
2024 - IAPP - Governance - Report - 2024

The Privacy Governance Report 2024 highlights the increasing complexity and responsibilities faced by privacy professionals due to evolving laws, regulatory environments, and technological advancements. A significant majority of privacy teams are now tasked with additional roles, particularly in AI governance and data ethics, reflecting a shift towards broader organizational compliance activities. The report emphasizes the importance of sustained investment in privacy governance to ensure organizations remain compliant and maintain consumer trust amidst these challenges.

Uploaded by

Emma Day

Privacy Governance Report 2024

Table of contents

What's inside?

Foreword
Executive summary
Part I. Increasing complexity
    Growing complexity in law, policy and the regulatory environment
    More consequential regulatory actions
    Growing use of more complex technology
    Increased workload due to privacy requests
    Need to address ongoing and new challenges
    Managing and responding to data breaches
    Additional responsibilities for the privacy team
Part II. Compliance confidence
Part III. Addressing complexity
    Budgeting
    Resourcing and senior leadership
    Activities of the privacy function
    Training
    Risk
Looking ahead
Our research approach
Contacts

Foreword

The hallmarks of privacy professionalism inspire and instill confidence.

In the poignant and romantic poem "Scaffolding" by the late Nobel laureate Seamus Heaney, it is the astute, diligent and preparatory work of masons in securing scaffolding that enables "walls of sure and solid stone" to be built. It is the professionalism of masonry that inspires confidence. Confidence that the walls built within the frame of secure and tested scaffolding can not only withstand the buffeting of pressure, the creaks and the cracks that come with time and change but also that those walls can grow.

For decades, the profession of privacy has sought to scaffold the sure and solid walls of today's data-driven technologies, economies and societies. History has shown early investment in a professionalized workforce pays dividends later. Against a global backdrop of fiscal pressure and geopolitical instability, the advent and proliferation of new data-driven technologies, increasing privacy regulation, consequential privacy enforcement and litigation have all underscored the importance of effective and professional privacy governance as an enabler and a point of differentiation.


Despite these challenges, the profession has continued to demonstrate an extraordinary capacity for adaptation and resilience, ensuring organizations not only remain compliant with stringent regulations but also uphold the trust and best interests of their customers. In fact, nine out of 10 respondents to this year's survey reported being at least somewhat confident with their organizations' privacy governance program. For them, the privacy governance "wall" has been built.

The IAPP Privacy Governance Report 2024 charts how the efficacy of, and corresponding confidence in, an organization's approach to privacy governance stems from the investment in the hallmarks of privacy as a professional discipline. Those hallmarks — the people, techniques and tools — have scaled, matured and evolved in ways that are resilient and responsive to change. They place the privacy profession and privacy governance in a prominent position to take on broader and heightening responsibilities, spanning artificial intelligence governance, cybersecurity and content moderation to name a few.

The storied history of the privacy profession can inform our expectations about the future growth of digital governance and its professionalization within organizations. While data privacy as a practice began in the 1970s and 1980s in the legal and policy realm, the technological advancements of recent decades necessitated a truly cross-disciplinary approach with training in law and policy, technology, business management, and design. The resulting professionalization of the field has generated an accepted body of knowledge, training programs and credentials, as well as a vibrant and convivial global community of practitioners and leaders.


A recurring theme in this year's report is how sustained investment and elevated prominence for privacy governance and the professionals commanding its work results in more robust and more confident practices. Within organizations, privacy champions, practitioners and leaders drive privacy decision-making and awareness across business lines and teams. Strong visionaries and leaders have set the tone for privacy within organizations advocating for data protection as not just a legal obligation, but a core component that should be incorporated into the foundations of business strategy.

What's more, this investment and prominence in privacy governance is being paid forward and leveraged in newer and emerging frontiers spanning the gamut of digital governance. It's professionalization — and the people, processes and practices that comprise the profession — that increasingly serves as the scaffolding for the emerging structures of digital governance that need "sure and solid" building. We will be more confident because of it.

Joe Jones
Director of Research and Insights, IAPP

Executive summary

Over 80% of privacy professionals have been tasked with an additional responsibility alongside their existing privacy day jobs.

Privacy compliance and how organizations aspire to achieve a better compliance posture remain an ongoing focus for most organizations. Almost all organizations process personal data in some form or another to deliver their business objectives, from small organizations solely processing personal data of a few employees to large multinational organizations processing vast quantities of sensitive personal data every minute to deliver tailored services to consumers.

[Figure: Has your privacy function acquired additional responsibility*? Yes, 80%; No, 20%.]

* Domains that make up additional responsibility: AI governance, consumer protection, human rights, content moderation and online safety, platform liability, data governance/data use/data as an asset, data ethics, competition/antitrust, cybersecurity as a regulatory compliance matter, product liability, intellectual property, and digital architecture and infrastructure.


Developments in recent years have only highlighted the importance of the privacy profession due to the need for better compliance practices to protect individual rights when personal data is being processed effectively and for appropriate responses in the aftermath of various data breaches or ongoing technological developments. Privacy pros increasingly play an important role in enabling their respective organizations to deliver on core business objectives and remain competitive going forward.

However, privacy pros are no longer solely focused on a narrow remit. Increasingly, organizations are looking at these professionals to address the complex environment both internally and externally. As a result, privacy pros are increasingly tasked with additional responsibilities. This year's survey found the vast majority have been asked to take on further responsibilities on top of their day-to-day jobs. Existing C-suite leaders of specific domains are seeing their personal obligations expanded and elevated. For example, among surveyed chief privacy officers, 69% have acquired additional responsibility for AI governance, 69% for data governance and ethics, 37% for cybersecurity regulatory compliance, and 20% for platform liability.

[Figure: The expanding remit for CPOs. AI governance, 69%; data governance and data ethics, 69%; cybersecurity regulatory compliance, 37%; platform liability, 20%.]

This trend continues at the team level, with more than 80% of privacy teams gaining responsibilities beyond privacy. At 55%, more than one in two privacy pros work in functions with AI governance responsibilities, at 58%, more than one in two have picked up data governance and data ethics, at 32%, almost one in three cover cybersecurity regulatory compliance, and, at 19%, nearly one in five have platform liability responsibilities.


