
Privacy in Practice 2023

© 2023 ISACA. All Rights Reserved.

CONTENTS
3 Abstract
4 Executive Summary
4 / Key Findings
4 Survey Methodology
6 Privacy Staffing
9 / Skill Gaps
10 Privacy Budgets
10 Privacy Program Trends
12 / Privacy Team Interaction With Other Areas
13 / Boards of Directors’ Privacy Involvement
13 / Monitoring Privacy Programs
14 Privacy Awareness Training
16 Privacy Frameworks, Laws and Regulations
16 Privacy Breaches and Failures
18 Privacy by Design
19 The Future of Privacy
20 Conclusion
21 Acknowledgments

ABSTRACT
Privacy in Practice 2023 reports the results of the ISACA® global State of Privacy Survey,
conducted in the fourth quarter of 2022. This report focuses on privacy staffing, budgets,
program trends, awareness training and breaches, and privacy by design. Some survey
findings are consistent with last year’s survey results, while others indicate relief from
some of the privacy challenges identified last year.


Executive Summary
Privacy in Practice 2023 explores trends in privacy staffing, budgets, programs, awareness training and privacy by design, based on the results of the ISACA global State of Privacy Survey, conducted in the fourth quarter of 2022.

Strong enterprise privacy practices are critical in a rapidly evolving privacy regulatory landscape. Privacy violations erode customer trust and increasingly result in enterprise reputation damage and significant fines. Enterprise privacy programs that aim to protect data subjects and gain their trust set their enterprises apart from competitors. This white paper explores the state of organizational privacy.

Key Findings
The following are key survey findings:

• Technical privacy roles are slightly more likely to be somewhat or significantly understaffed than legal/compliance privacy roles, although both types of roles are impacted by staff shortages.
• Technical privacy roles are significantly more likely than legal/compliance privacy roles to have increased demand in the next year.
• Experience is considered the most important factor in determining if a privacy-position candidate is qualified.
• The demand for privacy professionals is expected to increase over the next year for technical privacy professionals and legal/compliance privacy professionals.
• Privacy teams interact most frequently with information security, legal/compliance and risk management teams.
• Enterprises that practice privacy by design are more likely to:
  • Have adequately staffed privacy teams
  • Believe that their board of directors appropriately prioritizes enterprise privacy
  • Require documented privacy policies, procedures and standards
  • Use more privacy controls overall than are legally required
  • Feel their privacy budget is appropriately funded

Survey Methodology
In the fourth quarter of 2022, ISACA sent survey invitations globally to approximately 46,000 ISACA constituents who hold the ISACA CSX Cybersecurity Practitioner Certification™ (CSX-P™), Certified Information Security Manager® (CISM®) or Certified Data Privacy Solutions Engineer™ (CDPSE™) designation, or have “privacy” in their job title. Survey data were collected anonymously via Survey Monkey. A total of 1,890 respondents completed the survey; their responses are included in the results.

The most commonly held certification is the CISM certification: Seventy-five percent of respondents hold the CISM certification, 42 percent hold the Certified Information Systems Auditor® (CISA®) certification and 35 percent hold the CDPSE certification. Forty-three percent of respondents are in a management role, 26 percent are in senior leadership positions, 21 percent are individual contributors and 10 percent are in executive leadership positions. Figure 1 shows additional information about survey respondents.


FIGURE 1: Respondent Demographics

Top industries (chart): Technology services/consulting; Financial/banking; Government/military—national/state/local
Years of experience (chart): 1–5; 6–10; 11–15; 16–20; 21–25; 25+
Total revenue (chart): Less than $50M; $50M–$99M; $100M–$499M; $500M–$999M; Greater than $1B
Region (chart): North America 47%; Europe; Asia; Latin America; Oceania; Africa; Middle East
Number of employees at organization: 1–249 employees (19%); 250–999 employees (16%); 1,000–4,999 employees (23%); 5,000–24,999 employees (18%); 25,000 or more employees (25%)


Privacy Staffing
According to the survey findings, the mean number of full-time-equivalent employees who have privacy-related responsibilities within an enterprise is 26, which is slightly higher than last year’s average (25).

