This report provides comprehensive research on the location, performance and significance of privacy governance within organizations. The full report, available only to IAPP members, can be accessed here.

Published: November 2024

Contributors:

Joe Jones

Saz Kanthasamy

Cheryl Saniuk-Heinig

Luke Fischer

Over 80% of privacy professionals have been tasked with an additional responsibility alongside their existing privacy day jobs.

The IAPP's Privacy Governance Report 2024 charts how the efficacy of, and corresponding confidence in, an organization's approach to privacy governance stems from the investment in the hallmarks of privacy as a professional discipline. Those hallmarks — the people, techniques and tools — have scaled, matured and evolved in ways that are resilient and responsive to change. They place the privacy profession and privacy governance in a prominent position to take on broader and heightening responsibilities, spanning artificial intelligence governance, cybersecurity and content moderation to name a few.

Privacy compliance and how organizations aspire to achieve a better compliance posture remain an ongoing focus for most organizations. Almost all organizations process personal data in some form or another to deliver their business objectives, from small organizations solely processing personal data of a few employees to large multinational organizations processing vast quantities of sensitive personal data every minute to deliver tailored services to consumers.

Developments in recent years have only highlighted the importance of the privacy profession due to the need for better compliance practices to protect individual rights when personal data is being processed effectively and for appropriate responses in the aftermath of various data breaches or ongoing technological developments. Privacy pros increasingly play an important role in enabling their respective organizations to deliver on core business objectives and remain competitive going forward.

However, privacy pros are no longer solely focused on a narrow remit. Increasingly, organizations are looking at these professionals to address the complex environment both internally and externally. As a result, privacy pros are increasingly tasked with additional responsibilities. This year's survey found the vast majority have been asked to take on further responsibilities on top of their day-to-day jobs. Existing C-suite leaders of specific domains are seeing their personal obligations expanded and elevated. For example, among surveyed chief privacy officers, 69% have acquired additional responsibility for AI governance, 69% for data governance and ethics, 37% for cybersecurity regulatory compliance, and 20% for platform liability.

The expanding remit for CPOs

This trend continues at the team level, with more than 80% of privacy teams gaining responsibilities beyond privacy. At 55%, more than one in two privacy pros work in functions with AI governance responsibilities, at 58%, more than one in two have picked up data governance and data ethics, at 32%, almost one in three cover cybersecurity regulatory compliance, and, at 19%, nearly one in five have platform liability responsibilities.

Privacy pros globally and across organizations of various sizes and industries have more on their plates. This is driven by several factors that introduce increasing complexities in the broader environment. Factors include growing complexity in law, policy and the regulatory environment; more consequential enforcement; growing use of more complex technologies; increased workload due to privacy requests; the need to address ongoing and new challenges; managing and responding to data breaches; and increasingly, boards looking for privacy pros to help deliver broader organizational compliance activities.

Has your privacy function
acquired additional responsibility?

Organizations have responded to this growing complexity with increased privacy budgets and more senior privacy leaders in charge of growing privacy teams. Additionally, they prioritize limited resources on the right strategic compliance priorities, focusing on privacy training, establishing mature privacy risk management approaches and utilizing technology to enable and support compliance when possible.

Respondents described how satisfactory their organizations' budgets are with respect to privacy obligations. Notably, only four in 10 respondents who said their organizations' budget was less than sufficient had above-median privacy budgets. Meanwhile, more than half of those who said their budget was at least sufficient had above-median privacy budgets.

Sufficiency of privacy budget with
respect to privacy obligations

A prominent result from this year's survey was the acquisition of new responsibilities in AI governance and digital governance. The privacy function rarely sees stagnation due to the vibrancy, diversity and complexity of the field. Although privacy pros are reporting new responsibilities and facing complex challenges, confidence levels in privacy compliance remain relatively stable.

This report seeks to explore these complexities, the impact on compliance and resulting organizational responses in greater detail.

What's in the full report?

The full report, which is only available to IAPP members, contains sections covering the below topics:

Additional resources