Privacy pros globally and across organizations of various sizes and industries have more on their plates. This is driven by several factors that introduce increasing complexities in the broader environment. Factors include growing complexity in law, policy and the regulatory environment; more consequential enforcement; growing use of more complex technologies; increased workload due to privacy requests; the need to address ongoing and new challenges; managing and responding to data breaches; and increasingly, boards looking for privacy pros to help deliver broader organizational compliance activities.

Organizations have responded to this growing complexity with increased privacy budgets and more senior privacy leaders in charge of growing privacy teams. Additionally, they prioritize limited resources on the right strategic compliance priorities, focusing on privacy training, establishing mature privacy risk management approaches and utilizing technology to enable and support compliance when possible. The remainder of this report seeks to explore these complexities, the impact on compliance and resulting organizational responses in greater detail.

Saz Kanthasamy
Principal Researcher, Privacy Management, IAPP

Cheryl Saniuk-Heinig
Research and Insights Analyst, IAPP

Luke Fischer
Former Westin Fellow, IAPP

Part I. Increasing complexity

A growing list of interconnected challenges continues to be heaped onto the plates of privacy pros.

Growing complexity in law, policy and the regulatory environment

The existing legal environment in the privacy domain is complex, with a patchwork of global, national and sometimes local laws that impact data collection and processing. The growing number of privacy laws and regulations around the globe have resulted in ever-increasing compliance obligations and challenges for organizations.

This landscape is only growing more complex. Numerous jurisdictions have actively introduced, passed or amended privacy laws this year. The EU AI Act went into effect, marking the continent's first AI regulation. The state law privacy landscape in the U.S. has skyrocketed recently, with seven comprehensive state privacy bills signed in 2023 and seven more signed in 2024.

The growth of US state privacy legislation

Year  Total number of states with privacy bills
2018  1
2019  1 (—)
2020  1 (—)
2021  3 (+2)
2022  5 (+2)
2023  12 (+7)
2024  19 (+7)


The U.S. also saw the most movement on comprehensive privacy legislation at the federal level in years with the American Privacy Rights Act, though it stalled in the House of Representatives. With new legislation and regulations, professionals must remain mindful of localization norms across jurisdictions, from India's blacklist approach to cross-border data transfers to Kenya's security exemptions allowing access to personal data from any device. Each of these legislative developments adds to the intricacy of the privacy landscape that organizations are continuously adapting to. With 70% of nations and 79% of the world's population now covered by some form of national data privacy law, the burden on privacy teams continues to grow.

Beyond the sheer number of privacy laws enacted this year, the increasing connectedness of privacy laws with nonprivacy laws furthers the challenges organizations face with compliance. For instance, an overlap between competition and privacy laws in the EU impacts online advertising technology, exacerbating compliance challenges for organizations in the adtech space. In response to the interconnectedness of laws like these, groups like the U.K. Digital Regulation Cooperation Forum are working to coordinate their regulatory disciplines and authorities in charting a straightforward approach for applying digital legislation and to provide organizations with more consistency.

Furthermore, the evolving policy and regulatory environment is impacting organizations. Companies facing or at risk of regulatory action must grapple with operational decisions such as dedicating resources to implement more robust data governance frameworks, creating or leveraging advanced technologies internally, and ensuring organizational resilience in the rapidly changing landscape. Though not entirely unexpected, evolving policies force organizations to pivot their practices.

Finally, consumers' expectations for privacy continue to grow. Now more than ever, consumers are aware of their rights, and privacy issues are at the forefront of their minds. They understand the implications of AI models processing personal data, are aware of privacy risks and data breaches, and are increasingly aware of the consequences of getting privacy wrong.

Against all this, and in large part due to the professionalization of privacy, most survey respondents are confident in their ability to stay informed about new privacy laws and policy initiatives, with 43% overall reporting they are totally confident. However, one in five reported the difficulty in keeping up with continually evolving privacy laws creates challenges in delivering privacy compliance. Organizations are developing ways to iterate, scale and further professionalize their privacy governance programs and processes in the face of new, scaling and compounding challenges.


More consequential regulatory actions

Once confined to discussions within the inner circles of privacy pros, analysis of the scrutiny and enforcement actions of privacy regulators now dominates even mainstream news cycles due to the consequential and downstream nature of the actions' impacts. Recent examples include the European Data Protection Board's opinion on the pay-or-consent model, the EU AI Act officially entering into force, as well as global regulatory scrutiny and lawmaking on issues related to children's privacy and online safety.

This heightened regulatory activity impacts not just the privacy practices of organizations but, more broadly and significantly, the foundations and models of how businesses operate. Organizations that are directly subject to regulatory action may have no choice but to change their privacy compliance practices. But what of organizations that are not directly subject to regulatory action? Data from this year's survey shows one in five respondents changed their privacy approach because of enforcement or litigation actions against other organizations.

Respondents working at organizations with privacy budgets of more than USD2 million were most likely to have changed their privacy approaches, split almost equally between changing as a direct response to an action and as an indirect response. This suggests the scale of the privacy program may be a factor in whether an organization is able to conduct the activities necessary to respond to broader regulatory changes. For organizations that have changed their approaches, this may include enhancing horizon-scanning activities, engaging external and/or internal legal counsel to assess legal requirements, understanding the impact of changes, and taking a risk-based approach to implementing required changes.

Almost half of respondents working in organizations with privacy budgets totaling USD250,000 or more have changed their privacy approaches in the last year.

Organizations that fail to react to consequential market-impacting privacy regulatory requirements may find themselves noncompliant when compared with competitor organizations. Privacy pros are, therefore, contending with more complexity introduced by the need to maintain a macro view of actions by regulators.


Growing use of more complex technology

The rapid proliferation of technology further adds to the complex and varied workload faced by privacy pros. The dizzying list of developments spans from AI technologies to increased automation, augmented and virtual reality, personalized medical services, and neurotechnology or quantum computing, to name a few. Often, collecting and processing personal data is at the heart of these technologies, and privacy pros need to balance their organizations' strategic desire to gather more valuable insights from data with privacy and broader digital governance requirements.

Many organizations have responded to the utilization of AI by deploying AI governance functions tasked with managing this risk. Notably, 77% of this year's survey respondents identified their organizations are currently working on AI governance. Looking ahead, it is unlikely organizations will respond to each new development by forming a stand-alone governance function, such as quantum computing or neurotechnology governance. Instead they may seek to evolve existing structures into a streamlined digital governance approach. This is further outlined in the Organizational Digital Governance Report 2024.