Privacy staff roles include legal/compliance practitioner, technical IT staff, risk professional or security professional. Figure 2 shows the percentage of staff in each of these roles.

Privacy practitioners can usually be classified into one of two groups—legal/compliance or technical. Legal/compliance privacy professionals have knowledge of the privacy laws and regulations that apply to an enterprise but may not have extensive technical expertise; technical privacy professionals have the technical expertise to apply controls that help preserve privacy and achieve compliance.

FIGURE 2: Staff Privacy Roles
What percentage of your staff are in the following roles?

Role                                                    None   1%–20%   21%–40%   41%–60%   61%–80%   81%–100%   Don’t know
Legal/compliance practitioners                           10%      53%       13%        7%        6%         6%           6%
Technical IT staff (excluding security professionals)     8%      37%       21%       14%       10%         6%           4%
Risk professionals                                        8%      51%       18%        8%        5%         5%           4%
Security professionals                                    4%      45%       19%       11%        7%        10%           4%


Both legal/compliance and technical privacy teams are understaffed, according to the ISACA survey results. Forty-four percent of respondents indicate that legal/compliance privacy teams are somewhat or significantly understaffed, and 53 percent of respondents report that technical privacy teams are somewhat or significantly understaffed. Larger understaffing in technical privacy teams than in legal/compliance teams is consistent with previous years’ findings. Although understaffing remains concerning, it has improved from last year (figure 3). This may be due to enterprises prioritizing privacy more compared to last year and/or increasing privacy budgets—35 percent of last year’s survey respondents reported that their privacy budget would increase in the next 12 months.

Some enterprises are taking steps to address understaffing. Twenty-seven percent of respondents say that their enterprises have open legal/compliance privacy positions, and 34 percent indicate they have open technical privacy roles. Often, filling privacy positions can be time consuming (figures 4 and 5).

FIGURE 3: Privacy Understaffing Compared With Last Year
Understaffing of Privacy Roles

Role                2022   2023
Legal/compliance     46%    44%
Technical privacy    55%    53%

FIGURE 4: Time to Fill Open Legal/Compliance Privacy Positions
On average, how long does it take to fill legal/compliance privacy positions with a qualified candidate?
(pie chart) Categories: <2 weeks; 1–3 months; 3–6 months; >6 months; Cannot fill open positions; Don’t know; Not applicable

FIGURE 5: Time to Fill Open Technical Privacy Positions
On average, how long does it take to fill technical privacy positions with a qualified candidate?
(pie chart) Categories: <2 weeks; 1–3 months; 3–6 months; >6 months; Cannot fill open positions; Don’t know; Not applicable


Although some survey respondents report that the time to fill open privacy positions decreased in the past year, most report that the amount of time to fill roles increased or stayed the same. For legal/compliance roles, 14 percent of respondents say that the time to fill positions somewhat or significantly decreased, 19 percent report that it significantly or somewhat increased and 31 percent say that it stayed the same. Time to fill technical privacy positions is similar, with 16 percent saying that it somewhat or significantly decreased, 23 percent saying that it significantly or somewhat increased and 30 percent indicating it stayed the same.

One challenge to quickly filling roles is a lack of qualified applicants. For approximately one-fifth of respondent enterprises, less than one-quarter of privacy-position applicants were well qualified for the positions to which they applied (for both legal/compliance and technical privacy positions). Experience is the primary factor in determining an applicant’s qualifications. Figure 6 shows the importance of factors that are used to evaluate if a privacy candidate is qualified.

FIGURE 6: Importance of Factors Determining an Applicant’s Qualifications
How important are each of the following factors in determining if a privacy candidate is qualified?

