Privacy teams are being asked to manage increasingly complex regulatory, technology and data risks with fewer resources and shrinking budgets, according to ISACA’s newly released State of Privacy 2026 survey.
As organisations grapple with evolving privacy laws, rapid AI adoption and heightened breach risk, nearly two-thirds (63%) of privacy professionals in Oceania say their roles are more stressful today than five years ago.
Based on insights from more than 1,800 privacy professionals across the ISACA community worldwide, the survey shows the rapid evolution of technology is the leading source of stress for Oceania respondents, cited by 71% — up from 63% last year — followed by compliance challenges (62%) and resource shortages (61%).
Strained Resources & Teams
When it comes to resources, 43% of global respondents report their privacy budget is underfunded, while 36% say it is appropriately funded.
Looking ahead, respondents in Oceania are pessimistic about next year’s budget, with only 8% expecting an increase (compared with 22% globally), while 60% expect a decrease in the next 12 months (compared to 50% globally).
The results point to a widening gap between what organisations expect from privacy teams and what they are prepared to invest — at a time when data breaches, regulatory penalties and reputational damage can carry significant financial and governance consequences.
Jamie Norton, Vice Chair of the ISACA Board, says privacy teams across Oceania are being stretched as expectations continue to rise.
“Many organisations are asking small privacy teams to manage complex compliance obligations, emerging technologies like AI, and growing breach risk all at once,”
“Lower budgets can mean organisations risk falling behind regulatory expectations as scrutiny intensifies. When investment doesn’t keep pace, privacy risk quickly becomes a broader business and governance issue.” he said.
Shrinking team sizes are also a concern, with the global median privacy staff size dropping from eight in 2025 to five this year. Respondents indicate both technical (47%) and legal/compliance (37%) roles are understaffed.
Additionally, 53% believe skills gaps exist among today’s privacy professionals, with technical expertise (54%) and experience across different technologies and applications (52%) ranking highest.
To address skill gaps, the survey finds global privacy teams are training non-privacy staff interested in moving into privacy roles (48%) and increasing the use of contract employees or external consultants (36%).
This aligns with more than half (55%) worldwide noting that 50% or more of their privacy staff started their careers in a completely different field and transitioned into privacy roles — compared to only 25% who say 50% or more began and remained in privacy careers.
Obstacles & Breaches
When it comes to confidence in their organisation’s ability to protect sensitive data, Oceania respondents are less confident (26%) than their global counterparts (43%). Forty-four percent of all respondents indicate their privacy program faces obstacles, including:
- · Management of risks associated with new technologies (52%)
- · Complex international legal and regulatory landscape (45%)
- · Lack of competent resources (43%)
Respondents identified the following as the most common privacy failures within organisations:
- · Lack of training or poor training (51%, up from 47% in 2025)
- · Not practicing privacy by design (50%, up from 41% in 2025)
- · Data breach/leakage (44%)
Additionally, 14% say their organisations experienced a material privacy breach in the past 12 months. While 23% saw no change in breach numbers, 19% (up from 15% in 2025) expect a material breach in the next 12 months — reflecting slightly increased pessimism.
Privacy Programs, Frameworks & Controls
The survey found global privacy professionals are using a range of controls but are shifting slightly away from identity and access management.
The top controls identified were: data security (72%), encryption (68%, down from 73% in 2025), data loss prevention (65%), and identity and access management (63%, down from 75% in 2025).
Slightly fewer organisations appear to be practicing privacy by design, with 58% always or frequently applying it when building new applications or services, down from 62% in 2025.
Eighty-two percent of global respondents said they use a framework or law/regulation to manage privacy, most commonly GDPR (51%) and the NIST Privacy Framework (45%).
Slightly under half (46%) say they are very or completely confident in their privacy team’s ability to achieve compliance with new privacy laws.
Though only 36% of respondents in Oceania say they find it easy to understand their privacy obligations, far fewer now consider it difficult — 8%, compared to 21% in 2025.
Additionally, more organisations worldwide are using AI for privacy. Twenty-six percent say they have no plans to use AI (bots or machine learning) for privacy tasks, down from 36% in 2024 and 31% in 2025. Meanwhile, 38% indicate they plan to use AI for this function in the next 12 months.
