Privacy in Practice 2023 presents findings from the ISACA global State of Privacy Survey, highlighting the importance of strong privacy practices in a changing regulatory landscape. Key findings indicate a growing demand for privacy professionals, skill gaps in the workforce, and an increase in privacy budgets, with organizations recognizing the need for adequate funding. The report emphasizes the necessity of collaboration between technical and legal/compliance privacy teams to ensure effective privacy program implementation.

Privacy in Practice 2023

© 2023 ISACA. All Rights Reserved.

CONTENTS

3 Abstract
4 Executive Summary
4 / Key Findings
4 Survey Methodology
6
9 / Skill Gaps
10 Privacy Budgets
10 Privacy Program Trends
12 / Privacy Team Interaction With Other Areas
13 / Boards of Directors’ Privacy Involvement
13 / Monitoring Privacy Programs
14 Privacy Awareness Training
16 Privacy Frameworks, Laws and Regulations
16 Privacy Breaches and Failures
18 Privacy by Design
19 The Future of Privacy
20 Conclusion
21 Acknowledgments


ABSTRACT
Privacy in Practice 2023 reports the results of the ISACA® global State of Privacy Survey,

program trends, awareness training and breaches, and privacy by design. Some survey


Executive Summary

Privacy in Practice 2023
budgets, programs, awareness training and privacy by design, based on the results of the ISACA global State of Privacy Survey, conducted in the fourth quarter of 2022. Strong enterprise privacy practices are critical in a rapidly evolving privacy regulatory landscape. Privacy violations erode customer trust and increasingly result in enterprise
programs that aim to protect data subjects and gain their trust set their enterprises apart from competitors. This white paper explores the state of organizational privacy.

Key Findings

• Technical privacy roles are slightly more likely to be understaffed than legal/compliance privacy roles, although both types of roles are impacted by staff shortages.
• Technical privacy roles are more likely than legal/compliance privacy roles to have increased demand in the next year.
• Experience is considered the most important factor in determining if a privacy candidate is qualified.
• The demand for privacy professionals is expected to increase over the next year for technical privacy professionals and legal/compliance privacy professionals.
• Privacy teams interact most frequently with information security, legal/compliance and risk management teams.
• Enterprises that practice privacy by design are more likely to:
  • Have adequately staffed privacy teams
  • Believe that their board of directors appropriately prioritizes enterprise privacy
  • Require documented privacy policies, procedures and standards
  • Use more privacy controls overall than are legally required
  • Feel their privacy budget is appropriately funded

Survey Methodology

In the fourth quarter of 2022, ISACA sent survey invitations globally to approximately 46,000 ISACA constituents who hold the ISACA CSX Cybersecurity
Information Systems Auditor®
Information Security Manager®
or have “privacy” in their job title. Survey data were collected anonymously via Survey Monkey. A total of 1,890 respondents completed the survey; their responses are included in the results.

Forty-three percent of respondents are in a management role, 26 percent are in senior leadership positions, 21 percent are individual contributors and 10 percent are in executive leadership positions. Figure 1 shows additional information about survey respondents.


FIGURE 1: Respondent Demographics

Top industries: technology services/consulting; financial/banking; government/military–national/state/local
Years of experience: 1–5; 6–10; 11–15; 16–20; 21–25; 25+
Total revenue: less than $50M; $50M–$99M; $100M–$499M; $500M–$999M; greater than $1B
Region: North America 47%; Europe 20%; Asia 19%; Latin America, Oceania, Africa and Middle East 3%–4% each

Number of employees at organization:
1–249 employees: 19%
250–999 employees: 16%
1,000–4,999 employees: 23%
5,000–24,999 employees: 18%
25,000 or more employees: 25%


full-time-equivalent employees who have privacy-related responsibilities within an enterprise is 26, which is slightly

Privacy staff roles include legal/compliance practitioner, technical IT staff, risk professional or security professional. Figure 2 shows the percentage of staff in each of these roles.

of two groups—legal/compliance or technical. Legal/compliance privacy professionals have knowledge of the privacy laws and regulations that apply to an enterprise but may not have extensive technical expertise; technical privacy professionals have the technical expertise to apply controls that help preserve privacy and achieve compliance.