Increased workload due to privacy requests

Privacy functions are meeting the moment and responding in commensurate terms to the trends and developments shaping their new and increased workloads. Privacy functions face many varied priorities, from responding to data subject right requests from increasingly privacy-conscious and statutorily empowered individuals to providing subject matter expertise on privacy impact assessments. This year, we sought to understand the number of these requests fielded by organizations.

On average, organizations are processing nearly 5,000 privacy compliance-related requests, which this report calls "metrics," per year. Respondents working for organizations headquartered in Europe reported around 4,500 metrics, while North American organizations averaged around 5,400.

This report refers to privacy function responsibilities, such as impact assessments, requests and processing, as "metrics" to capture the activities completed by privacy teams that may vary drastically across jurisdiction and industry.

Average number of privacy metrics processed and completed per organization in 2023 by headquartered region

Metric                                Overall   North America   Europe
Privacy impact assessments                393             250      707
Data protection impact assessments        153              81      357
Data subject right requests             2,972           3,519    2,138
Transfer impact assessments               174              78      498
Vendor-related privacy reviews            638             819      364
Privacy complaints                        108             115      124
Data processing agreements                498             529      406
Total                                   4,935           5,391    4,594


What is the impact of this? A rudimentary but likely common set of assumptions applies, including:

→ The average full-time employee works a 40-hour week with five weeks of annual leave, 10 days of public holiday and three days of sick leave.
→ Between one and two full-time employees would need to work full time on privacy requests when each request takes 30 minutes to completely process.
→ Seven full-time employees would need to work full time on privacy requests when each request takes 2.5 hours to completely process.

Proportion of privacy metrics completed on average in 2023

60%  Data subject right requests
13%  Vendor-related privacy reviews
10%  Data processing agreements
 8%  PIAs
 4%  Transfer impact assessments
 3%  DPIAs
 2%  Privacy complaints

Organizations in the consumer goods and services sector processed and completed an average of 15,000 privacy requests per year, compared to the government and manufacturing sectors' average between 500 and 700 per year. Respondents working in retail organizations with closer relationships with end consumers reported responding to the highest number of privacy complaints, which was 143 times higher than the lowest reported number in the primarily business-to-business manufacturing industry.


Number of privacy metrics processed and completed by organization in 2023

                                                     Data subject  Transfer impact   Vendor-related     Privacy  Data processing
BY INDUSTRY                           PIAs  DPIAs  right requests      assessments  privacy reviews  complaints       agreements   Total
Banking and insurance                1,086    459           1,568               71            2,170         159              235   5,749
Technology and telecommunications      603    147           6,285              111              320         131              917   8,513
Education and nonprofit                 51     49             966               18               87          33               89   1,293
Business services                      396    362             542            2,297              333          53            1,550   5,531
Consumer goods, services and retail    239     94          12,870              100            1,628         286              387  15,604
Government                             131     83             229               25               46          46              138     697
Life sciences and health care          112     38           1,861               45              270         165              344   2,836
Legal                                  417     61              41               12              233          32              621   1,417
Manufacturing                           84     43              46                9              255           2               97     536
Other                                  191     59           2,531               70              246          52              565   3,715

                                                     Data subject  Transfer impact   Vendor-related     Privacy  Data processing
BY NUMBER OF EMPLOYEES                PIAs  DPIAs  right requests      assessments  privacy reviews  complaints       agreements   Total
Under 100                                7      5             132                4               34           3               30     216
100-999                                 14     11             760                7               62           4              329   1,188
1,000-4,999                            127     41           2,091               20              213          65              447   3,004
5,000-24,999                           224     90           2,781               84              276          61              403   3,919
25,000-79,999                          557    210           6,772              139              989         325            1,065  10,056
More than 80,000                     2,275    892           8,176            1,234            3,685         378              953  17,593


Need to address ongoing and new challenges

Whether respondents reported having additional responsibilities or not, fundamentally, the entire industry still faces the challenge of delivering similar privacy compliance requirements to their organization.

Of respondents, 99% reported facing challenges delivering privacy compliance. Respondents who reported any challenge delivering privacy compliance, including "other," were most likely to also report either budget constraints or that lack of understanding of privacy compliance challenges within the organization was a challenge.

Of respondents, 55% reported experiencing five or more challenges delivering compliance, with 15% of all respondents reporting they experienced 10 or more challenges. Yet nearly one in 10 respondents identified zero or only one challenge in delivering privacy compliance for their organizations. Nevertheless, these challenges are neither stagnant nor permanent. Organizations facing no challenges today could face new ones tomorrow. Evolving threats will continue to emerge and impact organizations, and privacy pros must continue to innovate to confront these challenges to ensure ongoing compliance.

Challenges of delivering on privacy compliance

56%  Budget constraints
50%  Lack of understanding within the organization of privacy compliance obligations
48%  Competing priorities reducing focus on privacy compliance activities
45%  Not enough privacy resources relative to the privacy compliance activities required to be completed
44%  Privacy by design is not effectively implemented within the organization
37%  Lack of understanding of personal data processing activities across the organization
31%  Lack of privacy function representation in senior levels of the organization
30%  Lack of structured communication methods across the organization
27%  Ineffective integration of privacy risk management within broader risk management activities within the organization
26%  Privacy team is siloed and is therefore not integrated with other teams
26%  Shortage of qualified privacy pros
24%  Organizational privacy expectations are not clearly defined/followed up on
22%  Absence of or ineffective operation of privacy compliance technology
21%  Desire for AI use deprioritizing data minimization within organization
20%  Unable to keep up with continually evolving privacy laws, guidance and requirements
18%  Lack of board support for privacy compliance
18%  Privacy goals are not aligned with organizational goals
10%  Absence of professional training/certification
 1%  None
 3%  Other


Compliance requires tools, budget, time and innovation. In addition to striving for compliance, organizations have reporting lines for compliance to inform those at the top of its status, challenges and needs.

Despite being tasked with several new responsibilities, privacy pros continue to report recurring challenges with compliance reporting. This year, one in two respondents identified the absence of tangible metrics and/or a link between metrics and business margins that support internal reporting as a key challenge in reporting on privacy compliance. This number is similar to the one in the 2023 report, identifying this as a trending challenge, regardless of organization size.

