SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
United Kingdom

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Overworked eu data privacy team dim office papers servers alerts
#
Data Protection
#
Digital Transformation
#
Encryption

European privacy teams warn of cuts amid rising risks

Fri, 16th Jan 2026
Author image
By Mark Tarre, News Chief

Privacy teams across Europe expect further budget cuts in 2026 even as many organisations report understaffing and rising breach expectations, according to new research from ISACA.

The survey found that 54% of privacy professionals in Europe expect privacy budgets to decrease further in 2026. It also found that 44% said their teams are underfunded.

Staffing levels emerged as a key pressure point. Nearly four in ten legal privacy roles in Europe report being understaffed, at 39%. Technical privacy roles reported higher levels of understaffing, at 51%.

The findings point to heightened concern about incidents. More than a quarter of respondents, 26%, said they believe their organisation is likely to experience a material privacy breach within the next year.

Board focus

The research also highlights uneven attention at board level. More than a quarter of European respondents, 26%, said their board of directors is failing to adequately prioritise privacy.

Regulation appears to shape how boards view privacy. The survey found that 44% of professionals said their board views the privacy programme as compliance-driven.

ISACA said organisations face rising pressure from both threats and regulatory demands. Europe has an established privacy regulatory environment, led by GDPR, alongside national and sector-specific rules that affect data handling and incident response.

Chris Dimitriadis, Global Chief Strategy Officer, ISACA, linked the resourcing gap to the breadth of obligations facing teams.

"Privacy teams are being asked to manage more risk with fewer resources, and the strain is beginning to show. As organisations adopt new technologies at speed, the volume and complexity of privacy obligations grow in parallel - yet many teams are still operating without the staffing, funding or training they need to keep pace.

"When boards underestimate privacy, they underestimate a fundamental pillar of digital trust. A single privacy breach can erode years of brand equity, damage customer relationships and trigger significant regulatory consequences. Prioritising privacy is not simply a compliance requirement; it is a business imperative," said Dimitriadis.

New technology

Respondents pointed to new technologies as a major source of friction for privacy programmes. Nearly half, 49%, said managing the risks associated with new technologies is a major obstacle.

The survey also captured changes in working conditions. Two thirds of respondents, 67%, said their job is more stressful now than five years ago. Among the drivers, 68% cited the rapid pace of technological change and 64% cited compliance challenges.

Organisations also reported difficulty navigating cross-border obligations. More than half, 51%, said the complexity of international laws and regulations is a key barrier. A further 22% said their organisation struggles to identify and understand its privacy obligations.

Confidence about future compliance readiness appears limited. Only 8% of respondents said they are completely confident in their organisation's ability to comply with new and emerging privacy laws.

Controls and gaps

Despite budget and staffing constraints, many respondents said their organisations use formal approaches to structure privacy work. The survey found that 79% in Europe use a framework or regulation to guide their privacy programme, most commonly GDPR.

Respondents also reported the use of technical and operational controls. The survey said 71% have data security controls in place and 73% use encryption.

The research also points to gaps in preparedness and skills development. Only 64% of European organisations said they have a formal incident response plan as part of their privacy controls. That leaves more than a third without a formal plan in this area.

Retention and training also feature in the results. More than a third of respondents, 34%, said their organisation has difficulty keeping qualified privacy professionals. The survey found that 45% cited a lack of training or poor training as a key contributor to privacy failures.

Dimitriadis argued that boards need to treat privacy as more than a compliance exercise when resourcing decisions tighten.

"These gaps underline a critical truth: privacy cannot be strengthened solely through controls or checklists, even with the help of AI. It demands sustained investment in people, governance and culture - and that begins at the top," said Dimitriadis.

"Boards must treat privacy as a strategic driver of trust, resilience and competitive advantage, not just a compliance checkbox. When organisations equip their privacy teams with the skills, resources and authority they need, they are not just reducing risk - they are preparing their business for the next wave of regulatory and technological change. By investing in training and professional development today, leaders can build a foundation of privacy resilience that is ready for the evolving landscape," said Dimitriadis.

The research is based on a survey of 1,854 global respondents working in privacy, including 485 based in Europe.

Related stories
Ecommpay leader wins Women in Risk & Compliance award
Palo Alto warns on earnings as guidance disappoints
Gr4vy adds Sardine tools to unify fraud & payments
AI deepfakes erode trust and reshape UK dating apps
AI & endpoints reshape global information governance

Top stories

IT leaders rethink cloud, AI spend amid lock-in fears
12Port unveils AI session intelligence for PAM security
DryRun Security adds Andrew Peterson to drive AI shift
AI-driven phishing surge dominates 2025 cyberattacks
Tailscale unveils Aperture to govern workplace AI use