FIGURE 2: Staff Privacy Roles

What percentage of your staff are in the following roles?

Legal/compliance practitioners: None 10%; 1%–20% 53%; 21%–40% 13%; 41%–60% 7%; 61%–80% 6%; 81%–100% 6%; Don’t know 6%
Technical IT staff (excluding security professionals): None 8%; 1%–20% 37%; 21%–40% 21%; 41%–60% 14%; 61%–80% 10%; 81%–100% 6%; Don’t know 4%
Risk professionals: None 8%; 1%–20% 51%; 21%–40% 18%; 41%–60% 8%; 61%–80% 5%; 81%–100% 5%; Don’t know 4%
Security professionals: None 4%; 1%–20% 45%; 21%–40% 19%; 41%–60% 11%; 61%–80% 7%; 81%–100% 10%; Don’t know 4%


Both legal/compliance and technical privacy teams are understaffed, according to the ISACA survey results. Forty-four percent of respondents indicate that legal/compliance privacy teams are understaffed, and 53 percent of respondents report that technical privacy teams are understaffed.
teams than in legal/compliance teams is consistent with
This may be due to enterprises prioritizing privacy and
more compared to last year and/or increasing privacy budgets—35 percent of last year’s survey respondents reported that their privacy budget would increase in the next 12 months.

Some enterprises are taking steps to address
say that their enterprises have open legal/compliance privacy positions, and 34 percent indicate they have

FIGURE 3: Understaffing of Privacy Roles

Legal/compliance: 46% (2022), 44% (2023)
Technical privacy: 55% (2022), 53% (2023)

FIGURE 4: Time to Fill Open Legal/Compliance Privacy Positions

On average, how long does it take to fill legal/compliance privacy positions with a qualified candidate?

FIGURE 5: Time to Fill Open Technical Privacy Positions

On average, how long does it take to fill technical privacy positions with a qualified candidate?

Response categories for Figures 4 and 5: <2 weeks; 1–3 months; 3–6 months; >6 months; Cannot fill open positions; Don’t know; Not applicable.


Although some survey respondents report that the
increased or stayed the same. For legal/compliance roles, 14 percent of respondents say that the time to
increased and 31 percent say that it stayed the same.

somewhat increased and 30 percent indicating it stayed the same.
enterprises, less than one-quarter of privacy-position
Figure 6 shows the importance of factors that are used to evaluate if a privacy candidate is qualified.

FIGURE 6:

How important are each of the following factors in determining if a privacy candidate is qualified?
(Very important / Somewhat important / Not very important / Not at all important)

Compliance/legal experience: 62% / 34% / 3% / 1%
Prior hands-on experience in privacy role: 58% / 38% / 4% / 0%
Technical experience: 51% / 42% / 6% / 0%
Credentials held: 40% / 52% / 7% / 1%
Completion of hands-on training courses in privacy: 28% / 53% / 17% / 1%
University degree: 26% / 46% / 24% / 5%
Recommendation from previous employer: 22% / 46% / 27% / 5%


According to 76 percent of ISACA survey respondents, the

Skill Gaps

Survey respondents identify a lack of experience with different types of technologies and/or applications as the biggest skill gap in current privacy professionals
Fifty-four percent of respondents report that experience with frameworks and/or controls is a large skill gap. The
laws and regulations to which an enterprise is subject
• Networking and/or other infrastructure knowledge

Enterprises are working to reduce these skill gaps. Figure 7 shows the solutions that enterprises are applying.

FIGURE 7: Methods of Addressing the Privacy Skills Gap

Which, if any, of the following has your organization undertaken to help decrease this privacy skills gap? Select all that apply.

