The full version of this report, available only to IAPP members, can be accessed here.

Published: November 2022View Executive Summary (PDF)View Full Report (Members-Only)

In this year’s IAPP-EY governance survey report we go back to the foundations of governance, seeking to explore “the way that organizations are managed, and the systems for doing this,” with a view to shedding light on the question senior executives routinely ask chief privacy officers: “What should a privacy function look like in 2022 and beyond?”

This year’s research focused on five key foundational areas of governance:

• Governance and operating model: The organizational structures, roles and responsibilities for managing the collection, use, retention, disclosure and disposal of personal data.
• Privacy strategy and planning: The activities undertaken by the privacy office to determine the strategic direction of the privacy office and its associated planning activities.
• Compensation management: The annual process of determining the compensation of privacy office staff.
• Budget management: The processes and activities supporting the development, approval and spending of annual privacy budgets.
• Performance metrics and monitoring: The processes and measurements to understand how the organization is performing against privacy strategy.

Summary of results from 2022 report

Privacy function responsibilities continue to expand
The breadth and scope of activities undertaken by the privacy function continues to grow far beyond the traditional expectations of a “data protection officer.” More than 30% of organizations are prioritizing international transfer rules and privacy impact assessments. These increasing demands are creating both management and prioritization challenges.

There is no golden model for the privacy office
More than 50% of organizations report their privacy office is spread across more than one line of defense; 37% of organizations have it spread out across all three. Additionally, the location of the privacy office and the structure of the privacy function is dependent on what is right for that organization and their organizational strategy and structure.

Privacy is increasingly aligned with organizational strategy
An organization’s privacy strategy is increasingly aligned with the organization’s overall corporate strategy, with 66% of respondents having at least “considerable” alignment.

Privacy is hiring, but it’s not enough
The demand for privacy expertise continues to accelerate, with the average privacy team growing by 12%. The need for the skills and experience that help organizations “navigate the most complicated of paths” is compounded by the limited availability of privacy professionals across workforce function areas.

The ratio of privacy staff to company resources is reasonably consistent
Despite the significant variance in organizational approaches to privacy, the ratio of privacy resources deployed to support the management of privacy is reasonably consistent across industries and geographies at approximately two to three staff members per billion U.S. dollars of revenue.

Privacy investment continues
Organizations continue to invest skills and resources into privacy as a strategic imperative. On average, more than 50% of an organization’s privacy budget is allocated to salary and benefits.

Most, but not all, companies gather privacy metrics
While most organizations collect privacy metrics, almost 20% of organizations indicated they do not. These metrics are used more for analyzing company performance than informing privacy strategy.

While the privacy profession is showing signs of pressure in some areas — staff turnover, organizational alignment and resource allocation — it is also maturing and developing. Teams continue to grow in size and purpose, while developing closer relationships with company leaders and consumers alike. Corporate governance and organizational models, in the myriad forms they can take, play a key role in the performance of the privacy function overall.