Respondents who continue to face challenges in reporting compliance may find it more difficult to report on progress, triage compliance issues and ultimately improve compliance efforts, including securing budget increases if required.

Key challenges of reporting on privacy compliance

2024  2023  Challenge
 27%   37%  Lack of board-level understanding of privacy
 50%   57%  Absence of tangible metrics and/or link to business margins to support reporting
 28%   34%  Absence of a clear mandate for privacy within the organization
 28%   43%  Ineffective integration of privacy with other complementary topics
 32%   36%  Scope and objective of reporting not defined appropriately
 36%   53%  Lack of maturity of privacy by design within the organization hindering reporting to board
 33%   13%  Privacy risk management is yet to be fully established within the organization


Managing and responding to data breaches

Most organizations will experience data breaches, but standardized response plans help privacy pros remain confident in compliance.

Breaches in security are considered an occupational hazard in the face of modern data processing activities. The need to respond to the impact of a breach requires privacy pros to be on top of their game, as it will also impact work in progress and potentially divert resources from existing projects. Half of this year's respondents identified their organizations experienced a breach within the last year. Of those respondents, 55% stated the breach warranted reporting to a regulator, while 38% identified it was reported to both a regulator and to affected data subjects.

When considering confidence in compliance, the trend is clear. Respondents who were less confident in their organizations' compliance with privacy laws and policies were more likely to work at organizations that had experienced a data breach. Of those not at all confident in compliance, 76% of respondents worked for organizations that had experienced a data breach. Over half of these respondents' organizations had experienced a higher severity breach and notified data subjects and/or a regulator. On the other hand, seven in 10 respondents who were more confident in their organizations' privacy compliance were more likely to work for organizations that either did not experience a breach or experienced a breach that did not result in risks to the rights and freedoms of individuals.

Proportion of respondents who identified their organizations experienced a data breach in the last year and the subsequent action taken

No, 42%
Yes, 58%
    45%  Yes, but breach did not result in a risk to the rights and freedoms of individuals
    17%  Yes, and breach was notified to a regulator
    38%  Yes, and breach was notified to a regulator and data subjects


Respondents working at organizations that experienced breaches were more likely to identify their organizations faced a variety of privacy compliance challenges.

Top privacy challenges for organizations that experienced breach

→ Privacy goals are not aligned with organizational goals
→ The privacy team is siloed and is therefore not integrated with other teams
→ The board lacks support for privacy compliance
→ Privacy risk management is not effectively integrated within the organization's broader risk management activities
→ Organizational privacy expectations are not clearly defined/followed up on
→ The desire for AI use deprioritizes data minimization within the organization
→ Privacy compliance technology is absent or ineffectively operated

Standardized data breach response plans can aid organizations in the aftermath of a breach. These plans are a predefined set of protocols and procedures the organization can immediately follow to identify, contain, mitigate and recover from a breach. At 86%, the majority of respondents work at organizations with standardized response plans for data breaches.

Privacy pros who work at organizations with standardized response plans are more confident in privacy compliance than those who do not. Respondents who have confidence in their organizations are less likely to report privacy compliance challenges, such as a lack of structured communication methods, absence of privacy function representation at senior levels, siloed privacy teams, ineffectually implemented privacy by design, absence of effective privacy compliance technology operation, and reduced understanding of personal data processing activities across the organization.


Additional responsibilities for the privacy team


The growing complexity of law, policy and regulatory environments reflects the interconnectedness of privacy laws with nonprivacy laws. This year's survey identified over 80% of respondents have been tasked with an additional responsibility alongside their existing privacy job. Therefore, most privacy functions surveyed are evolving to help their organizations manage additional risks.

It is clear the job of the average privacy pro is changing. AI governance is likely to form a top priority for those who have acquired additional responsibilities. Of those with new responsibilities, 68% of respondents have acquired additional responsibilities for AI governance. Alongside this, data governance, cybersecurity as a regulatory compliance matter and data ethics are common additions to the workload of privacy pros. Two in five have been tasked with the complementary topics of AI governance and data governance on top of existing busy workloads.

These responsibilities do not exist in a vacuum. Approximately 60% of respondents with new AI governance responsibilities also have new responsibilities in data governance, data use or data as an asset. One in five of those with new responsibilities have added AI governance, data governance and data ethics to their existing privacy portfolios.

Without sufficient skills or resources, this added workload could lead to burnout, missed targets and a steep learning curve for professionals to master. It may impact work quality. With sufficient support and staffing, however, organizations could benefit from potential efficiency gains, innovation, and economic and competitive impacts — if the employee can be retained.

Domains of respondents who acquired additional responsibilities
AI governance: 68%
Data governance/data use/data as an asset: 60%
Cybersecurity as a regulatory compliance matter: 40%
Data ethics: 37%
Consumer protection: 24%
Platform liability*: 23%
Intellectual property**: 15%
Digital architecture and infrastructure: 11%
Human rights: 10%
Content moderation and online safety: 9%
Product liability: 6%
Competition/antitrust: 5%
Other: 4%
* Platforms include websites, internal platforms and other digital applications.
** This is limited to digital and regulatory compliance.

Part II. Compliance confidence

Despite growing complexities, privacy pros are tentatively confident in compliance with privacy requirements.

There is no metric to measure compliance perfectly, nor does it operate in isolation. However, one possible proxy measure is the extent to which privacy pros are confident in their organizations' privacy compliance.

In 2024, two in 10 respondents were totally confident in their organizations' ability to comply with privacy regulatory requirements, and one in 10 were not at all confident.

Confidence in organizations' compliance with privacy laws and policies across jurisdictions
2024: Not at all confident 9%; Somewhat confident 70%; Totally confident 21%
2023: Not at all confident 10%; Somewhat confident 72%; Totally confident 18%


Those respondents were more likely to identify the following compliance challenges:

→ Lack of understanding of privacy compliance obligations within the organization.
→ Lack of understanding of personal data processing activities across the organization.
→ Lack of privacy function representation at senior levels of the organization.
→ Privacy by design not being effectively implemented within the organization.
→ Budget constraints.
→ Lack of board support for privacy compliance.
→ Not enough privacy resources relative to the required privacy compliance activities.
→ Competing priorities reducing the focus on privacy compliance activities.
→ Lack of structured communication methods across the organization.
→ Privacy goals not being aligned with organizational goals.
→ Organizational privacy expectations not clearly being defined or followed up on.
→ Ineffective integration of privacy risk management within broader risk management activities within the organization.
→ Shortage of qualified privacy pros.