Training to allow nonprivacy staff who are interested to move into privacy roles: 49%
Increased use of contract employees or outside consultants: 38%
Increased use of performance-based training to attest to actual skill mastery: 25%
Increased reliance on credentials to attest to actual subject matter expertise: 25%
Increased reliance on artificial intelligence or automation: 20%
Nothing has been done: 13%
Don’t know: 12%
Organization has no privacy skills gap: 4%
Other: 1%


Privacy Budgets

face. Forty-two percent of ISACA survey respondents report that their enterprise privacy budget is somewhat or
overfunded and 14 percent do not know. This is a slight improvement from last year, when 45 percent of respondents felt their privacy budget was underfunded, and a larger improvement from 2021, when 49 percent of survey respondents believed their privacy budget was underfunded.

Those respondents who feel that their privacy budget is appropriately funded increased from 33 percent last year to 36 percent this year. These improvements may indicate that enterprises are beginning to recognize the importance of privacy and are taking steps to improve funding. Although the percentage of respondents that believe that their enterprise privacy budget will increase in the next 12 months decreased slightly to 34 percent—from 35 percent last year—that decrease may be due to the increased percentage of respondents who believe that their privacy budget is appropriately funded and therefore may not see a need to increase funding.

Twelve percent of respondents believe that their privacy
next 12 months—an increase from eight percent last year—so some enterprises will likely need to scale back and make do with the limited resources they have.

Privacy Program Trends

Depending on an enterprise’s structure and the skills and competencies of executives, the role accountable for enterprise privacy varies. Figure 8 shows the role primarily accountable for privacy in survey-respondent enterprises. Twenty-one percent of respondents say the chief privacy officer is primarily accountable for privacy, and 14 percent say the executive-level security officer is.

Ensuring the appropriate person is accountable for privacy is essential because this individual can help guide efforts in the event of a breach and advocate for the privacy team, including advocating for funding and other resources. This accountability also improves the alignment of privacy with other organizational objectives.

Thirty-nine percent of respondents say that a lack of executive or business support is an obstacle to forming a privacy program, and 38 percent of respondents say
is an obstacle—these challenges can be mitigated by having a strong C-level privacy advocate. Figure 9 shows additional challenges enterprises face when forming a privacy program.


FIGURE 8: Accountability for Privacy

Who is primarily accountable for privacy in your organization?

Chief privacy officer: 21%
Chief information officer: 16%
Executive-level security officer (e.g., CISO, CSO): 14%
Chief executive officer: 13%
General counsel/chief legal officer: 10%
Chief compliance officer: 9%
Board of directors: 5%
Don’t know: 4%
Other: 4%
The organization does not have a person accountable for privacy: 2%

FIGURE 9: Obstacles to Forming a Privacy Program

Which, if any, of the following are obstacles faced by an organization in its ability to form a privacy program? Select all that apply.

Lack of competent resources: 42%
Lack of clarity on the mandate, roles and responsibilities: 40%
Lack of executive or business support: 39%
Lack of visibility and influence within the organization: 38%
Complex international legal and regulatory landscape: 38%
Management of risk associated with new technologies: 32%
Lack of a privacy strategy and implementation roadmap: 31%
No obstacles exist: 7%
Don’t know: 9%
Other: 1%


Privacy Team Interaction With Other Areas

Given the challenges of understanding the legal and regulatory landscape of privacy, it is imperative that technical privacy professionals work closely with legal/compliance privacy professionals. These teams should meet regularly to understand their legal and regulatory obligations and ensure that technical controls are in place to achieve compliance. Figure 10 shows how frequently technical privacy professionals meet with legal/compliance privacy professionals in survey-respondent enterprises.

Twenty-eight percent of respondents say that their technical privacy professionals and legal/compliance privacy professionals meet quarterly, 25 percent say that these professionals meet once or twice a year and 17 percent report that they meet monthly. Another 17 percent of respondents report that their technical and legal/compliance privacy professionals meet when new privacy laws and regulations go into effect.

