New research by ISACA has revealed that more than two in five (45%) privacy professionals in Europe believe that their organisation’s privacy budget is underfunded, an increase from 41% in 2024. Worryingly, over half (54%) of privacy professionals expect budgets to decrease further in 2025. This may leave privacy teams under resourced, understaffed and, in many cases, under a lot of stress.
Chris Dimitriadis, Global Chief Strategy Officer at ISACA, noted, “As the threat landscape continues to evolve in complexity, privacy is becoming a sector which is increasingly difficult to operate in, but also more critical. Two thirds (66%) of the European professionals working in privacy roles who we spoke to said their job is more stressful now compared to five years ago. This is only being exacerbated by continued underfunding. While companies may be making a short-term financial gain, they are putting themselves at long-term risk.”
Despite the maturity of the General Data Protection Regulation in Europe, only a third (38%) of European professionals are confident in their organisation’s ability to safeguard sensitive data. With only a quarter (24%) of European organisations always practicing Privacy by Design, many risk falling short of compliance with GDPR and new frameworks like the Digital Services Act and AI Act.
The research found that European organisations who always practice Privacy by Design are more likely to say they have appropriately staffed privacy teams and decreased privacy skills gaps. 43% of European organisations who always practice Privacy by Design say their technical privacy teams are appropriately staffed (versus 33% of those who do not) and 58% are highly confident in their technical privacy teams as a result.
More than half (56%) of European organisations who always practice Privacy by Design have decreased privacy skills gaps by training non-privacy staff who are interested to move into privacy roles, compared to 44% of those who do not. A skilled and supported workforce is key to ensuring Privacy by Design is achievable.
Dimitriadis continues: “Practicing Privacy by Design and embedding privacy across an entire enterprise is key to long-term data protection. Such a comprehensive approach fosters trust with stakeholders and safeguards against ever-evolving threats – but this isn’t possible without skilled privacy teams who feel prepared and able to drive privacy practices from a technology, business and compliance point of view.”
Additionally, talent acquisition and retention remains an issue in the data privacy space. This is a problem facing every part of the industry as a whole. However, for data privacy pros, the research found that over half of technical privacy teams in Europe remain understaffed as organisations continue to encounter difficulties with staff retention. 37% of European organisations struggle to retain qualified privacy professionals.
Some organisations have turned to reskilling staff with the skills and knowledge needed for effective data privacy. Interestingly, the research suggests that 47% of European organisations offer training to allow non-privacy staff to move into privacy roles. However, experience is key to filling the skills gap, with 95% of respondents considering compliance and legal experience an important factor in determining if a privacy candidate is qualified, and 89% consider credentials important, compared with only 54% for a university degree.
“There are several ways to plug the skills gap,” said Dimitriadis. “Providing training and continuous support for privacy staff on emerging technologies, privacy-enhancing technologies, and cybersecurity and data protection architectures on top of legal compliance knowledge is essential for managing their stress and maintaining organisational resilience.”