Factor                                               Very important   Somewhat important   Not very important   Not at all important
Compliance/legal experience                               62%                34%                  3%                    1%
Prior hands-on experience in privacy role                 58%                38%                  4%                    0%
Technical experience                                      51%                42%                  6%                    0%
Credentials held                                          40%                52%                  7%                    1%
Completion of hands-on training courses in privacy        28%                53%                 17%                    1%
University degree                                         26%                46%                 24%                    5%
Recommendation from previous employer                     22%                46%                 27%                    5%


According to 76 percent of ISACA survey respondents, expert-level privacy roles are the most difficult level to hire, followed by the practitioner knowledge level (51 percent) and entry-level/foundational knowledge level (12 percent).

Skill Gaps
Survey respondents identify a lack of experience with different types of technologies and/or applications as the biggest skill gap in current privacy professionals (indicated by 63 percent of respondents); this aligns with the finding that experience is the most important factor when evaluating privacy-position candidates (figure 6). Fifty-four percent of respondents report that experience with frameworks and/or controls is a large skill gap. The next most-commonly identified skill gap is understanding the laws and regulations to which an enterprise is subject (46 percent), followed closely by a lack of technical expertise (45 percent). Other skill gaps include:

• Business insight (39 percent)
• IT operations knowledge and skills (38 percent)
• Soft skills, such as communication, flexibility and leadership (34 percent)
• Networking and/or other infrastructure knowledge and skills (33 percent)
• Business ethics (18 percent)

Enterprises are working to reduce these skill gaps. Figure 7 shows the solutions that enterprises are applying.

FIGURE 7: Methods of Addressing the Privacy Skills Gap
Which, if any, of the following has your organization undertaken to help decrease this privacy skills gap? Select all that apply.

Training to allow nonprivacy staff who are interested to move into privacy roles   49%
Increased use of contract employees or outside consultants                          38%
Increased use of performance-based training to attest to actual skill mastery       25%
Increased reliance on credentials to attest to actual subject matter expertise      25%
Increased reliance on artificial intelligence or automation                         20%
Nothing has been done                                                               13%
Don’t know                                                                          12%
Organization has no privacy skills gap                                               4%
Other                                                                                1%



Privacy Budgets
In addition to privacy skill deficiencies, insufficient budgets contribute to the staffing challenges that privacy teams face. Forty-two percent of ISACA survey respondents report that their enterprise privacy budget is somewhat or significantly underfunded, 36 percent say it is appropriately funded, seven percent say it is significantly or somewhat overfunded and 14 percent do not know. This is a slight improvement from last year, when 45 percent of respondents felt their privacy budget was underfunded, and a larger improvement from 2021, when 49 percent of survey respondents believed their privacy budget was underfunded.

Those respondents who feel that their privacy budget is appropriately funded increased from 33 percent last year to 36 percent this year. These improvements may indicate that enterprises are beginning to recognize the importance of privacy and are taking steps to improve funding. Although the percentage of respondents that believe that their enterprise privacy budget will significantly or somewhat increase in the next 12 months decreased slightly to 34 percent—from 35 percent last year—that decrease may be due to the increased percentage of respondents who believe that their privacy budget is appropriately funded and therefore may not see a need to increase funding.

Twelve percent of respondents believe that their privacy budget will somewhat or significantly decrease in the next 12 months—an increase from eight percent last year—so some enterprises will likely need to scale back and make do with the limited resources they have.

Privacy Program Trends
Depending on an enterprise’s structure and the skills and competencies of executives, the role accountable for enterprise privacy varies. Figure 8 shows the role primarily accountable for privacy in survey-respondent enterprises. Twenty-one percent of respondents say the chief privacy officer is accountable for privacy. Sixteen percent of respondents say the chief information officer is accountable for privacy, and 14 percent say the executive-level security officer—e.g., chief information security officer (CISO) or chief security officer (CSO)—is accountable.

Ensuring the appropriate person is accountable for privacy is essential because this individual can help guide efforts in the event of a breach and advocate for the privacy team, including advocating for funding and other resources. This accountability also improves the alignment of privacy with other organizational objectives.

Thirty-nine percent of respondents say that a lack of executive or business support is an obstacle to forming a privacy program, and 38 percent of respondents say that a lack of visibility and influence in the organization is an obstacle—these challenges can be mitigated by having a strong C-level privacy advocate. Figure 9 shows additional challenges enterprises face when forming a privacy program.