It is concerning that nearly one-third of respondents meet less than quarterly. The regulatory landscape is rapidly changing, and the evolution of business operations may necessitate more frequent meetings between technical and legal/compliance privacy professionals. Equally concerning
privacy laws and regulations go into effect; privacy efforts may be reactionary and delayed if meetings are prompted only when the compliance landscape changes.

Privacy teams must work cross-functionally to ensure privacy considerations exist throughout the enterprise. Survey respondents report that their privacy teams
Privacy teams also interact regularly with IT operations and development, procurement, internal audit, human resources, sales/marketing/customer relations,
and media relations.

FIGURE 10:

How often do technical privacy professionals meet with legal/compliance professionals to understand legal and regulatory requirements?

Weekly: 7%
Monthly: 17%
Quarterly: 28%
1–2 times per year: 25%
As new privacy laws/regulations go into effect: 17%
Never: 6%


Boards of Directors’ Privacy Involvement

A board of directors’ approach to privacy can greatly impact the day-to-day operations of a privacy team. Most survey respondents believe that their board of directors
respondents believe that their board adequately prioritizes privacy, 22 percent do not believe that their board
The large percentage of respondents who do not know if their board prioritizes privacy may be due to a lack of communication from the board. This result may also signal a disconnect between a board’s expression of support for privacy and its lack of actions that show that support.

Boards may view privacy from a few different perspectives. Figure 11 shows how boards of directors may view privacy programs.

There are many concerns associated with having a purely compliance-driven privacy approach. The global privacy landscape is evolving rapidly. Organizations
themselves struggling to catch up. A purely compliance-driven view of a privacy program may signal that privacy initiatives are reactive rather than proactive—privacy teams may always feel a step behind compliance and unable to work best to protect data subjects’ privacy.

Monitoring Privacy Programs

It is crucial that enterprises monitor their privacy programs. Regular monitoring helps enterprises identify and evaluate what they are doing well and areas for improvement. As enterprises increase privacy-program monitoring, they can see how their privacy programs evolve. Figure 12 shows the common ways of monitoring the effectiveness of privacy programs.

Thirty percent of respondent enterprises evaluate the number of privacy incidents as a metric to indicate the effectiveness of their privacy programs. This metric should be combined with another monitoring mechanism; an organization that looks solely at the number of privacy incidents will not know about its privacy program weaknesses until an incident happens, at which point the reputational
best to use forward-looking metrics to evaluate the effectiveness of a privacy program to avoid these high penalties.

FIGURE 11: How Boards of Directors View Privacy Programs

Do you think your board of directors views your enterprise’s privacy program as:

Compliance driven (the privacy program serves to achieve compliance with applicable laws and regulations): 33%
Ethically driven (the need to protect privacy is important to the enterprise’s mission regardless of existing laws and regulations): 53%
A combination of both: 14%


FIGURE 12: How Enterprises Monitor Privacy-Program Effectiveness

How does your organization monitor the effectiveness of its privacy program? Select all that apply.

Perform a privacy impact assessment (PIA): 45%
Perform a privacy risk assessment: 45%
Perform a privacy self-assessment: 36%
Undergo a privacy audit/assessment: 35%
Evaluate the number of privacy incidents: 30%
No monitoring is performed: 9%
Don’t know: 11%
Other: 1%

Privacy Awareness Training

Privacy teams may be small and understaffed, but everyone in an enterprise plays a role in preserving privacy, which
percent of respondent enterprises provide privacy training for employees. Figure 13 shows the frequency with which privacy awareness training is provided.

Privacy awareness training should be provided with some regularity, and—because of the rapidly changing privacy regulatory landscape and technology—training should be reviewed and revised periodically. Fifty-nine percent of respondents say that their enterprise reviews and revises privacy awareness training annually, 24 percent review

FIGURE 13: Frequency of Privacy Awareness Training

When does your organization provide privacy training? Select all that apply.