Respondents who reported their teams have sufficient resources to complete their objectives were more likely to be totally confident in their organizations' compliance with privacy laws and policies across jurisdictions. Of those who were not confident in compliance, the majority, at 75%, also agreed a lack of the right privacy resources limits the organization's ability to deliver its objectives.

Two out of three respondents who were not confident in their organizations' ability to stay informed about new privacy laws and policy initiatives were also not confident in their organizations' compliance with privacy laws. Effectively scanning the horizon, analyzing new requirements and translating this into prioritized actions remains an essential part of continued compliance.


In a similar trend, privacy pros who were not confident in their organizations' compliance were more likely to identify challenges in reporting on privacy compliance. Respondents who were not confident identified their organizations:

→ Lack a clear mandate for privacy within the organization, at approximately 75%.
→ Have not yet fully established privacy risk management, at approximately 72%. In the absence of privacy risk management, organizations are more likely to find it challenging to report on whether privacy compliance controls have been designed appropriately and are working effectively.
→ Lack a board-level understanding of privacy, at 64%.
→ Lack a mature implementation of privacy by design within their organization that hinders reporting to the board, at 64%.
→ Face challenges integrating privacy with other topics and lack tangible metrics or a link to business margins that support reporting, at around 50%.

Almost nine in 10 of those who said they were not confident in their organizations' compliance were also likely to say their organizations have insufficient budgets. These results suggest privacy pros who are not confident in their organizations' compliance could face an uphill battle in improving compliance and thus in improving their confidence, considering all current compliance, reporting and budgetary challenges.

In 2024, 91% of respondents reported they were at least somewhat confident in their organizations' ability to comply with privacy regulatory requirements, with 21% reporting total confidence. Respondents who reported at least some confidence in compliance on average reported fewer challenges delivering on compliance and more confidence in their organizations' ability to stay informed about new privacy laws or policy initiatives. They were less likely to report a lack or limited availability of skills or resources restricted their ability to deliver on their objectives.

Part III. Addressing complexity

While the 2024 median privacy budget of USD375,000 remained identical for the third year in a row, the average privacy budget rose to USD1.75 million this year.

Budgeting

This year saw moderate economic growth with inflation and interest rates gradually retreating and recruitment increasing after years of hiring freezes. This year's relative increase in the mean privacy budget may reflect healthier macroeconomic conditions as well as new, emerging and acquired additional privacy-adjacent and broader digital governance responsibilities. Both mean and median budget figures are included in this report to illustrate how the economic factors of 2024 impacted organizations differently.

Median and mean overall privacy budgets from 2022-2024 (2024 / 2023 / 2022)
Median: $375.0 / $375.0 / $375.0
Mean: $1,751.9 / $1,598.7 / $1,800.5
All figures in thousands of U.S. dollars.


What does the privacy budget look like?

The average privacy budget for 2024 is USD1.752 million, up from USD1.599 million in 2023. The median privacy budget for 2024 remains unchanged from 2022 and 2023. Viewed together, the privacy budgets for organizations may represent a moderate uptick in economic conditions over the past year as well as the growing obligations the privacy role continues to acquire.

The trend unsurprisingly shows budget steadily increases based on organization size, either by revenue or by number of total employees. The average privacy budget for organizations that reported annual revenues of USD101-999 million is USD485,593, while the average for organizations with annual revenues of USD9-19.9 billion is USD2,447,015.

Median budget by total number of employees within an organization from 2022-2024 (2024 / 2023 / 2022)
Under 100: $50.0 / $50.0 / $50.0
100-999: $175.0 / $175.0 / $125.0
1,000-4,999: $375.0 / $375.0 / $375.0
5,000-24,999: $750.0 / $750.0 / $375.0
25,000-79,999: $1,250.0 / $1,250.0 / $1,750.0
More than 80,000: $2,250.0 / $1,750.0 / $2,250.0
All figures in thousands of U.S. dollars.

Mean budget by total number of employees within an organization from 2022-2024 (2024 / 2023 / 2022)
Under 100: $177.0 / $149.0 / $241.0
100-999: $622.0 / $495.0 / $265.0
1,000-4,999: $1,082.0 / $696.0 / $662.0
5,000-24,999: $1,398.0 / $1,197.0 / $1,428.0
25,000-79,999: $2,314.0 / $3,321.0 / $2,797.0
More than 80,000: $7,062.0 / $5,216.0 / $8,039.0
All figures in thousands of U.S. dollars.


Additionally, of organizations that indicated annual revenues of USD1-8.9 billion, 55% are above the median global privacy budget, significantly higher than the rest of the sample. This trend increases with organization revenue: 67% of organizations with a revenue of USD9-19.9 billion, 77% of those with revenue of USD20-59.9 billion and 90% of those with revenue of USD60 billion or more are above the median privacy budget. These results demonstrate that organizations with greater revenue have more resources to allocate to privacy duties, and organizations with more employees, and likely more privacy employees, have higher budgets to fulfill their privacy obligations.

Budget comparison by continent shows North America leads with a significantly higher median budget than other regions. The median budget of USD562,500 in North America is more than double Europe's USD225,000 and more than three times greater than Asia's USD175,000.

Despite some large Asian organizations reporting high allocations of resources for privacy, organizations in North America generally maintain higher median budgets. More robust U.S. budgets could be explained by healthier market conditions and the complexity of navigating the U.S. state privacy landscape, which has seen a proliferation of comprehensive state privacy laws passed and enacted in the last few years. Additionally, the stakes are high for noncompliance in the U.S. and Europe regarding enforcement actions against organizations that violate privacy laws.

Median and mean budgets by sector in 2024 (median / mean)
Banking and insurance: $750.0 / $2,201.0
Technology and telecommunications: $375.0 / $2,225.0
Education and nonprofit: $225.0 / $541.0
Business services: $175.0 / $1,189.0
Consumer goods, services and retail: $750.0 / $3,685.0
Government: $225.0 / $598.0
Life sciences and health care: $375.0 / $1,734.0
Legal: $50.0 / $1,168.0
Manufacturing: $275.0 / $651.0
Other: $375.0 / $1,661.0
All figures in thousands of U.S. dollars.


