Jun 22, 2026 · 5 min read

ISACA State of Privacy 2026: Five Key Findings

ISACA surveyed more than 1,800 global privacy professionals for its State of Privacy 2026 report and found an industry under sustained pressure: shrinking teams, widening skills gaps, minimal AI adoption, and a growing disconnect between board-level confidence in privacy programs and the budget decisions that undermine them.

The ISACA State of Privacy series is one of the few annual studies that samples the practitioner layer of privacy programs — the professionals actually running privacy reviews, managing consent frameworks, and responding to regulatory inquiries — rather than surveying executives who may have limited visibility into operational realities. The 2026 edition, covering responses from more than 1,800 professionals worldwide, presents a picture of a function being asked to do more with less, navigating increasingly complex regulations without adequate technical depth, and facing a 50-50 split on whether their budget will shrink in the year ahead.

Key Takeaways

  • The median privacy team shrank from 8 to 5 employees in a single year, with technical privacy roles disproportionately affected.
  • Technical expertise is the #1 skills gap at 54%, meaning the roles most critical for implementing privacy controls are precisely the ones hardest to fill or retain.
  • Only 13% of privacy functions currently use AI tools, while 38% plan adoption within 12 months — but ISACA cautions that AI "is not a panacea for challenges with prioritization or resource shortages."
  • 50% of respondents anticipate privacy budget decreases within the next 12 months, a figure that correlates strongly with the 61% who report lacking confidence in their privacy assurance processes.
  • 56% say their boards adequately prioritize privacy, but only 22% expect budget increases — a gap that suggests either that boards are defining "adequate" differently than practitioners are, or that privacy is treated as a reputational talking point rather than a funded operational priority.

Finding 1: Privacy Teams Are Shrinking

The median privacy team size dropped from 8 employees to 5 in a single year — a 37.5% reduction. This contraction disproportionately affects technical privacy roles, which were already the hardest to staff. The report does not specify whether these reductions are the result of layoffs, budget freezes, attrition without backfill, or organizational restructuring, but the practical effect is the same: fewer people covering the same or expanded regulatory surface area.

Practitioners in the survey report rising stress levels as a direct consequence, which has its own secondary effect: a stressed, understaffed privacy function is more likely to take shortcuts on program activities — conducting fewer privacy impact assessments, deferring vendor reviews, relying on self-certification where verification is warranted — that in turn increase organizational risk. The downsizing trend tracks with broader tech industry cost-cutting that has hit compliance and governance functions harder than product and engineering.

Finding 2: Regulatory Complexity Is Outpacing Expertise

Understanding laws and regulations ranks among the top three skills gaps identified by survey respondents, while navigating the complex international legal landscape is cited as the second most common privacy program obstacle. GDPR remains the most commonly referenced regulatory framework, but the global patchwork of state, national, and sector-specific privacy laws — US state privacy laws in Connecticut, Virginia, Colorado, and Texas; Brazil's LGPD; India's DPDPA; and ongoing APEC cross-border transfer frameworks — means that expertise in any single jurisdiction is not sufficient for organizations operating internationally.

This is compounded by a legislative acceleration problem: in 2025 alone, more than 15 US states passed or amended privacy legislation, with enforcement timelines of 12–24 months. Privacy teams that were already thin going into 2026 are being asked to map new legal requirements, update data inventories, revise contractual frameworks, and document consent workflows across an expanding set of jurisdictions. The skills gap data suggests that many teams are doing this work without the legal expertise to do it reliably.

Finding 3: AI Adoption Is Slow and Cautious

Only 13% of privacy functions currently use AI tools in their work. An additional 38% say they plan to adopt AI within the next 12 months, which would represent a significant acceleration if realized — but ISACA's own commentary adds a note of caution: "AI tools, although helpful, are not a panacea for challenges with prioritization or resource shortages." This is relevant context because a common argument for privacy team downsizing is that AI tooling will absorb the workload gap. The survey data suggests practitioners are not yet experiencing that substitution.

Current AI adoption in privacy functions tends to cluster around document classification and review (helping identify PII in large datasets), consent management automation, and privacy notice generation. The more judgment-intensive activities — risk assessments, regulatory interpretation, breach response decisions — remain human-dependent and are precisely the activities that require the technical expertise that the survey identifies as the field's primary gap.

Finding 4: Technical Expertise Is the Critical Gap

Technical expertise is the top-ranked skills gap at 54%, followed closely by experience with technologies and applications at 52%. Nearly half of respondents (47%) report that technical privacy roles on their teams are understaffed. The dominant mitigation strategy being pursued is training non-privacy staff — often legal or compliance generalists — to transition into privacy roles, rather than hiring net-new technical privacy specialists.

This matters because technical privacy work is qualitatively different from policy or legal privacy work. Reviewing a data processing agreement requires legal expertise. Conducting a software architecture review to identify where PII flows through a microservices environment, evaluating whether a new third-party SDK is data-exfiltrating, or configuring consent management platforms to correctly honor granular consent signals — these require technical skills that legal-to-privacy transition paths do not readily supply. Organizations relying on this mitigation strategy are likely underestimating the quality gap between their current and needed technical capacity.

Finding 5: Board Confidence Does Not Equal Budget

The most structurally revealing finding is the gap between stated board prioritization and actual budget decisions. 56% of respondents say their boards adequately prioritize privacy — a number that, on its face, suggests reasonable executive alignment. But set against that: only 22% expect privacy budget increases next year, while 50% anticipate budget decreases within 12 months. The 61% who report lacking confidence in their privacy assurance processes correlate heavily with those anticipating budget cuts.

This pattern — "we take privacy seriously" paired with "we are cutting the privacy budget" — is familiar from other compliance domains and typically reflects a specific kind of organizational risk tolerance: treating compliance functions as insurance against enforcement rather than as genuine operational risk management. The logic is that if no enforcement action is imminent, the cost of reducing privacy staffing is near zero in the short term. The 2026 regulatory environment, with enforcement agencies in the EU, UK, and US all showing increased willingness to act on complaints and audits, is beginning to stress-test that assumption.

What the Data Means for Privacy Programs in 2026

Taken together, the ISACA findings describe a field at an inflection point. Privacy programs built during the GDPR compliance wave of 2018–2020 — typically headcount-heavy, documentation-intensive, and organized around single-regulation frameworks — are being squeezed by both budget pressure and regulatory expansion. The teams doing this work are smaller, less technically equipped, and uncertain about whether AI tooling will deliver the efficiency gains needed to bridge the gap.

The report's implicit recommendation — increase technical privacy staffing, invest in AI tools with realistic expectations, and close the gap between board statements and budget decisions — is straightforward enough. The harder organizational question is whether privacy functions can make the case for resource investment before an enforcement action or breach forces that conversation. The data suggests that, for half of the organizations surveyed, that conversation is still being deferred.

Source: ISACA Now Blog: Five Key Findings from ISACA State of Privacy 2026 Report.