, with 82% of respondents indicating they use a framework or law/regulation to manage privacy and 68% saying it is mandatory to address privacy with documented policies and procedures.
Most respondents also do not believe they are experiencing more privacy breaches this year compared to last year, and 29% believe it is unlikely they will experience a material privacy breach in the next 12 months.
The survey findings, as in past years, indicate that practicing privacy by design sets enterprises apart. Sixty-seven per cent of respondents indicate that they practice privacy by design and the integration of privacy into the entire engineering process when building new applications and services. The survey found that enterprises that always practice privacy by design are more likely to:
- Have high confidence in their privacy teams (68% versus 41% total);
- Believe their technical privacy area is appropriately staffed (50% versus 40% total)
- Have decreased privacy skills gaps by training non-privacy staff for privacy roles (57% versus 48% total); and
- Believe their boards of directors prioritise privacy (80% versus 57% total).
More respondents also reported using artificial intelligence for privacy-related tasks this year (11%) than last year (8%). The use of AI for this purpose was also found to be higher in enterprises that were not purely compliance-driven, with 14% of those in enterprises with boards that viewed privacy ethically or as a competitive advantage using AI for privacy-related tasks, compared with 9% from enterprises with boards that view privacy programs as compliance-driven. This use of AI was also higher among enterprises that regularly practice privacy by design, with 18% of those who indicate they always practice privacy by design reporting that they are using AI for privacy work.
“When privacy is aligned with business objectives, integrated into the enterprise with a privacy by design approach, and viewed as both an ethical and compliance responsibility, organisations stand to gain tremendous value,” says ISACA’s Safia Kazi. “Enterprises must continue to prioritise and advance their privacy programs, leveraging the right emerging technology, frameworks, training and best practices for them, to keep pace.”