Is it enough?
Lastly, respondents described how satisfactory their organizations' budgets are with respect to privacy obligations. Notably, only four in 10 respondents who said their organizations' budget was less than sufficient had above-median privacy budgets. Meanwhile, more than half of those who said their budget was at least sufficient had above-median privacy budgets.

Of the respondents who described not being at all confident in their organizations' compliance with privacy laws and policies, 87% also noted their privacy budgets were less than sufficient. Of respondents who stated their budgets were at least sufficient to meet their privacy obligations, the vast majority, at 98%, were confident in their organizations' ability to remain compliant with privacy laws and policies.

Furthermore, privacy pros who said they believe their organizations' budgets are insufficient may face more challenges when delivering on privacy compliance. These shortfalls demonstrate that privacy governance and the development of proactive, holistic privacy programs are stunted when too few resources are allocated to the domain. In turn, such organizations may be incapable of meeting the required compliance demands.

With organizations beginning to loosen budgetary constraints, privacy pros should take this time to think strategically about advocating for budgets that will support the work needed to meet the profession's growing obligations.

Sufficiency of privacy budget with respect to privacy obligations (chart segments: at least sufficient, somewhat less than sufficient, much less than sufficient; shares shown: 26%, 31%, 43%)


Resourcing and senior leadership

Having senior privacy leaders in charge of growing privacy teams may lead to greater confidence in compliance.

Composition of privacy teams

The parameters of the privacy profession continue to change, as do the resources needed for privacy teams to be successful. A privacy team's makeup is as diverse as the tasks they are responsible for. This year's survey sought to understand the varied roles, internal and external, that make up respondents' privacy teams. Internally, approximately half of respondents work on teams with an accountable privacy officer, privacy lawyer, cybersecurity professional, data protection officer, privacy manager and privacy analyst. The organizational chart helps readers visualize the average privacy team and how its makeup changes with organizational demographic factors. This average changes depending on jurisdiction, company size, revenue and sector.

Approximately 70% of respondents in European organizations have at least one DPO, with an average of three to four full-time DPOs each. In comparison, only 40% of organizations headquartered in North America have a DPO, with an average of less than one full-time DPO per organization. Privacy teams at organizations with privacy budgets between USD0 and USD499,000 on average are similar in size, with teams tending to double once the budget is over USD500,000. This suggests, regardless of budget, a baseline privacy team is required to deliver on privacy compliance activities.

The average privacy team (organizational chart with potential reporting line): one accountable privacy officer, six cybersecurity professionals, two privacy lawyers, one DPO, one privacy manager, three privacy analysts.


Average number of internal and external team members (internal / external)

On average, organizations headquartered in North America and Asia have larger privacy teams than any other continent, though Asia has both the highest average for number of internal and external privacy employees.
North America: 28.8 / 1.2
Europe: 26.2 / 2.8
Asia: 31.2 / 5.5
Other: 12.2 / 1.3

Average team size tends to grow proportionately with revenue.
More than $60 billion: 150.3 / 6.5
$20-59.9 billion: 33.0 / 1.5
$9-19.9 billion: 34.8 / 3.8
$1-8.9 billion: 21.3 / 0.8
$101-999 million: 15.1 / 1.6
Under $100 million: 7.5 / 1.2
All categories in U.S. dollars.

Technology and telecommunications organizations, followed by life sciences and health care organizations, have the largest privacy teams on average.
Technology and telecommunications: 45.1 / 3.9
Life sciences and health care: 39.3 / 2.4
Government: 29.7 / 1.3
Banking and insurance: 27.6 / 0.5
Business services: 19.7 / 0.8
Legal: 18.1 / 2.0
Consumer goods, services and retail: 15.4 / 1.2
Manufacturing: 11.1 / 0.8
Education and nonprofit: 8.3 / 1.0
Other: 20.2 / 1.8

Average team size tends to increase with a growing privacy budget.
More than $2 million: 84.2 / 3.9
$1-1.9 million: 31.9 / 0.9
$500,000-999,999: 24.8 / 3.7
$250,000-499,999: 10.8 / 0.6
$100,000-249,999: 9.6 / 1.6
Under $100,000: 8.9 / 0.9
All categories in U.S. dollars.

Privacy teams with budgets over USD2 million are almost nine times larger on average than those with budgets less than USD100,000.


Having privacy leaders at the top drives confidence.

Clear and effective communication with those in executive positions allows the decision-making process to become more streamlined, optimizes the flow of information, and facilitates timely and informed executive actions. This year's report again looked at the reporting line of the most senior privacy pros in their organizations.

Nearly one in four privacy pros are part of organizations in which the most senior privacy or data protection employee is a C-suite executive or an executive vice president. Of respondents, 84% work at companies in which the most senior privacy or data protection employee is a director or above, a slight increase from 77% in 2023. However, when the most senior privacy employee is four rungs below the board, such as a director, respondents were more likely to report they were not at all confident in their organizations' compliance with privacy laws compared to professionals at organizations with privacy employees in the C-suite or as an executive vice president.

When the most senior privacy employee is not located in the C-suite, organizations take mixed approaches to who is accountable for privacy. More than a third of respondents reported their most senior privacy employee reports to the general counsel or head of legal. This is followed by one in 10 respondents who said their organizations' head privacy employee reports to the chief compliance officer. The remaining third said their organizations' most senior privacy employee reports to one of several roles: chief operating officer, chief information officer or chief risk officer.

Approximately one in two respondents in the technology and telecommunications, business services, legal, or consumer goods, services and retail industries work at organizations where the most senior privacy employee reported to the chief legal officer or head of legal. Survey results show reporting lines are also impacted by company size. Head privacy employees at companies with 1,000 employees or more are most likely to report to general counsel or head of legal, compared to companies with 100 employees or less. At those companies with 100 employees or less, a third of respondents said the head privacy employee reports directly to the CEO. This trend tracks not only for the number of employees but for gross annual revenue as well.

Of respondents who reported they could deliver their objectives despite a lack of or limited availability of the right skills or resources, 58% have an accountable privacy executive, such as a board member, on their team. Of respondents who identified their companies' budgets were at least sufficient to deliver on their privacy compliance obligations, around 60% had an accountable privacy executive on their team. This highlights the importance of having a senior or executive privacy leader, as they may be able to advocate for and secure additional resources via recruitment.

