Business privacy obligations hard to understand


Despite new updates to privacy regulations across the globe, including Australia’s Privacy Act Review Report in 2023, only 39 percent of Oceania respondents say they find it easy to understand their organisation’s privacy obligations, according to ISACA’s Privacy in Practice 2024 survey report. This has led to low confidence, with only 44 percent of Oceania respondents feeling very or completely confident in their privacy team’s ability to achieve data privacy and compliance with new laws and regulations.

Jo Stewart-Rattray, Oceania Ambassador, ISACA, said the results are worrying and are cause for major concern globally, particularly around budget deficits, low confidence and lack of compliance clarity.

“Every organisation in ANZ and across the world, from SMEs through to enterprise, has a responsibility to protect the privacy of its customer and stakeholder data, and many governments, including Australia’s Federal government, are updating legislation to ensure best practice,” said Ms Stewart-Rattray. “It is paramount that organisations understand what is expected of them in order to devise an effective privacy policy and implement accordingly. Then they will be able to realise the benefits of embedding privacy practices in digital transformation from the outset, including customer loyalty, reputational and financial performance.”

Privacy Challenges

In addition to difficulty understanding the privacy regulatory landscape, organisations in Oceania face other data privacy challenges in line with global counterparts, including budget. Over half of respondents (56 percent in Oceania vs 51 percent globally) expect a decrease in budget, nearly half (43 percent globally) say their privacy budget is underfunded and only 36 percent globally say their budget is appropriately funded. 

The path to forming a privacy program is not always a smooth one, with global respondents indicating top obstacles include:

  • Lack of competent resources (41 percent)
  • Lack of clarity on the mandate, roles and responsibilities (39 percent)
  • Lack of executive or business support (37 percent)
  • Lack of visibility and influence within the organisation (37 percent)

In seeking those competent resources, 62 percent of global respondents indicate there will be increased demand for technical privacy roles in the next year, compared to 55 percent for legal/compliance roles.

“When privacy teams face limited budgets and skills gaps among their workforce, it can be even more difficult to stay on top of ever evolving and expanding data privacy regulations and even increase the risk of data breaches,” says Safia Kazi, ISACA principal, privacy professional practices. “By understanding where these challenges lie, organisations can take the necessary measures to remedy them and change course to strengthen their privacy teams and programs.”

Taking Action

One of the ways organisations are mitigating workforce gaps and privacy failures is through training. Half of global respondents (50 percent) note they are training to allow non-privacy staff to move into privacy roles, while 39 percent are increasing usage of contract employees or outside consultants.

With employee training:

  • 86 percent indicate their organisation provides privacy awareness training for employees, with 66 percent providing training annually.
  • 52 percent of respondents provide privacy awareness training to new hires.
  • 60 percent review and revise privacy awareness training at least annually.

Interestingly, respondents note that their organisations are most often looking at the number of employees completing training (65 percent) as the main metric used to track effectiveness of privacy training, not a decrease in privacy incidents (56 percent).

Organisations are also using a variety of privacy controls to strengthen data privacy beyond what is legally required, the top three being identity and access management (74 percent), encryption (73 percent), and data security (72 percent). 

Fewer breaches

Despite the challenges faced, 63 percent of respondents say they did not have a material privacy breach in the past 12 months, and 18 percent are not seeing a change in the number of breaches they are experiencing. Respondents are also optimistic about the coming year: less than 1 in 5 (16 percent) say they expect a material privacy breach in the next 12 months.

Privacy effectiveness 

To assess the effectiveness of privacy programs, survey respondents note their organisations are most often:

  • Performing a privacy risk assessment (49 percent) 
  • Performing a privacy impact assessment (PIA) (44 percent) 
  • Performing a privacy self-assessment (38 percent) 
  • Undergoing a privacy audit/assessment (34 percent)

Value of Privacy by Design

One of the clearest takeaways from the survey results is that organisations practicing privacy by design experience some key advantages: 

  • They have more employees in privacy roles (median staff size 15 vs. nine among all respondents) and are more likely to say their technical privacy department is appropriately staffed (42 percent vs. 34 percent among all respondents). 
  • They feel their privacy budget is appropriately funded (50 percent vs. 36 percent total).
  • They strongly believe their board of directors prioritises organisation privacy (77 percent vs. 57 percent total).
  • They are much less likely to see organisational privacy programs as purely compliance driven (35 percent vs. 44 percent total), and more likely as a combination of compliance, ethics and competitive advantage (39 percent vs. 29 percent total). 
  • They are much more likely to see their organisation’s privacy strategy aligned with organisational objectives (90 percent vs. 74 percent total). 
  • They use many more privacy controls overall than are legally required:
    – Data minimisation and retention controls (54 percent vs. 39 percent among all respondents)
    – Data quality and integrity (50 percent vs. 38 percent)
    – Cryptographic protection (59 percent vs. 46 percent)  

The Privacy in Practice 2024 survey report is complimentary and can be accessed at More than 1,300 professionals who work in data privacy roles responded to the survey, weighing in on privacy topics such as staffing, organisation structure, policies, budgets and training.