Annually: 65%
As part of new hire training: 52%
Quarterly: 17%
After the occurrence of a significant event: 15%
No privacy training is conducted: 7%
Don’t know: 6%
Other: 2%


and revise training as new laws and regulations go into
four percent do not revise their privacy training.

awareness training, enterprises should monitor their training programs. Figure 14 shows the metrics that respondent enterprises use to evaluate privacy training program effectiveness.

Relying solely on the number of privacy incidents and/or the number of privacy complaints received from customers is problematic because it is reactive; enterprises will not know training is ineffective until a privacy incident occurs or a privacy complaint is received. Although tracking the number of people who complete privacy training may be valuable, it does not reveal the
check-the-box exercise without evaluating if employees are learning anything from it.

Pre- and post-training assessments are a stronger metric, as they demonstrate if staff have learned from the training programs. If there is no difference or a minimal difference between pre- and post-training assessments, that may be an indicator that the privacy awareness training needs to be revised.

Most respondents believe that privacy training
of respondents say that privacy training and awareness programs have a strong positive impact, and 47 percent say they have some positive impact.

In 57 percent of respondent enterprises, privacy awareness training is separate from security awareness training, while 31 percent of respondent enterprises do not separate privacy awareness training from security awareness training.

Although privacy and security training can be combined in a way that teaches both topics, a concern is that
combined training. It is impossible to have privacy without security, but security does not necessarily guarantee privacy.

FIGURE 14: Metrics to Evaluate Privacy Awareness Training Effectiveness

What metrics does your organization track to evaluate the privacy training program’s effectiveness? Select all that apply.

Number of employees who have completed privacy training: 65%
Number of privacy incidents: 54%
Number of privacy complaints received from customers: 36%
Comparison of pre- and post-training assessments: 23%
Other: 6%


Privacy Frameworks, Laws and Regulations

Eighty-two percent of respondents use a framework or law/regulation to manage privacy in their enterprises. For 73 percent of respondents, it is mandatory to address privacy with documented privacy policies, standards and procedures. The top-three frameworks and regulations most commonly used to manage
50 percent
• US National Institute of Standards and Technology
techniques—Code of practice for information security

Unsurprisingly, regional variations exist for the frameworks and regulations used to manage privacy. Seventy-nine percent of European respondents use GDPR. It may be surprising that only 79 percent of respondents in Europe use GDPR, but this may be partially attributable to Brexit. Sixty-one percent of respondents in the United States use the NIST Privacy Framework.

Given the myriad privacy laws and regulations in effect, some enterprises struggle to identify and understand their privacy obligations. Twenty-three percent of

is for technical privacy professionals to meet with legal/compliance privacy professionals on a regular basis, as many technical privacy experts do not have the legal
laws and regulations.

A previous section in this report revealed that privacy budgets appear to be more adequately funded this year than last year, and understaffing seems to be improving. Part of the reason for this may be that enterprises felt the strain on their privacy teams and increased privacy budgets and staff sizes accordingly. This strain may be caused partially by an increase in data-subject requests. Thirty-four percent of respondents say that the number of data-subject requests has somewhat or significantly increased.

Privacy Breaches and Failures

Protecting data and achieving compliance with privacy laws and regulations can be challenging, but 45 percent
their privacy team’s ability to ensure data privacy and achieve compliance with new privacy laws and
understanding of common privacy failures. Figure 15 shows these privacy failures.


Only 11 percent of respondents report that their enterprise experienced a material privacy breach in the past 12 months, which is slightly higher than last year
that their enterprise did not have a privacy breach, 17 percent do not know and nine percent preferred not to answer. Although the percentage of respondents who do not know may seem high, it is possible that they know a security incident occurred but are unsure if personal information was compromised. Dwell time
so many respondents do not know if a privacy breach occurred. Figure 16 shows the number of enterprises experiencing more or fewer breaches than last year.

