Privacy professionals feel more stressed than ever

Despite progress made in privacy staffing and strategy alignment, privacy professionals are feeling increasingly stressed on the job within a complex compliance and risk landscape, according to new research from ISACA.

Top three obstacles facing privacy programs

ISACA’s State of Privacy 2025 survey report, reflecting insights from more than 1,600 global professionals worldwide, found that 63% of privacy professionals say their role is more stressful now than it was five years ago, with 34% indicating it is significantly more stressful.

They cite the main causes of this stress as the rapid evolution of technology (63%), compliance challenges (61%) and resource shortages (59%).

These findings align with what respondents cited as the top three obstacles facing privacy programs:

• Complex international legal and regulatory landscape (38%)
• Lack of competent resources (37%)
• Management of risks related to new technologies (36%)

When it comes to resources, 43% indicate their privacy budget is underfunded, and 48% expect a budget decrease in the next year. Regarding staff, respondents are finding it tough to hire expert-level privacy professionals, with 73% indicating they are the most difficult privacy employees to hire.

Most common privacy failures

Respondents also provided insights into their most common privacy failures, listing lack of training or poor training (47%), data breaches (42%), and not practicing privacy by design (41%) in the top three.

“In an complex international regulatory environment, often with lackluster resources, it is understandable that many privacy professionals are feeling strain from their efforts to stay compliant and keep their organizations’ data safe,” says Niel Harper, ISACA board vice chair and CISO & Data Protection Officer at Doodle.

“Addressing these challenges and getting practitioners the support they need will be vital to not only ensure a healthy privacy workforce, but also to maintain data integrity and security, and avoid potential harm to data subjects,” added Harper.

In spite of these challenges, the research revealed some encouraging findings as well. While the median privacy staff size declined slightly from the previous year (eight this year compared to nine the prior), fewer survey respondents reported that their privacy teams are understaffed. This includes technical privacy roles—with understaffing reported at 54% in 2024 compared to 46% in 2025—and legal/compliance roles—with understaffing reported at 44% in 2024 compared to 38% in 2025.

Additionally, 74% of respondents report privacy strategy is aligned with organizational objectives, and 57% believe the board of directors has adequately prioritized their organization’s privacy.

Enterprises are taking compliance seriously, with 82% of respondents indicating they use a framework or law/regulation to manage privacy, and 68% saying it is mandatory to address privacy with documented policies and procedures.

Most respondents also do not believe they are experiencing more privacy breaches this year compared to last year, and 29% believe it is unlikely they will experience a material privacy breach in the next 12 months.

Privacy by design sets enterprises apart

The survey findings, as in past years, indicate that practicing privacy by design sets enterprises apart. 67% of respondents indicate that they practice privacy by design when building new applications and services. The survey found that enterprises that always practice privacy by design are more likely to:

• Have high confidence in their privacy teams (68% versus 41% total)
• Believe their technical privacy area is appropriately staffed (50% versus 40% total)
• Have decreased privacy skills gaps by training non-privacy staff for privacy roles (57% versus 48% total)
• Believe their boards of directors prioritize privacy (80% versus 57% total)

More respondents also reported using AI for privacy-related tasks this year (11%) than last year (8%). Additionally, 36% of respondents say they plan to use AI for this purpose in the next 12 months, compared to 28% who said the same last year.

The use of AI for this purpose was also found to be higher in enterprises that were not purely compliance-driven, with 14% of those in enterprises with boards that viewed privacy ethically or as a competitive advantage using AI for privacy-related tasks, compared with 9% from enterprises with boards that view privacy programs as compliance-driven.

This use of AI was also higher among enterprises that regularly practice privacy by design, with 18% of those who indicate they always practice privacy by design reporting that they are using AI for privacy work.