Boards continue to under-prioritise privacy as teams face funding cuts, staffing shortages and mounting regulatory pressure
London—Privacy teams are being asked to manage growing risk with fewer resources, according to new research from ISACA, the leading global professional association helping individuals and organisations in their pursuit of digital trust. Despite accelerating privacy threats and regulatory demands, more than four in ten (44%) privacy professionals in Europe say their teams are underfunded, while over half (54%) expect privacy budgets to decrease further in 2026.
In a region with one of the world’s most mature privacy regulatory environments, underinvestment is already having tangible consequences. Nearly four in ten (39%) of legal privacy roles and over half (51%) of technical privacy roles in Europe report being understaffed, and more than a quarter (26%) of privacy professionals believe their organisation is likely to experience a material privacy breach within the next year. Together, these findings highlight a growing contradiction for European organisations: privacy risk and regulatory expectations continue to rise, while investment in people and resources is being scaled back.
Yet board-level attention remains inconsistent. More than a quarter (26%) of European respondents say their board of directors is failing to adequately prioritise privacy, even as risks continue to intensify.
Chris Dimitriadis, Global Chief Strategy Officer at ISACA, said, “Privacy teams are being asked to manage more risk with fewer resources, and the strain is beginning to show. As organisations adopt new technologies at speed, the volume and complexity of privacy obligations grow in parallel – yet many teams are still operating without the staffing, funding or training they need to keep pace.
“When boards underestimate privacy, they underestimate a fundamental pillar of digital trust. A single privacy breach can erode years of brand equity, damage customer relationships and trigger significant regulatory consequences. Prioritising privacy is not simply a compliance requirement; it is a business imperative.”
These pressures are mounting at a time when risks are accelerating. Nearly half (49%) of professionals say managing the risks associated with new technologies is a major obstacle to their privacy programmes. The human impact is equally stark: 67% say their job is more stressful now than five years ago, with respondents pointing to the rapid pace of technological change (68%) and compliance challenges (64%) as key drivers.
Regulatory complexity is compounding these challenges. Over a fifth (22%) of privacy professionals in Europe say their organisation struggles to identify and understand its privacy obligations, while more than half (51%) point to the complexity of international laws and regulations as a key barrier. Confidence in future readiness is low, with just 8% of respondents completely confident in their organisation’s ability to comply with new and emerging privacy laws.
While regulation is helping to elevate privacy discussions at board level – with 44% of professionals saying their board views the privacy programme as compliance-driven – a narrow focus on compliance alone leaves organisations exposed. True resilience requires boards to see privacy as a strategic and ethical priority.
Dimitriadis continues: “These gaps underline a critical truth: privacy cannot be strengthened solely through controls or checklists, even with the help of AI. It demands sustained investment in people, governance and culture – and that begins at the top.
“Boards must treat privacy as a strategic driver of trust, resilience and competitive advantage, not just a compliance checkbox. When organisations equip their privacy teams with the skills, resources and authority they need, they are not just reducing risk – they are preparing their business for the next wave of regulatory and technological change. By investing in training and professional development today, leaders can build a foundation of privacy resilience that is ready for the evolving landscape.”
Many organisations are taking positive steps, with 79% in Europe using a framework or regulation, most commonly GDPR, to guide their privacy programme, and a majority implementing controls such as data security (71%) and encryption (73%).
However, critical gaps remain. Only 64% of European organisations have a formal incident response plan as part of their privacy controls, leaving more than a third unprepared to respond effectively to privacy incidents. Retention is also a growing concern, with 34% reporting difficulty keeping qualified privacy professionals, and 45% citing a lack of training or poor training as a key contributor to privacy failures.
As privacy risks continue to rise, ISACA warns that failing to invest now could leave organisations increasingly vulnerable in the years ahead.
Notes to Editors
All figures are based on fieldwork conducted by ISACA in September 2025 amongst 1,854 global respondents working in privacy, of whom 485 are located in Europe.
About ISACA
ISACA® (www.isaca.org) is a global community advancing individuals and organizations in their pursuit of digital trust. For more than 50 years, ISACA has equipped individuals and enterprises with the knowledge, credentials, education, training and community to progress their careers, transform their organizations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organization that leverages the expertise of its 180,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. It has a presence in 188 countries, including 225 chapters worldwide. Through the ISACA Foundation, ISACA supports IT education and career pathways for underresourced and underrepresented populations.
Contact:
firstlight group
Layla Angell, +44 7960 079 643, 020 3617 7240, isacateam@firstlightgroup.io
ISACA
Esther Almendros, +34 692 669 772, ealmendros@isaca.org