FIGURE 8: Accountability for Privacy
Who is primarily accountable for privacy in your organization?

Chief privacy officer                                             21%
Chief information officer                                         16%
Executive-level security officer (e.g., CISO, CSO)                14%
Chief executive officer                                           13%
General counsel/chief legal officer                               10%
Chief compliance officer                                           9%
Board of directors                                                 5%
Don’t know                                                         4%
Other                                                              4%
The organization does not have a person accountable for privacy    2%

FIGURE 9: Obstacles to Forming a Privacy Program
Which, if any, of the following are obstacles faced by an organization in its ability to form a privacy program? Select all that apply.

Lack of competent resources                                  42%
Lack of clarity on the mandate, roles and responsibilities   40%
Lack of executive or business support                        39%
Lack of visibility and influence within the organization     38%
Complex international legal and regulatory landscape         38%
Management of risk associated with new technologies          32%
Lack of a privacy strategy and implementation roadmap        31%
No obstacles exist                                            7%
Don’t know                                                    9%
Other                                                         1%


Privacy Team Interaction With Other Areas
Given the challenges of understanding the legal and regulatory landscape of privacy, it is imperative that technical privacy professionals work closely with legal/compliance privacy professionals. These teams should meet regularly to understand their legal and regulatory obligations and ensure that technical controls are in place to achieve compliance. Figure 10 shows how frequently technical privacy professionals meet with legal/compliance privacy professionals in survey-respondent enterprises.

Twenty-eight percent of respondents say that their technical privacy professionals and legal/compliance privacy professionals meet quarterly, 25 percent say that these professionals meet once or twice a year and 17 percent report that they meet monthly. Another 17 percent of respondents report that their technical and legal/compliance privacy professionals meet when new privacy laws and regulations go into effect.

It is concerning that nearly one-third of respondents meet less than quarterly. The regulatory landscape is rapidly changing, and the evolution of business operations may necessitate more frequent meetings between technical and legal/compliance privacy professionals. Equally concerning is that nearly one-fifth of respondents only meet when new privacy laws and regulations go into effect; privacy efforts may be reactionary and delayed if meetings are prompted only when the compliance landscape changes.

Privacy teams must work cross-functionally to ensure privacy considerations exist throughout the enterprise. Survey respondents report that their privacy teams continually interact with information security (32 percent of respondents), legal and compliance (29 percent of respondents) and risk management (22 percent of respondents).

Privacy teams also interact regularly with IT operations and development, procurement, internal audit, human resources, sales/marketing/customer relations, finance, product/business development and public and media relations.

FIGURE 10: Frequency of Meetings Between Technical and Legal/Compliance Privacy Professionals
How often do technical privacy professionals meet with legal/compliance professionals to understand legal and regulatory requirements?

Quarterly                                        28%
1–2 times per year                               25%
Monthly                                          17%
As new privacy laws/regulations go into effect   17%
Weekly                                            7%
Never                                             6%


Boards of Directors’ Privacy Involvement
A board of directors’ approach to privacy can greatly impact the day-to-day operations of a privacy team. Most survey respondents believe that their board of directors adequately prioritizes privacy. Fifty-five percent of respondents believe that their board adequately prioritizes privacy, 22 percent do not believe that their board prioritizes privacy and 20 percent do not know. (Three percent responded that it is not applicable.) The seemingly large percentage of respondents who do not know if their board prioritizes privacy may be due to a lack of communication from the board. This result may also signal a disconnect between a board’s expression of support for privacy and its lack of actions that show that support.

Boards may view privacy from a few different perspectives. Figure 11 shows how boards of directors may view privacy programs.

There are many concerns associated with having a purely compliance-driven privacy approach. The global privacy landscape is evolving rapidly. Organizations whose primary focus is achieving compliance may find themselves struggling to catch up. A purely compliance-driven view of a privacy program may signal that privacy initiatives are reactive rather than proactive—privacy teams may always feel a step behind compliance and unable to work best to protect data subjects’ privacy.

