European professionals show low confidence in data privacy

The latest research from ISACA reveals that confidence in privacy measures among European professionals remains relatively low.

The report shows that only 38% of European professionals trust their organisation's ability to protect sensitive data adequately. This figure, which reflects a critical concern about data protection, is indicative of challenges faced in meeting compliance with regulations such as GDPR, the Digital Services Act, and the AI Act.

ISACA's research highlights that a considerable number of privacy professionals feel that their organisations do not allocate sufficient resources to privacy efforts. In 2025, 45% of professionals express concerns about their organisation's privacy budget being underfunded, a rise from 41% in 2024. Furthermore, 54% anticipate further budget reductions in the coming year.

Staffing levels in technical privacy teams are another issue, with 52% reporting understaffing, only slightly better than the 53% reported in 2024. Additionally, 37% of organisations continue to struggle with retaining qualified privacy personnel.

Chris Dimitriadis, ISACA's Global Chief Strategy Officer, commented on the evolving challenges. "As the threat landscape continues to evolve in complexity, privacy is becoming a sector which is increasingly difficult to operate in, but also more critical," he stated. Dimitriadis also noted that increasing stress levels among privacy professionals are compounded by insufficient funding, which could threaten long-term organisational security.

Organisations prioritising Privacy by Design report more positive outcomes. Among these organisations, 43% say their technical privacy teams are adequately staffed, compared to 33% among those that do not apply this practice. Additionally, a decrease in privacy skills gaps correlates with these practices. 56% of organisations practicing Privacy by Design report reduced skills gaps by retraining non-privacy staff, compared to 44% among others.

Skill gaps noted by European organisations focus on experience with diverse technology and application types (62%), technical expertise (49%), and IT operations (45%). To address these gaps, 47% of organisations offer training for non-privacy staff interested in transitioning to privacy roles.

ISACA's participants overwhelmingly considered compliance and legal experience crucial for evaluating privacy candidates, with 95% supporting this view. Credentials were deemed important by 89%, while only 54% considered a university degree necessary.

Dimitriadis emphasised the importance of a comprehensive approach: "Practicing Privacy by Design and embedding privacy across an entire enterprise is key to long-term data protection. Such a comprehensive approach fosters trust with stakeholders and safeguards against ever-evolving threats – but this isn't possible without skilled privacy teams who feel prepared and able to drive privacy practices from a technology, business and compliance point of view."

He further added that training in emerging technologies and privacy-enhancing methods is essential. "Providing training and continuous support for privacy staff on emerging technologies, privacy-enhancing technologies, and cybersecurity and data protection architectures on top of legal compliance knowledge is essential for managing their stress and maintaining organisational resilience," Dimitriadis concluded.