The privacy landscape is developing rapidly with new laws, maturing enforcement and shifting industry trends. Alongside this, the swift adoption and integration of new technologies, and their ubiquities, have permanently altered the world — not just the privacy world — as we know it. Compliance and good governance are now critically important and co-dependent. Further complicating these challenges are fiscal and organizational constraints, such as limited resourcing and budget restrictions, which then further complicate an organization's ability to deal with rapidly increasing compliance burdens.  

To provide a clearer picture of the compliance environment across organizations and a better understanding of how organizations address these burdens, the IAPP has launched the 2024 IAPP Governance Survey to collect more data on organizations' governance and compliance behaviors. We encourage you to complete the survey so we can provide accurate and insightful perspectives to the community in 2024. For the first time, this year's survey spans the governance of privacy and data protection, artificial intelligence, and broader digital risk domains.

Compliance challenges in the current landscape

Given the increasingly complex environment of legislation, policy and technology developments, compliance challenges persist within organizations and are set to be tested further. In the U.S., the privacy legislative landscape is surging as new state privacy bills are steadily passed. Since 2023, nine comprehensive laws have been enacted, including in large economies such as Texas and New Jersey. This brings the number of states with fully operative or soon-to-be-effective comprehensive privacy legislation to 13.

The global landscape is similarly in flux. Not only is the sheer volume of national privacy laws soaring around the world — including in India and Nigeria — but the requirements within each law are also evolving and taking different forms. Since the EU General Data Protection Regulation went into effect, a number of non-EU countries passed national privacy laws mirroring it, a phenomenon representative of the "Brussels effect." More recently, countries, including Australia and the U.K., have begun to consider the lived experiences of the GDPR when framing national legislation, creating new requirements that reflect the societal changes that have occurred since the GDPR was enacted. Organizations operating across jurisdictions are increasingly subject to varying obligations from a plethora of new, distinctive data protection and privacy laws.

Legislative developments are not the only challenges burdening compliance. New technologies, including the proliferation of AI and the implications of its widespread use, impose further obligations on organizations. Alongside that, the EU AI Act will inevitably create more requirements for businesses and entities. Additionally, the electoral landscape in the U.S., the U.K. and India adds to compliance complexities. All things considered, the compliance burden is only set to increase going forward.

Compliance challenges within organizations

Notably, compliance was a challenge for organizations even before it was exacerbated by recent developments in the privacy landscape, as evidenced by the responses from our previous governance surveys. In our 2018 report, six in 10 respondents predicted partial compliance with the GDPR at best by May 2018, when it entered into force. In 2021, three years after the GDPR went into force, just over 50% of respondents rated themselves as "very or fully compliant" with the law. In 2023, while two in 10 respondents said they were totally confident in their organization's ability to comply with various privacy regulatory requirements, one in 10 said they were not at all confident. Thus, over half a decade after the GDPR went into effect as a major comprehensive privacy law, confidence in achieving compliance with the law remains mixed among organizations.

Some of this data can be explained by a lack of resources and budget constraints that further stretch the compliance expectations placed on privacy professionals. For instance, 63% of respondents from last year's report agreed the limited availability of resources within their organization impacts its ability to deliver on privacy objectives. Notably, respondents who said they were not at all confident in their organization's ability to remain compliant with privacy obligations were more likely to find its resourcing insufficient to meet objectives. Conversely, those who were totally confident in compliance were more likely to disagree and say the limited availability of the right privacy skills or resources did not limit their organization's ability to deliver on objectives.

Another challenge is the scale at which organizations respond to privacy obligations. Many privacy teams are developing and maintaining a global approach in response to global developments. Six in 10 respondents identified their organization takes a global approach that implements heightened or reduced regulatory requirements when certain jurisdictions allow them. This type of approach may require privacy teams to allocate significant efforts toward conducting consistent horizon scanning, stretching thin organizations that work with smaller budgets and privacy teams that are not allocated sufficient resources to tackle global developments. These internal challenges place organizations in a vulnerable position from a compliance standpoint when they are forced to respond to the external burdens emerging from the evolving privacy landscape.

IAPP efforts toward transparency

Each year, we ask individuals globally to complete our governance survey in order to gather information on how privacy teams function within organizations and help privacy pros understand the different ways privacy compliance activities are conducted across the industry. As the survey expands to further our research on the governance of privacy, AI and broader digital risk domains, we focus our attention on providing visibility through information sharing. The metrics we collect, compile and report on bring transparency to organizational practices, offering professionals the chance to benchmark against their peers.

2024 IAPP Governance Survey

This year, the governance survey and report will focus on uncovering what organizations are responding to and how, beyond privacy and into broader digital domains. Some of the main topics we will explore include:

• Privacy governance operations, staffing and resourcing: Privacy has evolved to become an interdisciplinary profession and function, reflecting changing technology, new regulations and the growing sentiment that privacy is critical to any data-driven enterprise. This advancement in the profession requires a shift in where privacy sits within organizations, how and by whom it is staffed, and what proportion of company resources is allocated to privacy operations. We hope to better understand how organizations have restructured governance to respond to the increasing importance of privacy's impact.   
• AI governance: The proliferation of AI has forced nearly every organization in the digital domain to consider how to handle the implications of its widespread use, likely requiring a shift in governance. With the introduction of new laws like the EU AI Act, teams are quickly trying to implement new requirements while still grappling with existing risk and compliance challenges. Our data should reveal the extent to which organizations are reshaping governance to account for developments in AI and where its governance sits within their organizational structure.
• Digital governance: The broader gamut of digital risk and governance — from content moderation, consumer protection and intellectual property — are rapidly rising in prominence on risk registers. While privacy and cyber have become well defined within organizational structures, other emerging and manifesting domains of digital risk do not always fall neatly within a singular bucket. Our hope is that revealing how other organizations address emerging digital concerns helps professionals who are tackling these topics reshape their digital governance structure.
• Metrics: Another important topic we explore is the change in how organizations consider and leverage metrics. We are looking to uncover the number of data subject requests received and closed, privacy complaints received, trainings delivered, and privacy and transfer impact assessments completed. These statistics might help illuminate how, for instance, a company that receives thousands of data subject access requests per year structures its privacy operations differently from an organization that receives very few. We hope compiling these high-level comparisons demonstrates the distinct ways governance may be structured within organizations of different sizes and capacities.
• Risk and incident management: Our survey looks to identify the extent to which organizations experience material privacy breaches, the key challenges for privacy pros with breach identification and containment, the extent to which organizations maintain incident response plans and the impact of data breaches on organizations. We hope such metrics reveal the correlation between action, or inaction, and the likelihood of security breaches. For instance, we may look to see whether an organization that reviews its privacy strategy regularly or has privacy impact assessments fully embedded within its organization has a lower chance of experiencing more incidents.

Our previous governance surveys have provided valuable insights for privacy pros and the community. Completing this year's survey will help us help the community by providing a better understanding of the way organizations are grappling with emerging challenges in today's complex landscape.