FIGURE 11: How Boards of Directors View Privacy Programs
Do you think your board of directors views your enterprise’s privacy program as:

Compliance driven: The privacy program serves to achieve compliance with applicable laws and regulations                                   33%
Ethically driven: The need to protect privacy is important to the enterprise’s mission regardless of existing laws and regulations        53%
A combination of both                                                                                                                      14%

Monitoring Privacy Programs
It is crucial that enterprises monitor their privacy programs. Regular monitoring helps enterprises identify and evaluate what they are doing well and areas for improvement. As enterprises increase privacy-program monitoring, they can see how their privacy programs evolve. Figure 12 shows the common ways of monitoring the effectiveness of privacy programs.

Thirty percent of respondent enterprises evaluate the number of privacy incidents as a metric to indicate the effectiveness of their privacy programs. This metric should be combined with another monitoring mechanism; an organization that looks solely at the number of privacy incidents will not know about its privacy program weaknesses until an incident happens, at which point the reputational damage and loss of trust may be irreversible. Significant fines can also result from privacy incidents, so it is best to use forward-looking metrics to evaluate the effectiveness of a privacy program to avoid these high penalties.


FIGURE 12: How Enterprises Monitor Privacy-Program Effectiveness
How does your organization monitor the effectiveness of its privacy program? Select all that apply.

Perform a privacy impact assessment (PIA)   45%
Perform a privacy risk assessment           45%
Perform a privacy self-assessment           36%
Undergo a privacy audit/assessment          35%
Evaluate the number of privacy incidents    30%
No monitoring is performed                   9%
Don’t know                                  11%
Other                                        1%

Privacy Awareness Training
Privacy teams may be small and understaffed, but everyone in an enterprise plays a role in preserving privacy, which is why privacy awareness training is so crucial. Eighty-five percent of respondent enterprises provide privacy training for employees. Figure 13 shows the frequency with which privacy awareness training is provided.

Privacy awareness training should be provided with some regularity, and—because of the rapidly changing privacy regulatory landscape and technology—training should be reviewed and revised periodically. Fifty-nine percent of respondents say that their enterprise reviews and revises privacy awareness training annually, 24 percent review and revise training as new laws and regulations go into effect, nine percent review it every two-to-five years and four percent do not revise their privacy training.

FIGURE 13: Frequency of Privacy Awareness Training
When does your organization provide privacy training? Select all that apply.

Annually                                       65%
As part of new hire training                   52%
Quarterly                                      17%
After the occurrence of a significant event    15%
No privacy training is conducted                7%
Don’t know                                      6%
Other                                           2%

To evaluate if employees are benefitting from privacy awareness training, enterprises should monitor their training programs. Figure 14 shows the metrics that respondent enterprises use to evaluate privacy training program effectiveness.

Relying solely on the number of privacy incidents and/or the number of privacy complaints received from customers is problematic because it is reactive; enterprises will not know training is ineffective until a privacy incident occurs or a privacy complaint is received. Although tracking the number of people who complete privacy training may be valuable, it does not reveal the efficacy of the privacy training; it treats training as a check-the-box exercise without evaluating if employees are learning anything from it.

Pre- and post-training assessments are a stronger metric, as they demonstrate if staff have learned from the training programs. If there is no difference or a minimal difference between pre- and post-training assessments, that may be an indicator that the privacy awareness training needs to be revised.

Most respondents believe that privacy training programs benefit their enterprise. Twenty-six percent of respondents say that privacy training and awareness programs have a strong positive impact, and 47 percent say they have some positive impact.

In 57 percent of respondent enterprises, privacy awareness training is separate from security awareness training, while 31 percent of respondent enterprises do not separate privacy awareness training from security awareness training.

Although privacy and security training can be combined in a way that teaches both topics, a concern is that privacy-specific topics are not covered thoroughly in combined training. It is impossible to have privacy without security, but security does not necessarily guarantee privacy.

FIGURE 14: Metrics to Evaluate Privacy Awareness Training Effectiveness
What metrics does your organization track to evaluate the privacy training program’s effectiveness? Select all that apply.

