In recent years the privacy function has been propelled to prominence. Supported by the advent of major legislative reform and increased regulatory scrutiny, organizations have responded by deploying and expanding dedicated privacy programs and functions. No longer is privacy a subset of information security, legal or ethics but a professional discipline in its own right, requiring time and effort from dedicated privacy professionals across the globe.

However, privacy pros continue to face several challenges. A growing alphabet soup of new laws, policies and guidelines keeps us on our toes. New and emerging technologies introduce new risks through novel processing of personal data. At the same time, economic headwinds continue to challenge and increased awareness by individuals of their rights to privacy highlight the need for privacy pros to stay nimble.

The important role good privacy governance can play in supporting privacy pros as they address these challenges cannot therefore be dismissed. As we look ahead to analyzing results from this year's soon-to-close IAPP-EY 2023 Privacy Governance Survey, we take a look back at key data points from past surveys and potential challenges for privacy pros to be aware of.

Take the 2023 IAPP-EY Privacy Governance Survey
The 2023 survey focuses on surging topics in the privacy world, such as the relationship between the privacy function and artificial intelligence governance and the use of emerging privacy-enhancing technologies.
Click here to take survey

Compliance challenges

Alongside the regulatory alphabet soup, managing emerging risks, budgetary pressures and compliance with applicable regulations continue to present a challenge for organizations. Three years after it became applicable, our 2021 survey showed how just under four in 10 respondents reported being at best moderately compliant with the EU General Data Protection Regulation. While that improves upon the six in 10 that predicted they would at best be partially compliant when the GDPR came into force in May 2018, it highlights the challenge of maintaining sustainable compliance in the face of internal and external changes. Importantly, that was against a backdrop of one law. Today there are dozens of GDPR-like laws, dozens more privacy laws being enacted (in the U.S. alone, there are currently ten comprehensive state privacy laws) and many more laws with privacy elements.

Financial pressures

While it is challenging to compare average budgets for privacy compliance across years without baselining for differences in sample sizes, currency fluctuations and other economic factors, some conclusions can be drawn. Since 2015 most respondents have highlighted that the budget allocated to privacy is insufficient to meet their obligations. This also highlights how privacy pros continue to need to manage the opportunity costs of action. Competing priorities must be prioritized and reevaluated. Luckily a number of organizations identified this, with almost two-thirds of respondents in 2022 considerably aligning their privacy strategies to broader corporate strategy, reducing the likelihood of wasted efforts on low priority endeavors. For those organizations yet to obtain appropriate alignment, now may be the best time to understand your existing compliance posture and exposure to privacy risks, align with broader company strategy, and benchmark your efforts against comparable peers.

Limited resources

The privacy profession continues to grow, and privacy pros continue to be rewarded for their efforts. This year's IAPP-TRU 2023 Privacy Professionals Salary highlighted how those working in internal privacy roles had increases of 10% in average base salary from 2019. The salary survey also identified that while respondents were overwhelmingly satisfied with their current roles, with 86% reporting they were satisfied, 72% of respondents would move jobs for a pay increase. Organizations may therefore need to work hard to keep existing employees while also facing challenges in recruiting for open roles. Indeed, in 2022, six in 10 respondents identified that the limited availability of resources hinders their ability to deliver on objectives, and one in three identified that salary costs specifically impact the ability to recruit. Salary and benefits continue to make up the vast majority of privacy spending, at least 50% across organizations surveyed since 2019, dwarfing the next biggest spend category of technology and tooling, around 10% of the privacy budget, and other spend areas such as professional development, outside counsel, consulting services and internal training. This suggests organizations may face challenges in trying to find room in existing budgets for more spending on salary and benefits without the loss of other critical components of a successful privacy function.

Balancing competing priorities

The workload facing privacy pros is as diverse as it is vast, from managing data subject rights and privacy training requirements to grappling with new regulatory requirements and risks presented by new and novel personal data processing by emerging technologies. The need to manage competing priorities cannot therefore be ignored. This year's IAPP-KPMG Privacy Risk Study identified that, while 93% of surveyed organizations identified privacy as a top-10 organizational risk, only 50% established a privacy risk appetite to support them in defining the target and acceptable privacy risk positions while pursuing broader corporate strategic objectives. It is clear that organizations face a number of competing priorities. In 2022, respondents highlighted how international transfers, privacy by design, data deletion, governance and operating models, and incident management all featured in the top five strategic privacy priorities. Given the financial pressures and limited resources available, it is likely organizations that take a risk-based approaches to these vast topics are able to manage their risk exposures better than those that do not.

Ongoing risk assessments that are part of a broader enterprise risk management approach can help organizations understand and manage their risk exposures. In the current environment, it is difficult to discuss privacy without mentioning AI. Indeed, the 2019 governance survey sought to understand whether or not organizations were exploring AI risk management. Findings suggested 36% of respondents did not perceive AI as a unique risk factor presently, with four in 10 using standard privacy risk assessment practices to assess AI related privacy risks, and only 6% having developed AI-specific privacy safeguards or guidelines. Times have changed. Fast forward to the start of 2023, the IAPP-FTI Privacy and Governance report identified that 50% of surveyed organizations building new AI governance approaches are building responsible AI governance on top of existing, mature privacy programs. In this year's survey, and in light of the velocity behind the development and integration of AI technologies, matched by the speed at which AI governance initiatives are being pursued, we again look forward to understanding how privacy pros and their organizations are responding to this challenge.

The importance of data driven reporting

How might privacy pros consider highlighting the burden of a limited budget, and ensure their voices are heard alongside other functions asking the same question? One strategy pursued by the majority appears to be the implementation of metrics to support reporting. In 2022, 72% of those surveyed implemented privacy metrics to provide organization leadership with information on performance, and 61% did so to help inform strategic privacy planning activities. These organizations may therefore be in a better position the one in five respondents yet to implement metrics to use quantifiable data to demonstrate the need for additional budget. Even then, with 46% of surveyed respondents relying on manual processes to collect privacy metrics, there may be some room for growth to improve the rigor of data driven privacy compliance reporting.

Conclusion

The role of the privacy pro continues to evolve, from working in vast programs following the adoption of privacy regulations to maturing their privacy functions for sustainable compliance with privacy requirements, and increasingly operating alongside others in the fluid interdisciplinary approach now required to privacy compliance. Privacy pros aren't alone, and solace may be taken in the challenges faced by others and the lessons learned to meet those challenges.

To support this, as we have since 2015, the IAPP continues to run its annual privacy governance survey. Please consider completing the survey before 5 July 2023, and share your expertise so we can deliver more tailored insights, allow others to benchmark their privacy functions, learn from good practices and help privacy pros improve the industry as a whole.