26% of privacy professionals expect a “material privacy breach” in 2026 as budget cuts and staff shortages stretch teams to the limit
Overworked, underfunded privacy teams are being left hung out to dry by executives
In January 2025, research from ISACA warned that organizations were deprioritizing privacy budgets and cutting funds for teams. One year on and the situation has deteriorated further, the association claims.
A confluence of challenges, including funding cuts, staff shortages, and growing regulatory compliance pressures, is pushing teams to their limits.
Nearly half (44%) of European-based survey respondents told ISACA their teams are already underfunded while 54% expect budgets to be cut further across 2026.
Around four-in-ten (39%) legal privacy workers and over half (51%) of technical privacy workers also reported staff shortages across their teams.
These funding cuts could have severe consequences further down the line, the association warned, especially as organizations continue ramping up adoption of AI tools.
Nearly half (49%) of respondents revealed that managing risks associated with emerging technologies is now a major obstacle to their long-term strategies. The pace of technological change is also having a marked impact on morale and workloads, with more than one-third (68%) highlighting this as a key challenge.
Adding insult to injury, 64% identified compliance-related challenges off the back of new technologies as a key stress driver, with teams forced to pivot rapidly to accommodate regulations.
Chris Dimitriadis, global chief strategy officer at ISACA, said the study shows privacy teams are now being asked to “manage more risk with fewer resources” – and the impact is beginning to show across Europe.
“As organizations adopt new technologies at speed, the volume and complexity of privacy obligations grow in parallel – yet many teams are still operating without the staffing, funding or training they need to keep pace,” he commented.
Privacy teams are bracing for impact
Privacy teams are frightfully aware of the potential risks associated with understaffing and budget cuts – it’s a trend they’ve contended with for several years now, the study noted.
Notably, many teams are bracing for impact as the effects of these trends come to fruition. More than one-quarter (26%) of respondents told ISACA their organization is “likely to experience a material privacy breach” within the next year.
“Together, this highlights a growing contradiction for European organizations: privacy risk and regulatory expectations continue to rise, while investment in people and resources is being scaled back,” ISACA said in a statement.
Boards still aren’t tuned in
Despite repeated calls for heightened support, privacy professionals still feel board-level attention is “inconsistent”. Just over one quarter (26%) of respondents said their board is “failing to adequately prioritize privacy” regardless of intensified risks.
“When boards underestimate privacy, they underestimate a fundamental pillar of digital trust,” Dimitriadis said. “A single privacy breach can erode years of brand equity, damage customer relationships and trigger significant regulatory consequences.
“Prioritizing privacy is not simply a compliance requirement; it is a business imperative.”
There are positives with regard to privacy awareness, however. The potential monetary penalties associated with regulatory compliance failures mean executives are beginning to pay attention.
More than three quarters (79%) of respondents in Europe said they now use a framework or regulation such as GDPR to “guide their privacy program”.
64% now have a formal incident response plan embedded within their broader privacy strategies, a figure which ISACA said could be improved upon.
However, nearly half (44%) of respondents said the board views their privacy programs as merely “compliance-driven” and not from a holistic perspective.
ISACA warned this is a “narrow focus” which fails to fully address privacy-related risks, thereby leaving organizations exposed.
“These gaps underline a critical truth: privacy cannot be strengthened solely through controls or checklists,” Dimitriadis commented. “It demands sustained investment in people, governance and culture – and that begins at the top.”
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.