FIGURE 15:

In your opinion, which of the following are the most common privacy failures in an organization? Select all that apply.

Lack of training or poor training: 49%
Not practicing privacy by design: 42%
Data breach/leakage: 42%
Not performing a risk analysis: 41%
Social engineering: 39%
Bad or nonexistent detection of personal information: 37%
Noncompliance with applicable laws and regulations: 34%
Ethical decision making: 16%
Don’t know: 10%
Other: 2%

FIGURE 16:

Is your organization experiencing an increase or decrease in material privacy breaches as compared to a year ago?

The same number of breaches: 21%
Remaining responses (More breaches, Fewer breaches, Don’t know, Prefer not to answer): 33%, 26%, 16%, 5%


Privacy by Design

Privacy by design is a systems engineering method that “mandates that any system, process or infrastructure that uses personal data consider privacy throughout its development life cycle and identify possible risk to the rights and freedoms of the data subjects and minimize them before they can cause actual damage.”1 Figure 17 shows how often respondent enterprises practice privacy by design. Thirty percent of respondents indicate that their enterprises always practice privacy by design, and 30 percent of respondents say that their enterprises frequently practice privacy by design.

Some interesting trends emerge when comparing the enterprises that always practice privacy by design to the total number of respondent enterprises. Those that
• Are more likely to separate privacy training from
• Have survey respondents who are one-and-a-half times
their organization’s ability to ensure the privacy of its

Given that not practicing privacy by design is viewed as
more enterprises do not always practice it. The reason may be that enterprises that always practice privacy by design are more likely to have resources that enable
size among enterprises that always practice privacy

FIGURE 17: Frequency of Practicing Privacy by Design

How often does your enterprise practice privacy by design?

Always: 30%
Frequently: 30%
Sometimes, Rarely and Never: 26%, 10% and 4%

FIGURE 18: Trends in Enterprises That Always Use Privacy by Design

(Enterprises that always practice privacy by design vs. total respondents)

The median privacy staff size: 19 vs. 10
Feel that their privacy department is adequately staffed: 44% vs. 34%
Feel that their board properly prioritizes privacy: 76% vs. 55%

1 ISACA, “Eight Strategies to Help Organizations Implement Privacy by Design and Default,” 21 October 2021, us/newsroom/press-releases/2021/eight-strategies-to-help-organizations-implement-privacy-by-design-and-default


by design is almost twice as large—19 compared to 10 for total respondents. Forty-four percent of respondent enterprises that always practice privacy by design feel that their privacy department is adequately staffed, compared to 34 percent of total respondents. It also appears that the boards of directors of enterprises that always practice privacy by design better prioritize privacy; 76 percent of these enterprises feel that their board properly prioritizes privacy, compared to just 55 percent of total respondents.

Respondents from enterprises that always practice
ability to ensure data privacy and achieve compliance with new privacy laws and regulations. Seventy-six percent of these respondents feel completely or
percent of total respondents.

Those who always practice privacy by design are less likely to have boards that view privacy programs as
Given that a key tenet of privacy by design is that privacy should be proactive and not reactive, and purely compliance-driven programs are often reactive, it makes sense that enterprises that always practice privacy by design do not operate reactively.

The Future of Privacy

The numerous new privacy laws and regulations—and data subjects’ increased attention to privacy—indicate that privacy is important, and the work of privacy professionals is crucial to an enterprise’s success.

Given the various requirements privacy teams must meet and the growing number of international privacy laws and regulations, it makes sense that the demand for privacy professionals is expected to grow in the next year. Sixty-two percent of respondents say the demand for legal/compliance roles will increase in the next year, and 69 percent say the demand for technical privacy positions will increase.

A primary responsibility of privacy professionals is to respond to privacy breaches. Figure 19 shows the likelihood of experiencing a privacy breach in the next year.

