Privacy Teams Lost 37% of Their Staff in One Year—And Half Expect More Cuts

The median privacy team in 2025 had eight people. In 2026, it has five. That is a 37% reduction in the workforce responsible for protecting personal data at organizations worldwide—and according to ISACA's annual State of Privacy survey, half of those remaining teams expect their budgets to shrink even further.

The survey, which gathered responses from more than 1,800 global privacy professionals, paints a picture of a profession under extraordinary pressure at exactly the moment it matters most.

Fewer People, More Threats

The staffing collapse is not evenly distributed. Technical privacy roles—the people who actually implement privacy controls, audit systems, and detect breaches—are the hardest hit. Forty seven percent of respondents say their technical privacy teams are understaffed. Legal and compliance roles are not far behind at 37%.

Meanwhile, 65% of privacy professionals say their jobs are more stressful than five years ago. The top stressor is the rapid evolution of technology, cited by 71% of respondents, up from 63% last year. Compliance challenges follow at 62%, and resource shortages at 61%.

Safia Kazi, ISACA's principal research analyst for privacy, put it bluntly: "The pressing challenges that privacy professionals face in an increasingly complex data privacy threat landscape and regulatory environment underscore how critical it is for organizations to dedicate the necessary resources to support privacy teams in their vital work."

The Budget Problem

Only 22% of respondents expect their privacy budget to increase in the next year, down from 26% in 2025. Meanwhile, 50% anticipate budget decreases within twelve months. Forty three percent report their privacy budget is already underfunded.

The correlation between funding and confidence is stark. Among respondents who lack confidence in their organization's ability to ensure data privacy, 61% believe their budget will decrease. The less money they have, the less confident they become. The less confident they become, the more likely their budget gets cut. It is a vicious cycle.

The Skills Gap

Even when organizations can afford to hire, finding qualified candidates is difficult. Fifty three percent of respondents believe skills gaps exist among current privacy professionals. The most common deficiencies are technical expertise (54%) and experience with different technologies and applications (52%).

Organizations are adapting by training non privacy staff to transition into privacy roles (48%) and increasing reliance on contractors and consultants (36%). More than half of privacy staff have transitioned from entirely different career fields—a sign that dedicated privacy career pipelines remain underdeveloped.

Privacy by Design Is Declining

One of the most concerning trends: privacy by design adoption is falling. Only 58% of organizations always or frequently practice privacy by design, down from 62% in 2025. Half of respondents cite the lack of privacy by design practices as a leading cause of privacy failures, up sharply from 41% the previous year.

Other common failure factors include inadequate training (51%, up from 47%) and data breaches or leakage (44%). Fourteen percent experienced a material privacy breach in the past year, and 19% expect one within the next twelve months—up from 15% in 2025.

Encryption Use Is Dropping

Among the privacy controls tracked by the survey, encryption adoption fell from 73% to 68% year over year. Identity and access management dropped even more sharply, from 75% to 63%. Data security measures remain the most common control at 72%, but the downward trend in other areas suggests organizations are cutting corners under budget pressure.

On the regulatory side, 82% of organizations use privacy frameworks or regulations, with GDPR (51%) and the NIST Privacy Framework (45%) leading adoption. But only 46% feel very or completely confident in their compliance with new privacy laws.

What This Means for You

When privacy teams shrink, the people who catch unauthorized data collection, flag consent violations, and respond to breaches are the ones who disappear. The regulations do not shrink with them.

For individuals, this means the organizations handling your personal data are increasingly understaffed, underfunded, and stressed. The gap between what privacy laws require and what companies can actually deliver is widening. And in that gap, your data is less protected than it was a year ago.