Number of employees who have completed privacy training   65%
Number of privacy incidents                               54%
Number of privacy complaints received from customers      36%
Comparison of pre- and post-training assessments          23%
Other                                                      6%


Privacy Frameworks, Laws and Regulations
Eighty-two percent of respondents use a framework or law/regulation to manage privacy in their enterprises. For 73 percent of respondents, it is mandatory to address privacy with documented privacy policies, standards and procedures. The top-three frameworks and regulations most commonly used to manage privacy are:

• General Data Protection Regulation (GDPR): 50 percent
• US National Institute of Standards and Technology (NIST) Privacy Framework: 46 percent
• ISO/IEC 27002:2013 Information technology—Security techniques—Code of practice for information security controls: 36 percent

Unsurprisingly, regional variations exist for the frameworks and regulations used to manage privacy. Seventy-nine percent of European respondents use GDPR. It may be surprising that only 79 percent of respondents in Europe use GDPR, but this may be partially attributable to Brexit. Sixty-one percent of respondents in the United States use the NIST Privacy Framework.

Given the myriad privacy laws and regulations in effect, some enterprises struggle to identify and understand their privacy obligations. Twenty-three percent of ISACA survey respondents say that it is difficult or very difficult to identify and understand their privacy obligations. This finding emphasizes how important it is for technical privacy professionals to meet with legal/compliance privacy professionals on a regular basis, as many technical privacy experts do not have the legal background to understand the specific provisions of laws and regulations.

A previous section in this report revealed that privacy budgets appear to be more adequately funded this year than last year, and understaffing seems to be improving. Part of the reason for this may be that enterprises felt the strain on their privacy teams and increased privacy budgets and staff sizes accordingly. This strain may be caused partially by an increase in data-subject requests. Thirty-four percent of respondents say that the number of data-subject requests has somewhat or significantly increased.

Privacy Breaches and Failures
Protecting data and achieving compliance with privacy laws and regulations can be challenging, but 45 percent of respondents are completely or very confident in their privacy team’s ability to ensure data privacy and achieve compliance with new privacy laws and regulations. Some of this confidence may come from an understanding of common privacy failures. Figure 15 shows these privacy failures.

Only 11 percent of respondents report that their enterprise experienced a material privacy breach in the past 12 months, which is slightly higher than last year (10 percent). Sixty-four percent of respondents report that their enterprise did not have a privacy breach, 17 percent do not know and nine percent preferred not to answer. Although the percentage of respondents who do not know may seem high, it is possible that they know a security incident occurred but are unsure if personal information was compromised. Dwell time (the time between a breach and when an enterprise discovers the breach) may have also influenced why so many respondents do not know if a privacy breach occurred. Figure 16 shows the number of enterprises experiencing more or fewer breaches than last year.

FIGURE 15: Most Common Privacy Failures
In your opinion, which of the following are the most common privacy failures in an organization? Select all that apply.

Lack of training or poor training                          49%
Not practicing privacy by design                           42%
Data breach/leakage                                        42%
Not performing a risk analysis                             41%
Social engineering                                         39%
Bad or nonexistent detection of personal information       37%
Noncompliance with applicable laws and regulations         34%
Ethical decision making                                    16%
Don’t know                                                 10%
Other                                                       2%

FIGURE 16: Material Privacy Breaches Compared to Last Year
Is your organization experiencing an increase or decrease in material privacy breaches as compared to a year ago?
(pie chart) Categories: More breaches; Fewer breaches; The same number of breaches; Don’t know; Prefer not to answer


Privacy by Design

Privacy by design is a systems engineering method that "mandates that any system, process or infrastructure that uses personal data consider privacy throughout its development life cycle and identify possible risk to the rights and freedoms of the data subjects and minimize them before they can cause actual damage."1 Figure 17 shows how often respondent enterprises practice privacy by design. Thirty percent of respondents indicate that their enterprises always practice privacy by design, and 30 percent of respondents say that their enterprises frequently practice privacy by design.

