Privacy in Practice 2022

Privacy in Practice 2022 reports the results of the ISACA® global State of Privacy Survey, conducted in the third quarter of 2021. This report focuses on the composition of privacy teams, the privacy workforce, privacy-related challenges and privacy by design. Some survey findings align with last year’s findings, such as technical privacy roles are harder to fill than legal/compliance privacy roles. Other findings provide new insights on the privacy-related challenges that enterprises face and the creative strategies they employ to mitigate those challenges.

Executive Summary

Privacy in Practice 2022 examines enterprise privacy teams, the privacy workforce, privacy-related challenges, privacy by design and the future of privacy, based on results of the ISACA global State of Privacy Survey, conducted in the third quarter of 2021. The data that an enterprise collects about its data subjects have the potential to reveal a great amount of personal information. In an age when 2.5 quintillion bytes of data are created daily11 and digital trust is becoming paramount, enterprises that demonstrate they protect data and preserve user privacy can gain a considerable competitive advantage. This paper reports on the state of enterprise privacy.

Key Findings

The following are key survey findings:

• Technical privacy teams are more understaffed than legal/compliance privacy teams.
• Technical privacy positions take longer to fill than legal/compliance roles.
• The demand for privacy professionals is expected to increase over the next year, with the demand for technical privacy roles increasing more than the demand for legal/compliance roles.
• Technical experience continues to be the biggest skill gap among privacy professionals.
• Most boards of directors adequately prioritize privacy, and most enterprise privacy strategies align with organizational objectives.
• The likelihood of privacy budgets decreasing in the next 12 months is low—many survey respondents believe that their privacy budgets will increase.
• A lack of privacy training is identified as a common privacy failure.
• Enterprises that practice privacy by design are more likely to:
  • Appropriately staff their technical privacy department
  • Have a board of directors that prioritizes enterprise privacy
  • Align their privacy strategy with organizational objectives
  • Be completely confident in the ability of their privacy team to ensure data privacy and achieve compliance with new privacy laws and regulations
  • Use the number of privacy incidents as a metric to assess effectiveness of privacy training
  • Mandate documented privacy policies, procedures and standards