Privacy Governance Report 2024
This report provides comprehensive research on the location, performance and significance of privacy governance within organizations.
Published: November 2024
Over 80% of privacy professionals have been tasked with an additional responsibility alongside their existing privacy day jobs.
The IAPP's Privacy Governance Report 2024 charts how the efficacy of, and corresponding confidence in, an organization's approach to privacy governance stems from the investment in the hallmarks of privacy as a professional discipline. Those hallmarks — the people, techniques and tools — have scaled, matured and evolved in ways that are resilient and responsive to change. They place the privacy profession and privacy governance in a prominent position to take on broader and heightening responsibilities, spanning artificial intelligence governance, cybersecurity and content moderation to name a few.
Privacy compliance and how organizations aspire to achieve a better compliance posture remain an ongoing focus for most organizations. Almost all organizations process personal data in some form or another to deliver their business objectives, from small organizations solely processing personal data of a few employees to large multinational organizations processing vast quantities of sensitive personal data every minute to deliver tailored services to consumers.
Nine out of 10 respondents to this year's survey reported being at least somewhat confident with their organizations' privacy governance program.
Developments in recent years have only highlighted the importance of the privacy profession due to the need for better compliance practices to protect individual rights effectively when personal data is being processed and for appropriate responses in the aftermath of various data breaches or ongoing technological developments. Privacy pros increasingly play an important role in enabling their respective organizations to deliver on core business objectives and remain competitive going forward.
However, privacy pros are no longer solely focused on a narrow remit. Increasingly, organizations are looking at these professionals to address the complex environment both internally and externally. As a result, privacy pros are increasingly tasked with additional responsibilities. This year's survey found the vast majority have been asked to take on further responsibilities on top of their day-to-day jobs. Existing C-suite leaders of specific domains are seeing their personal obligations expanded and elevated. For example, among surveyed chief privacy officers, 69% have acquired additional responsibility for AI governance, 69% for data governance and ethics, 37% for cybersecurity regulatory compliance, and 20% for platform liability.
This trend continues at the team level, with more than 80% of privacy teams gaining responsibilities beyond privacy. At 55%, more than one in two privacy pros work in functions with AI governance responsibilities; at 58%, more than one in two have picked up data governance and data ethics; at 32%, almost one in three cover cybersecurity regulatory compliance; and, at 19%, nearly one in five have platform liability responsibilities.
Figure: Has your privacy function acquired additional responsibility?
Organizations have responded to this growing complexity with increased privacy budgets and more senior privacy leaders in charge of growing privacy teams. Additionally, they prioritize limited resources on the right strategic compliance priorities, focusing on privacy training, establishing mature privacy risk management approaches and utilizing technology to enable and support compliance when possible.
Respondents described how satisfactory their organizations' budgets are with respect to privacy obligations. Notably, only four in 10 respondents who said their organizations' budget was less than sufficient had above-median privacy budgets. Meanwhile, more than half of those who said their budget was at least sufficient had above-median privacy budgets.
Figure: Sufficiency of privacy budget with respect to privacy obligations
A prominent result from this year's survey was the acquisition of new responsibilities in AI governance and digital governance. The privacy function rarely sees stagnation due to the vibrancy, diversity and complexity of the field. Although privacy pros are reporting new responsibilities and facing complex challenges, confidence levels in privacy compliance remain relatively stable.
This report seeks to explore these complexities, the impact on compliance and resulting organizational responses in greater detail.
Key takeaways
Growing complexity in law, policy and the regulatory environment
Most survey respondents are confident in their ability to stay informed about new privacy laws and policy initiatives, with 43% overall reporting they are totally confident. However, one in five reported the difficulty in keeping up with continually evolving privacy laws creates challenges in delivering privacy compliance.
More consequential regulatory actions
Respondents working at organizations with privacy budgets of more than USD2 million were most likely to have changed their privacy approaches, split almost equally between changing as a direct response to an action and as an indirect response.
Growing use of more complex technology
It is unlikely organizations will respond to each new development by forming a stand-alone governance function, such as quantum computing or neurotechnology governance. Instead, they may seek to evolve existing structures into a streamlined digital governance approach.
Increased workload due to privacy requests
Privacy functions are meeting the moment and responding in commensurate terms to the trends and developments shaping their new and increased workloads. Privacy functions face many varied priorities, from responding to data subject right requests from increasingly privacy-conscious and statutorily empowered individuals to providing subject matter expertise on privacy impact assessments.
Need to address ongoing and new challenges
Of respondents, 99% reported facing challenges delivering privacy compliance, and 55% reported experiencing five or more challenges delivering compliance, with 15% of all respondents reporting they experienced 10 or more challenges. Yet nearly one in 10 respondents identified zero or only one challenge in delivering privacy compliance for their organizations.
Managing and responding to data breaches
When considering confidence in compliance, the trend is clear. Respondents who were less confident in their organizations' compliance with privacy laws and policies were more likely to work at organizations that had experienced a data breach.
Additional responsibilities for the privacy team
Of respondents, 80% have been tasked with an additional responsibility alongside their existing privacy job. Of those with new responsibilities, 68% of respondents have acquired additional responsibilities for AI governance.
Compliance confidence
Of respondents, 91% reported they were at least somewhat confident in their organizations' ability to comply with privacy regulatory requirements, with 21% reporting total confidence.
Budgeting
The trend unsurprisingly shows budget steadily increases based on organization size, either by revenue or by number of total employees.
Resourcing and senior leadership
Approximately 70% of respondents in European organizations have at least one data protection officer, with an average of three to four full-time DPOs each. In comparison, only 40% of organizations headquartered in North America have a DPO, with an average of less than one full-time DPO per organization.
Activities of the privacy function
AI governance has seen a sustained sharp annual increase as a top priority for organizations over the past three years.
Training
Although more than half of respondents reported 90% of employees in their organizations had completed privacy training, one in five identified less than 50% of employees had completed any privacy training.
Risk
Of respondents, 23% said their organizations do not undertake regular enterprise risk assessments, while 25% identified they are triggered in response to key events such as audit findings, data breaches or changes in regulatory requirements.
At-a-Glance Infographic
This at-a-glance infographic presents key data points from the report.
Additional resources
Previous editions of this report
- IAPP-EY Privacy Governance Report 2023
- IAPP-EY Annual Privacy Governance Report 2022
- IAPP-EY Annual Privacy Governance Report 2021 (Full Report, Infographic)
- IAPP-FTI Consulting Privacy Governance Report 2020
- IAPP-EY Annual Governance Report 2019
- IAPP-EY Annual Governance Report 2018
- IAPP-EY Annual Governance Report 2017
- IAPP-EY Annual Privacy Governance Report 2016
- IAPP-EY Annual Privacy Governance Report 2015
- Benchmarking Privacy Management and Investments of the Fortune 1000 (2014 Report)
Privacy governance resources