Some interesting trends emerge when comparing the enterprises that always practice privacy by design to the total number of respondent enterprises. Those that always practice privacy by design:

• Are more likely to separate privacy training from security training (65 percent vs. 57 percent total)
• Have survey respondents who are one-and-a-half times more likely to be completely or somewhat confident in their organization's ability to ensure the privacy of its sensitive data (65 percent vs. 40 percent total)
• Are more likely to rely on artificial intelligence (AI) or automation (25 percent vs. 20 percent total)

FIGURE 17: Frequency of Practicing Privacy by Design

How often does your enterprise practice privacy by design?

• Always: 30%
• Frequently: 30%
• Sometimes: 26%
• Rarely: 10%
• Never: 4%

Given that not practicing privacy by design is viewed as a common privacy failure (figure 15), it is surprising that more enterprises do not always practice it. The reason may be that enterprises that always practice privacy by design are more likely to have resources that enable them to do so (figure 18). The median privacy staff size among enterprises that always practice privacy by design is almost twice as large: 19 compared to 10 for total respondents. Forty-four percent of respondent enterprises that always practice privacy by design feel that their privacy department is adequately staffed, compared to 34 percent of total respondents. It also appears that the boards of directors of enterprises that always practice privacy by design better prioritize privacy; 76 percent of these enterprises feel that their board properly prioritizes privacy, compared to just 55 percent of total respondents.

Respondents from enterprises that always practice privacy by design are significantly more likely to be completely or somewhat confident in their team's ability to ensure data privacy and achieve compliance with new privacy laws and regulations. Seventy-six percent of these respondents feel completely or somewhat confident in this ability, compared to 35 percent of total respondents.

Those who always practice privacy by design are less likely to have boards that view privacy programs as purely compliance driven (24 percent vs. 33 percent). Given that a key tenet of privacy by design is that privacy should be proactive and not reactive, and purely compliance-driven programs are often reactive, it makes sense that enterprises that always practice privacy by design do not operate reactively.

FIGURE 18: Trends in Enterprises That Always Use Privacy by Design

(Enterprises that always practice privacy by design vs. total respondents)

• Median privacy staff size: 19 vs. 10
• Feel that their privacy department is adequately staffed: 44% vs. 34%
• Feel that their board properly prioritizes privacy: 76% vs. 55%

1 ISACA, "Eight Strategies to Help Organizations Implement Privacy by Design and Default," 21 October 2021, https://www.isaca.org/why-isaca/about-us/newsroom/press-releases/2021/eight-strategies-to-help-organizations-implement-privacy-by-design-and-default

The Future of Privacy

The numerous new privacy laws and regulations, and data subjects' increased attention to privacy, indicate that privacy is important, and the work of privacy professionals is crucial to an enterprise's success. Given the various requirements privacy teams must meet and the growing number of international privacy laws and regulations, it makes sense that the demand for privacy professionals is expected to grow in the next year. Sixty-two percent of respondents say the demand for legal/compliance roles will increase in the next year, and 69 percent say the demand for technical privacy positions will increase.

A primary responsibility of privacy professionals is to respond to privacy breaches. Figure 19 shows the likelihood of experiencing a privacy breach in the next year.

FIGURE 19: Likelihood of a Material Privacy Breach in the Next Year

How likely is it that your organization will experience a material privacy breach next year?

• Very likely: 4%
• Likely: 11%
• Neither likely nor unlikely: 22%
• Unlikely: 20%
• Very unlikely: 10%
• Don't know: 21%
• Prefer not to answer: 12%


Approximately one-fifth of respondents do not know the likelihood of experiencing a privacy breach in the next year. This may indicate that privacy risk is an area that is not very mature or that enterprises are just not prioritizing it.

The challenges in hiring the right people for privacy positions and the consequences of a material privacy breach are leading some enterprises to start or plan to use AI for privacy. Figure 20 shows respondent enterprise use of AI for privacy. More respondents use AI this year than last year, but the same number of respondents say they plan to use AI for privacy in the next 12 months.