FIGURE 19:

How likely is it that your organization will experience a material privacy breach next year?

Very likely: 4%
Likely: 11%
Neither likely nor unlikely: 22%
Unlikely: 20%
Very unlikely: 10%
Don’t know: 21%
Prefer not to answer: 12%


likelihood of experiencing a privacy breach in the next year. This may indicate that privacy risk is an area that is not very mature or that enterprises are just not prioritizing it.

The challenges in hiring the right people for privacy positions and the consequences of a material privacy breach are leading some enterprises to start or plan to use AI for privacy. Figure 20 shows respondent enterprise use of AI for privacy. More respondents use AI this year than last year, but the same number of respondents say they plan to use AI for privacy in the next 12 months.
surprising that nearly 38 percent of respondents do not plan to use AI. This result may be because of the privacy-related concerns associated with AI.2 The large number of respondents who do not know of plans to use AI for privacy may also be explained by these concerns surfacing when considering AI for privacy-related functions.

FIGURE 20: Plans to Use AI for Privacy-Related Tasks

What are your organization’s plans to use AI (bots or machine learning) to perform any privacy-related tasks?

We currently use AI for this function: 11%
We plan to use AI for this function in the next 12 months: 20%
We have no plans to use AI for this function: 38%
Don’t know: 31%

Conclusion

Data can provide information about an individual’s health, religion, orientation, political beliefs and more. Protecting data subjects’ privacy is critical to building and preserving digital trust, so enterprises must prioritize privacy accordingly. The number of privacy laws and regulations will only increase in the coming years, and making headlines for a privacy violation can damage trust with consumers.

Despite the challenges associated with data privacy,
enterprise budgets have started adjusting for the growing emphasis on privacy. Privacy teams are larger this year than they were last year. Although there is room for improvement, and many enterprises believe they need more resources, enterprises are moving toward better supporting their privacy teams.


Acknowledgments

Board of Directors

Pamela Nigro, Chair
CISA, CGEIT, CRISC, CDPSE, CRMA
Vice President, Security, Medecision, USA

Gregory Touhill
CISM, CISSP
ISACA Board Chair, 2021-2022
Director, CERT Center, Carnegie Mellon University, USA

Former Chairman and Chief Executive

Niel Harper
CISA, CRISC, CDPSE, CISSP

Bancorp, USA

CISA, CISM, CRISC, CISSP
Independent Board Member, Mexico
ISACA Board Chair, 2019-2020

Maureen O’Connell
NACD-DC

Vice President and Chief Information
Oracle Corporation, USA

CISM, NACD-DC
USA
ISACA Board Chair, 2018-2019

Independent Director, Titus, Executive Chair, White Cloud Security, Managing Director, Clyde Consulting LLC, USA

CISA, CDPSE
Senior Information Systems Auditor–Advisory Consulting, KPMG Uganda,
Founder, Encrypt Africa, Kenya

Former President and Chief Executive

CISA, CISM, CGEIT, CRISC, CDPSE, CISSP-ISSMP
Senior Vice President and Chief Security

CISA, CISM, CGEIT, CRISC, CDPSE, CSX-P
Israel



ISACA®

organizations in their pursuit of digital trust. For more than 50 years, ISACA has equipped individuals and enterprises with the knowledge, credentials, education, training and community to progress their careers, transform their organizations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organization that leverages the
such as information security, governance, assurance, risk, privacy and quality. It has a presence in 188 countries, including 225 chapters worldwide. Through its foundation One In Tech, ISACA supports IT education and career pathways for underresourced and underrepresented populations.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
www.isaca.org
Twitter: www.twitter.com/ISACANews
www.linkedin.com/company/isaca
www.facebook.com/ISACAGlobal
www.instagram.com/isacanews/

ISACA has designed and created Privacy in Practice 2023
primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

© 2023 ISACA. All rights reserved.

Privacy in Practice 2023