Data protection teams shrinking amid budget cuts and increased pressure

New research by ISACA in its State of Privacy 2026 report indicates that data protection practitioners are facing intensified pressure to safeguard personal information amid a volatile technology landscape driven by artificial intelligence (AI). Based on insights from over 1,800 global professionals, the report highlights a concerning trend of shrinking data protection teams, with the median number of staff dropping from 8 to 5 in just 1 year. Technical privacy roles are particularly affected, with 47% of organisations understaffed in critical expertise, which 54% rank as the leading privacy skills shortage.

The complex international regulatory environment remains a significant challenge, with many practitioners identifying a lack of understanding of global data protection laws as one of the top three privacy skills gaps. Despite these challenges, the EU General Data Protection Regulation (GDPR) continues to serve as a foundational framework. However, the report reveals a disconnect between board-level recognition and actual resource allocation. While 56% of directors claim to adequately prioritise data protection, half of respondents anticipate budget cuts over the next 12 months, compared with only 22% expecting an increase. The report identifies that the correlation between budget cuts and diminished confidence suggests that without adequate investment, organisations may struggle to remain compliant within the evolving global patchwork of data protection requirements.

The adoption of AI within data protection functions remains slow, with only 13% of professionals currently using AI tools. However, a further 38% plan to integrate AI within the next 12 months, suggesting that practitioners are cautious about the associated risks. Furthermore, the report finds that AI is not seen as a solution to persistent resource shortages or a lack of technical expertise. 

Training Announcement: The IAPP Certified Information Privacy Technologist (CIPT) is a privacy-focused professional IT certificate from the IAPP that addresses data protection requirements and controls within complex technological environments. It explores the data lifecycle, privacy risk models and frameworks, the principles of Privacy by Design, and the role of privacy-enhancing technologies within the organisation. Find out more.