ISACA’s newly released State of Privacy 2026 survey warns that privacy teams across Oceania are under increasing pressure as resources shrink and risk continues to grow, turning privacy into a broader business and governance issue.
The survey, based on responses from more than 1,800 privacy professionals globally, found that nearly two-thirds (63 per cent) of respondents in Oceania say their roles are more stressful than they were five years ago. The leading source of stress is the rapid pace of technological change, cited by 71 per cent of respondents, followed by compliance challenges (62 per cent) and shortages of resources (61 per cent).
Budget constraints are emerging as a critical concern. Globally, 43 per cent of respondents said their privacy budgets are underfunded, while just over a third described them as appropriately funded. In Oceania, outlooks are notably pessimistic: only 8 per cent expect their privacy budget to increase in the next 12 months, compared with 22 per cent globally, while 60 per cent expect budgets to decline.
ISACA Vice Chair Jamie Norton said organisations across the region are asking increasingly small privacy teams to manage complex regulatory obligations, emerging technologies such as AI, and rising breach risk at the same time. He warned that when investment fails to keep pace with expectations, privacy risk quickly escalates beyond compliance into a broader business and governance challenge.
Team capacity is also tightening. The global median size of privacy teams has fallen from eight staff in 2025 to five in 2026. Respondents report shortages in both technical roles (47 per cent) and legal or compliance roles (37 per cent). More than half (53 per cent) believe skills gaps exist, particularly in technical expertise and experience with diverse technologies.
To address these gaps, organisations are increasingly retraining non-privacy staff and relying on contractors or external consultants. More than half of respondents globally said that at least 50 per cent of their privacy staff transitioned into privacy from other fields, highlighting the profession’s reliance on cross-disciplinary talent.
Confidence levels are also lower in Oceania than elsewhere. Only 26 per cent of respondents in the region said they are confident in their organisation’s ability to protect sensitive data, compared with 43 per cent globally. Forty-four per cent of all respondents reported obstacles to effective privacy programs, including managing risks from new technologies, navigating complex international regulations and a lack of skilled resources.
Common privacy failures identified in the survey include inadequate training, failure to embed privacy by design, and data breaches or leakage. Fourteen per cent of respondents said their organisation experienced a material privacy breach in the past year, while 19 per cent expect one in the next 12 months, reflecting growing concern about future exposure.
The survey also points to shifts in privacy controls and practices. While data security, encryption and data loss prevention remain widely used, reliance on identity and access management has declined. Fewer organisations are consistently applying privacy by design, and less than half of respondents said they are very confident in their organisation’s ability to comply with new privacy laws.
Despite these challenges, the report notes gradual progress in understanding privacy obligations and increased interest in using AI to support privacy functions, with more organisations planning to adopt AI-driven tools over the next year.
ISACA said the findings underscore the need for organisations to reassess how privacy is resourced and governed, as shrinking teams and rising complexity make privacy risk increasingly inseparable from broader enterprise risk.
