According to ISACA’s Privacy in Practice 2023 research report, a web of complex and ever-evolving data privacy regulations - including strengthening of Australia’s online privacy legislation - is having an impact, with less than half of respondents in Australia and New Zealand finding it easy to understand their organisation’s privacy obligations.

In addition, only 35 percent report being highly confident in the ability of their organisation’s privacy teams to ensure data privacy and achieve compliance with new privacy laws and regulations.

Jo Stewart-Rattray, Information Security Advisory Group, ISACA said enterprises must stay compliant and protect the privacy of their data subjects or lose trust and take a hit to their reputation.

“We have seen a remarkable increase in the volume and sophistication of data breaches in Australia over the past year and this new research serves to validate and urge enterprises to prioritise privacy by design,” said Stewart-Rattray.

“This means ensuring that good privacy practices are built into your organisation’s decision-making and digital transformation from the outset. It is an investment that will return benefits in the form of consumer trust, reputational respect and in turn, financial security.”

The ROI of Privacy by Design

The survey found that organisations consistently practicing privacy by design (30 percent, up two points from 2022) are at an advantage. In Australia and New Zealand they are one and a half times more likely to be confident in their organisation’s ability to ensure the privacy of its sensitive data and more likely to see their organisation’s privacy strategy aligned with organisational objectives (81 percent vs. 73 percent total) compared with global results of 92 percent vs 73 percent total.

Additionally, organisations in ANZ that always practice privacy by design believe addressing privacy with documented privacy policies is mandatory (92 percent vs 73 percent total).

Privacy Program Obstacles

The ISACA research identified three top obstacles to forming a privacy program:

1. Lack of competent resources (50 percent vs 42 percent globally)
2. Lack of clarity on the mandate, roles and responsibilities (46 percent vs 40 percent globally)
3. Lack of executive or business support (42 percent vs 39 percent globally)

Only half of all Australia and New Zealand respondents believe their board of directors adequately prioritises privacy (50 percent vs 55 percent globally), which suggests an opportunity for boards to improve communication about their commitment to privacy efforts.

Privacy budgets also remain underfunded at many organisations, with only 31 percent of respondents saying their privacy budget is appropriately funded (compared to 36 percent globally).

Staffing Shortages, Skills Gaps

When it comes to resources, privacy staff shortages persist and the demand for both technical and legal/compliance roles is expected to increase during 2023. For Australia and New Zealand respondents, technical privacy roles remain more understaffed than legal/compliance roles, with 56 percent of respondents indicating they are somewhat or significantly understaffed, versus 46 percent respectively (globally 53 percent vs 44 percent respectively).

The survey also found that 83 percent of respondents expect increased demand for technical privacy roles in the next year (69 percent globally), compared to legal/compliance roles (73 percent vs 62 percent globally).

“Organisations may desire to comply with privacy regulations and build a privacy by design culture, but without a strong team of privacy practitioners, they face significant obstacles to achieving these goals,” says Safia Kazi, ISACA principal, privacy practices.

“With the increased need for these privacy practitioners’ technical and legal expertise to keep pace with the regulatory landscape, it is more important than ever to cultivate and train a strong, skilled privacy workforce to meet the demand.”

The survey report—reflecting the insights of 1,890 global respondents with 62 in Australia and New Zealand who currently work in data privacy or have detailed knowledge of the data privacy function within their organisation—examines privacy staffing, organisation structure, frameworks and policies, budgets, training, and data breaches.

To download a complimentary copy of the Privacy in Practice 2023 survey report, visit www.isaca.org/privacy-month-2023. ISACA is a nonprofit, independent professional association with 165,000 members in 188 countries. Members represent all areas of digital trust, including data privacy.