Given the significant understaffing of privacy teams, it is surprising that 38 percent of respondents do not plan to use AI. This result may be because of the privacy-related concerns associated with AI.2 The large number of respondents who do not know of plans to use AI for privacy may also be explained by these concerns surfacing when considering AI for privacy-related functions.

FIGURE 20: Plans to Use AI for Privacy-Related Tasks

What are your organization's plans to use AI (bots or machine learning) to perform any privacy-related tasks?

• We currently use AI for this function: 11%
• We plan to use AI for this function in the next 12 months: 20%
• We have no plans to use AI for this function: 38%
• Don't know: 31%

Conclusion

Data can provide information about an individual's health, religion, orientation, political beliefs and more. Protecting data subjects' privacy is critical to building and preserving digital trust, so enterprises must prioritize privacy accordingly. The number of privacy laws and regulations will only increase in the coming years, and making headlines for a privacy violation can damage trust with consumers.

Despite the challenges associated with data privacy, the ISACA survey reveals good news: It appears that enterprise budgets have started adjusting for the growing emphasis on privacy. Privacy teams are larger this year than they were last year. Although there is room for improvement, and many enterprises believe they need more resources, enterprises are moving toward better supporting their privacy teams.

2 Pearce, G.; "Beware the Privacy Violations in Artificial Intelligence Applications," ISACA Now Blog, 28 May 2021, https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2021/beware-the-privacy-violations-in-artificial-intelligence-applications


Acknowledgments

ISACA would like to recognize:

Board of Directors

Pamela Nigro, Chair
CISA, CGEIT, CRISC, CDPSE, CRMA
Vice President, Security, Medecision, USA

John De Santis, Vice-Chair
Former Chairman and Chief Executive Officer, HyTrust, Inc., USA

Niel Harper
CISA, CRISC, CDPSE, CISSP
Chief Information Security Officer, Data Privacy Officer, Doodle GmbH, Germany

Gabriela Hernandez-Cardoso
Independent Board Member, Mexico

Maureen O'Connell
NACD-DC
Board Chair, Acacia Research (NASDAQ), Former Chief Financial Officer and Chief Administration Officer, Scholastic, Inc., USA

Veronica Rose
CISA, CDPSE
Senior Information Systems Auditor–Advisory Consulting, KPMG Uganda, Founder, Encrypt Africa, Kenya

Gerrard Schmid
Former President and Chief Executive Officer, Diebold Nixdorf, USA

Bjorn R. Watne
CISA, CISM, CGEIT, CRISC, CDPSE, CISSP-ISSMP
Senior Vice President and Chief Security Officer, Telenor Group, USA

Asaf Weisberg
CISA, CISM, CGEIT, CRISC, CDPSE, CSX-P
Chief Executive Officer, introSight Ltd., Israel

Gregory Touhill
CISM, CISSP
ISACA Board Chair, 2021-2022
Director, CERT Center, Carnegie Mellon University, USA

Tracey Dedrick
ISACA Board Chair (2020-2021) and Interim Chief Executive Officer
Former Chief Risk Officer, Hudson City Bancorp, USA

Brennan P. Baybeck
CISA, CISM, CRISC, CISSP
ISACA Board Chair, 2019-2020
Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA

Rob Clyde
CISM, NACD-DC
ISACA Board Chair, 2018-2019
Independent Director, Titus, Executive Chair, White Cloud Security, Managing Director, Clyde Consulting LLC, USA


About ISACA

ISACA® (www.isaca.org) is a global community advancing individuals and organizations in their pursuit of digital trust. For more than 50 years, ISACA has equipped individuals and enterprises with the knowledge, credentials, education, training and community to progress their careers, transform their organizations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organization that leverages the expertise of its more than 165,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. It has a presence in 188 countries, including 225 chapters worldwide. Through its foundation One In Tech, ISACA supports IT education and career pathways for underresourced and underrepresented populations.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

DISCLAIMER

ISACA has designed and created Privacy in Practice 2023 (the "Work") primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS

© 2023 ISACA. All rights reserved.