Budget Cuts Hit Privacy Teams Hard
Privacy team sizes have plummeted by more than one-third globally, with the median dropping from eight staff to five, according to ISACA's State of Privacy 2026 report released this week.
The survey of more than 1,800 privacy professionals conducted in September 2025 reveals mounting pressure on organisations struggling to maintain compliance amid resource constraints and rapid technological change.
Half of respondents anticipate privacy budget decreases in the next 12 months, while fewer than one-quarter expect increases. Technical privacy roles remain more understaffed than legal and compliance positions, with 47% reporting understaffing compared with 37% for legal and compliance roles.
"Privacy teams are shrinking," the report states. "The median privacy staff size of survey respondents is five, down from eight last year."
Confidence in meeting compliance requirements has also declined, with fewer than half of respondents (46%) reporting they are very or completely confident in their privacy team's ability to achieve compliance with new privacy laws and regulations.
The findings come as organisations grapple with an increasingly complex regulatory landscape, including new privacy laws across multiple jurisdictions and emerging requirements around artificial intelligence governance.
Nearly two-thirds (63%) of privacy professionals in Oceania say their roles are more stressful today than they were five years ago.
Jamie Norton, Sydney-based Vice Chair of the ISACA Board, said privacy teams across Oceania are being stretched at a time when expectations continue to rise. “Many organisations are asking small privacy teams to manage complex compliance obligations, emerging technologies like AI, and growing breach risk all at once,” said Mr Norton.
“Lower budgets can mean that organisations risk falling behind regulatory expectations as scrutiny continues to intensify. When investment doesn’t keep pace, privacy risk quickly becomes a broader business and governance issue.”
Survey respondents identified lack of training or poor training as the most common privacy failure at 51%, up from 47% last year. Not practising privacy by design ranked second at 50%, representing a nine percentage-point increase from 2025.
"Survey respondents identify lack of training or poor training as the most common privacy failure," according to the report.
Technical privacy professionals face particular challenges, with 54% of respondents citing technical expertise as the biggest skill gap, followed by experience with different types of technologies and applications at 52%.
The rapid evolution of technology emerged as the top stressor for privacy professionals at 71%, up eight percentage points from last year. Compliance challenges (62%), resource shortages (61%) and competing priorities (56%) rounded out the leading stressors.
Despite these pressures, organisations with strong board support and strategic alignment fare better. The report found that 29% of respondents whose boards adequately prioritised privacy anticipated budget increases, compared with just 14% whose boards did not prioritise privacy.
"A CPO is an important role that can advocate for privacy teams and initiatives," the report notes. Respondents whose organisations had a chief privacy officer were more likely to feel their board adequately prioritised privacy and more confident in ensuring data compliance.
The survey also explored artificial intelligence adoption, with 13% of respondents currently using AI for privacy-related tasks and 38% planning to adopt AI within 12 months. However, AI adoption correlated strongly with organisational maturity, with 41% of current AI users reporting they always practise privacy by design.
Organisations with privacy strategies aligned to broader business objectives demonstrated better outcomes across multiple metrics, including less understaffing, more optimistic budget forecasts and higher rates of practising privacy by design.
ISACA surveyed 47,600 constituents who hold the Certified Data Privacy Solutions Engineer (CDPSE) designation or the Certified Information Security Manager (CISM) designation, or who have "privacy" or "data protection" in their job titles.
The full State of Privacy 2026 report is available at www.isaca.org/resources/reports/state-of-privacy-2026
