Privacy Staff Shortages Continue Amid Increasing Demand for These Roles, According to New Study

ISACA’s report releasing ahead of Data Privacy Day reveals that confidence in the ability to ensure the privacy of sensitive data is declining

Faced with a web of complex and ever-evolving global data privacy regulations—including new ones that took effect at the year’s start—enterprises must stay compliant and protect the privacy of their data subjects or lose trust and take a hit to their reputation. ISACA’s Privacy in Practice 2023 research report, released ahead of Data Privacy Day on 28 January, finds that enterprises that consistently practice privacy by design reap rewards, but many face challenges getting there because of privacy budgets, staffing and skills gaps.

The survey report—reflecting the insights of 1,890 global respondents who currently work in data privacy or have detailed knowledge of the data privacy function within their organization—examines privacy staffing, organization structure, frameworks and policies, budgets, training, and data breaches.

Marketing Technology News: Samba TV and MiQ Reach Multi-year Commercial Agreement

The ROI of Privacy by Design

The survey found that organizations consistently practicing privacy by design (30 percent, up two points from 2022) are at an advantage. They are one-and-a-half times more likely to be completely or somewhat confident in their organization’s ability to ensure the privacy of its sensitive data (65 percent vs. 40 percent of total respondents) and more likely to see their organization’s privacy strategy aligned with organizational objectives (92 percent vs. 73 percent total).

Additionally, organizations that always practice privacy by design:

• Say their board properly prioritizes privacy (76 percent compared to just 55 percent total)
• Have more employees in privacy roles within their organization (the median privacy staff size is almost twice as large at 19 compared to 10 total) and are more likely to feel that their privacy department is adequately staffed (44 percent vs. 34 percent total).

Privacy Program Obstacles

The ISACA research identified three top obstacles to forming a privacy program:

1. Lack of competent resources (42 percent)
2. Lack of clarity on the mandate, roles, and responsibilities (40 percent)
3. Lack of executive or business support (39 percent)

While more than half of respondents believe that their board of directors adequately prioritizes privacy (55 percent), 22 percent do not, and 20 percent do not know. This suggests that boards have an opportunity to improve their communication about their commitment to privacy efforts. Thirty-eight percent of respondents say that a lack of visibility and influence in the organization is a challenge in forming a privacy program, which may signal a board that does not adequately prioritize privacy.

Privacy budgets also remain underfunded at many organizations, 42 percent of respondents saying their privacy budget is underfunded and only 36 percent citing it as appropriately funded. Just over a third of respondents (34 percent) indicate their privacy budgets will increase in 2023.

While 75 percent of respondents are confident in their organization’s ability to ensure the privacy of its sensitive data, this confidence is declining—down six points from last year.

Marketing Technology News: MarTech Interview with Krishna Subramaniam, Co-founder & CEO at Captiv8

Staffing Shortages, Skills Gaps

When it comes to resources, privacy staff shortages persist and the demand for both technical and legal/compliance roles is expected to increase next year. Technical privacy roles remain more understaffed than legal/compliance roles, with 53 percent of respondents indicating they are somewhat or significantly understaffed, versus 44 percent, respectively. The survey also found that many enterprises have unfilled privacy positions (34 percent saying this is the case for technical privacy roles and 27 percent for legal/compliance roles). Additionally, technical privacy roles (69 percent) are more likely to have increased demand in the next year compared to legal/compliance roles (62 percent).

Most also indicated that the amount of time to fill roles increased or stayed the same as last year, with 76 percent having the most difficulty hiring expert-level privacy professionals. About one in 5 respondents say that less than one quarter of applicants for privacy roles at their enterprises were qualified for those positions.

“Organizations may desire to comply with privacy regulations and build a privacy by design culture, but without a strong team of privacy practitioners, they face significant obstacles to achieving these goals,” says Safia Kazi, ISACA principal, privacy practices. “With the increased need for these privacy practitioners’ technical and legal expertise to keep pace with the regulatory landscape, it is more important than ever to cultivate and train a strong, skilled privacy workforce to meet the demand.”

Taking Action

To fill this skills gap, organizations are training to allow non-privacy staff to move into privacy roles (49 percent) and increasing their usage of contract employees or outside consultants (38 percent).

Respondents cited the most common causes of privacy failures as lack of training (49 percent), data breach (42 percent), and not practicing privacy by design (42 percent). To tackle the most common cause of privacy failures, 85 percent of respondents report that their organization provides privacy awareness training for employees, and 59 percent review and revise privacy awareness training at least annually. Though the metric used most often to measure training effectiveness is the number of employees completing training (65 percent) instead of a decrease in privacy incidents (54 percent), 73 percent believe that privacy training has had a positive impact on privacy awareness in the organization.

“Privacy, like security, is best when it is baked in from the start, not fixed after the fact,” says Anne Toth, trust, privacy and tech policy advisor, and member of the ISACA Digital Trust Advisory Council. “This research underscores and validates what many practitioners know from experience to be true: privacy by design is a smart investment that pays dividends in customer trust.”

Marketing Technology News: Effectively Measuring Email Marketing – A How To