London, 21st January 2025 – Despite the maturity of the General Data Protection Regulation in Europe, only a third (38%) of European professionals are confident in their organisation’s ability to safeguard sensitive data. With only a quarter (24%) of European organisations always practicing Privacy by Design, many risk falling short of compliance with GDPR and new frameworks like the Digital Services Act and AI Act.

Half (52%) of technical privacy teams in Europe remain understaffed, only marginally improving from 53% in 2024 as organisations continue to encounter difficulties with staff retention. 37% of European organisations struggle to retain qualified privacy professionals.

 

Chris Dimitriadis, Global Chief Strategy Officer at ISACA, said, “As the threat landscape continues to evolve in complexity, privacy is becoming a sector which is increasingly difficult to operate in, but also more critical. Two thirds (66%) of the European professionals working in privacy roles who we spoke to said their job is more stressful now compared to five years ago. This is only being exacerbated by continued underfunding. While companies may be making a short-term financial gain, they are putting themselves at long-term risk.”

European organisations who always practice Privacy by Design are more likely to say they have appropriately staffed privacy teams and decreased privacy skills gaps. 43% of European organisations who always practice Privacy by Design say their technical privacy teams are appropriately staffed (versus 33% of those who do not) 58% are highly confident in their technical privacy teams as a result.

More than half (56%) of European organisations who always practice Privacy by Design have decreased privacy skills gaps by training non-privacy staff who are interested to move into privacy roles, compared to 44% of those who do not.

A skilled and supported workforce is key to ensuring Privacy by Design is achievable. The biggest skills gaps reported by European organisations are experience with different types of technologies and/or applications (62%); technical expertise (49%); and IT operations knowledge and skills (45%).

To combat the skills gap and wider privacy challenges they are facing, 47% of European organisations offer training to allow non-privacy staff to move into privacy roles. Experience is key to filling the skills gap: 95% of respondents consider compliance and legal experience an important factor in determining if a privacy candidate is qualified, and 89% consider credentials important, compared with only 54% for a university degree.

Dimitriadis continues: “Practicing Privacy by Design and embedding privacy across an entire enterprise is key to long-term data protection. Such a comprehensive approach fosters trust with stakeholders and safeguards against ever-evolving threats – but this isn’t possible without skilled privacy teams who feel prepared and able to drive privacy practices from a technology, business and compliance point of view.

“There are several ways to plug the skills gap. Providing training and continuous support for privacy staff on emerging technologies, privacy-enhancing technologies, cybersecurity and data protection architectures on top of legal compliance knowledge is essential for managing their stress and maintaining organisational resilience.”