Position of most senior privacy or data professional in organization
Board member (C-suite): 12%
Board member -1 (executive vice president): 12%
Board member -2 (senior vice president): 17%
Board member -3 (vice president): 19%
Board member -4 (director): 24%
Board member -5 (senior manager): 10%
Board member -6 (manager): 6%
Board member -7 (assistant manager): 0%
Board member -8 (analyst): 1%


Privacy teams see less change


Overall, based on this survey, privacy teams have grown by 5.7% in the last twelve months. However, at approximately 57%, the majority of respondents reported their privacy teams have had a zero net change in size in the last year. Only a third reported positive growth in the number of staff. Interestingly, of those who reported zero net change for the previous 12 months, 73% reported no recruitment was currently underway and a further 67% identified no future recruitment was planned, suggesting these privacy teams are expected to stay stable other than any unplanned job changes.

The three-year trend starting in 2022 shows potential stabilization in privacy teams, with a greater proportion reporting a net zero change this year. This stabilization may be due to recruiting challenges, budget constraints or even having privacy teams that are now the right size. However, at least one in two respondents who reported a net-zero change in privacy team size at their companies also reported challenges delivering compliance, including in categories such as budget constraints. With 53% of respondents reporting a shortage of qualified privacy pros as a challenge to delivering compliance, recruitment challenges may also explain the lack of growth in some privacy teams.

While privacy teams have grown on average, the rate of growth appears to have slowed down overall over the past three years
2022: Joined the organization 22.7%; Left the organization 11.0%; Net growth +11.7%
2023: Joined the organization 17.3%; Left the organization 11.0%; Net growth +6.3%
2024: Joined the organization 13.7%; Left the organization 8.0%; Net growth +5.7%


Approximately 62% of overall respondents stated their organizations have no current recruitment plans. This figure drops to 36% for organizations with more than USD60 billion in annual revenue or with more than 80,000 employees, suggesting the largest organizations continue recruiting as needed. When focusing on those with open recruitment, 38% of respondents' companies are recruiting or will be recruiting for privacy analysts in the next 12 months, while 23% are looking for an AI governance professional.

While fewer organizations are recruiting for higher positions such as an accountable privacy executive or CPO, they are more likely to recruit for other roles, especially DPOs and privacy managers. The organizations recruiting for CPO roles were also more likely to be headquartered in Europe than not.

What roles are organizations currently recruiting for?
Privacy analyst: 38%
Internal privacy lawyer: 24%
AI governance professional: 23%
Privacy manager: 21%
Cybersecurity professional: 18%
DPO: 18%
Privacy office risk and compliance manager: 16%
Privacy engineer: 16%
Privacy champion/guru: 9%
Privacy auditor: 9%
Subject rights controller/administrator: 9%
Country-specific CPO: 7%
Regional privacy officer: 7%
Accountable privacy executive, i.e., board member: 4%
Global CPO: 3%
CPO at a global 250 organization: 2%


To what extent did respondents agree with the following statement: "The lack/limited availability
of the right privacy skills/resources limits my ability to deliver on my objectives."

6% 25% 15% 33% 22%

Strongly disagree Disagree Undecided Agree Strongly agree

The absence of the right resources currently within the privacy team or an inability to recruit resources with the right skill set can severely impact an organization's ability to deliver on its compliance obligations. Approximately two-thirds of respondents reported a lack of or limited availability of the right privacy skills or resources on their teams limited their ability to deliver on objectives. Additionally, respondents who reported their organizations have the right resources were substantially more confident in their organizations' ability to stay informed about new policy laws and initiatives.

Confidence in compliance obligations correlated with several other team implementations. For instance, privacy pros at organizations with a structured incident-response process were more confident in their organizations' compliance than those at organizations that deal with breaches on an ad hoc basis. Those who work at organizations where the right privacy skills and resources exist to allow them to deliver on their objectives are more likely to report greater confidence in the organizations' legal compliance.


Activities of the privacy function


The privacy role is progressing to encompass varying functions, with greater focus on AI governance. Privacy teams must prioritize limited time, budget and resources on the right strategic privacy compliance priorities.

As the privacy domain has continued to evolve in the last few years, privacy pros have been compelled to adapt with the changes and chart a governance path that allows them to keep up with the growing obligations of the profession. Survey responses demonstrate organizations are focusing on both emerging technologies and established privacy practices.

Viewing the evolution of organizations' top strategic priorities since 2022 by sector, AI governance has seen a sustained sharp annual increase as a top priority for organizations over the past three years, predictably in response to the growing development and implementation of AI technology. Meanwhile, the establishment of dedicated AI governance teams has decreased significantly, suggesting organizations are tasking existing teams with the work of AI governance.

International transfers have seen a steady decrease over three years, while data inventory and mapping have more than doubled since 2023.

Three-year trend of selected strategic priorities chosen within top five (2024 / 2023 / 2022)
AI governance: 47% / 33% / 20%
Data inventory and mapping: 40% / 14% / 20%
PIAs/privacy by design: 30% / 35% / 31%
Developing an AI governance framework: 27% / 16% / N/A
Incident and breach management: 23% / 23% / 24%
International transfers: 12% / 24% / 31%


Viewing responses by sector, most industries saw an increase in AI governance as a top strategic priority, except for organizations in the life sciences, education and nonprofit sectors. The consumer goods sector saw the most significant increase of AI governance as a top strategic priority, with a 34% rise from 2023, followed by manufacturing with a 29% rise, and banking and insurance with a 25% rise. This advancement is likely explained by the skyrocketing implementation of AI in each of these industries, with machine learning facilitating product marketing, automated banking, supply chain management and various other routine functions. In turn, the need for AI governance has grown exponentially.

Data inventory and mapping also saw a steady increase as a top strategic priority across all industries, possibly due to a growing need for professionals to understand their data landscape to train or implement AI within their organizations.

