Data privacy teams are both understaffed and underfunded despite accelerating privacy threats and regulatory demands, according to new research by ISACA.

ISACA’s State of Privacy 2026 report found that the median privacy staff size was five, down from eight the previous year. Additionally, technical privacy roles are more understaffed than legal/compliance roles with the former set to increase in demand over the next year.

To address skill gaps, the survey found that privacy teams are training non‑privacy staff who are interested in moving into privacy roles and increasing the usage of contract employees or outside consultants.

The majority of respondents said they find their roles more stressful now compared to five years ago. In 2026, 35 % said their role was ‘significantly more stressful’ and 30 % said it was ‘slightly more stressful’.

The top contributors to this level of stress included technology’s rapid evolution, compliance challenges, resource shortages and competing priorities.

Privacy Roles More Stressful Than Ever

Of respondents in enterprises with significantly or somewhat underfunded privacy budgets, 46 % said their role is significantly more stressful now.

The report noted that this “suggests a correlation between resources and on‑the‑job stress.”

Chris Dimitriadis, Global Chief Strategy Officer at ISACA, said, “Privacy teams are being asked to manage more risk with fewer resources, and the strain is beginning to show. As organizations adopt new technologies at speed, the volume and complexity of privacy obligations grow in parallel – yet many teams are still operating without the staffing, funding or training they need to keep pace.”

When asked about their privacy budget perceptions in 2026, 36 % said they felt appropriately funded, 31 % somewhat underfunded and 11 % significantly underfunded.

Since 2024, the State of Privacy 2026 study has found an increase in respondents who anticipated budget cuts with 43 % anticipating budgets will somewhat decrease. However, the percentage of respondents whose privacy budget actually decreased was lower than those who anticipated a decrease in the previous year.

New Tech Introduces Privacy Risks

A total of 44 % of respondents said their privacy program faced obstacles and 52 % cited the management of risk associated with new technologies as a top difficulty.

The report noted, “It is possible that, this year, more respondents experienced the consequences of not practicing privacy by design, especially related to AI.”

Not practicing privacy by design was cited by 50 % of respondents as the second most common privacy failure, behind poor training which was noted by 51 % of respondents.

Despite AI presenting data privacy challenges, 38 % of respondents said they plan to use AI for privacy tasks in the next 12 months.

The State of Privacy 2026 report surveyed over 1,800 privacy and data‑protection professionals in September 2025 to generate the findings.