Incident and breach management has remained relatively consistent as a strategic priority since 2022, an unsurprising trend as data breaches and cyber incidents are constant concerns for organizations in all sectors and likely make up the foundational backbone of privacy team responsibilities. Privacy by design and privacy risk controls have also seen relatively little change since 2022 across all sectors. However, privacy by design and PIAs sharply declined as a priority in two industries, dropping from 11% in 2023 to 0% in 2024 in the legal sector and from 24% in 2023 to 6% in 2024 in the business services sector. Interestingly, the development of AI governance frameworks increased steadily in all sectors over the past three years, except in the legal and manufacturing industries. Legal and manufacturing saw respective 18% and 4% decreases in priority since 2023.

When viewed by continent, responses indicate the top-five strategic priorities have trended differently around the world. Unsurprisingly, AI governance has sustained a sharp increase as a top priority in all regions. It jumped to the top in North America, reported by 46% of respondents in the region, as well as in Europe, where it was reported by 50%, and Asia, where it was reported by 55%. Data inventory and mapping also saw a significant increase in priority from 2023 to 2024 in Asia and Oceania, rising from 9% to 21% and 3% to 48%, respectively. Again, this spike is likely explained by the need for organizations to understand the location of their data in response to the explosion of data needed by AI models, as well as the rise in the number of comprehensive privacy legislations in the regions.


Training
Although more than half of respondents reported 90% of employees in their organizations had completed privacy training, one in five identified less than 50% of employees had completed any privacy training.

The importance of privacy training is clear: Train staff to understand their obligations and they will be better empowered to make privacy-compliant decisions when processing personal data. Those who need it may then be given more role-specific training designed to support them when they collect and process higher volumes and/or riskier personal data.

This year we sought to understand the extent to which privacy functions and employees are completing some form of privacy training.

Privacy training completion rates in respondent organizations in 2023
90-100% of employees completed privacy training: 54%
70-89% of employees completed privacy training: 19%
10-69% of employees completed privacy training: 11%
0-9% of employees completed privacy training: 15%


When examining training data regionally, respondents working at organizations headquartered in North America were more likely to have 90% or greater training completion rates compared to other regions, at 58%. This drops to 36% of organizations with 90% of employees or more completing training in Europe.

This variation in training completion rates might be somewhat surprising as privacy training can form a core part of educating the workforce, while training completion rates can form a demonstrable metric to show privacy knowledge within an organization. Budgetary challenges are one reason privacy training may not be available to all. Most respondents said their organizations spend, on average, between 0% and 10% of their total privacy budget on training. They said their organization spends an average of 5% of the budget on internal training and an additional 5% on professional development, including external training courses and certifications. These allocations remained consistent across different rates of training completion, suggesting those working at organizations with higher training completion rates had not achieved this solely by proportionally allocating more budget to privacy training.

Privacy pros working at organizations with low privacy training completion rates may have a different compliance environment from those working in organizations with higher privacy training completion rates. For example, one in two respondents working at organizations with training rates higher than 70% had regularly performed PIA processes with triggers established in the organization. In contrast, one in two respondents identified PIAs are performed on an ad hoc basis or not at all in organizations with privacy training completion rates between 0% and 9%.

Ultimately, training remains a valuable method to assess whether employees have basic privacy knowledge commensurate with their roles and responsibilities in relation to personal data. Better yet, the ability to track training completion rates, follow up with those that have yet to complete training and monitor training against identified privacy compliance risks is likely a key part of how organizations address employee privacy risk.


Risk

Organizations are subject to different regulations. They process differing sets of personal data for various purposes, so they experience risk differently and, as a result, have varying risk tolerance and mitigation strategies. Organizations conduct risk assessments by analyzing and examining potential risk factors or events that could have adverse impacts and then comparing those with defined tolerance levels.

By implementing effective organizational privacy risk management, companies can take steps toward managing adverse legal and regulatory consequences, protecting business reputations, and maintaining individuals' privacy. Organizations that balance individual privacy rights against the need to use that personal data may further demonstrate trust in their ability to safeguard personal data and advocate for its ethical use.

Regular enterprise-wide or business-unit-wide privacy compliance risk assessments can support an organization's ability to identify, assess and manage privacy risks in a top-down manner. For the second year running, four in 10 respondents reported their organizations undertake enterprise-wide privacy compliance risk assessments once, twice or four times per year. Most respondents indicated their organizations do not undertake regularly scheduled enterprise-wide privacy compliance risk assessments. This year, 23% of respondents said their organizations do not undertake regular enterprise risk assessments, while 25% identified they are triggered in response to key events such as audit findings, data breaches or changes in regulatory requirements. That average increased to over one in two respondents in the banking and insurance sector and the business services sector. However, the education, nonprofit, and life sciences and health care sectors only saw one in four organizations complete risk assessments at least annually.

Established and mature privacy risk management may lead to compliance confidence.

Frequency that organizations conduct enterprise-wide or business-unit-wide privacy compliance/risk assessments
Not regularly: 23%
Ad hoc, in response to audit finding, breach, or regulatory update: 25%
Every two years: 10%
At least annually: 42%


Frequency of enterprise-wide or business-unit-wide privacy compliance/risk assessments by sector

| Frequency | Banking and insurance | Technology and telecommunications | Education and nonprofit | Business services | Consumer goods, services and retail | Government | Life sciences and health care | Legal | Manufacturing | Other |
|---|---|---|---|---|---|---|---|---|---|---|
| Not regularly | 18% | 21% | 35% | 24% | 12% | 26% | 31% | 19% | 42% | 18% |
| Every two years | 11% | 9% | 10% | 6% | 12% | 14% | 14% | 14% | 4% | 7% |
| Less than annually | 29% | 30% | 45% | 30% | 24% | 40% | 45% | 33% | 46% | 25% |
| Annually | 40% | 33% | 18% | 39% | 37% | 20% | 30% | 38% | 21% | 38% |
| Twice a year | 5% | 4% | 3% | 6% | 2% | 2% | 1% | 5% | 4% | 5% |
| Quarterly | 8% | 9% | 5% | 6% | 5% | 2% | 3% | 0% | 8% | 2% |
| At least annually | 53% | 46% | 25% | 52% | 44% | 24% | 34% | 43% | 33% | 45% |
| Ad hoc, in response to audit finding, breach or regulatory update | 17% | 25% | 30% | 18% | 32% | 36% | 20% | 24% | 21% | 30% |


As an organization's size increases, by either revenue or number of employees, the tendency for more frequent top-down enterprise-wide assessments of privacy compliance also increases. Six in 10 respondents working in organizations with more than USD60 billion in annual revenue identified their organizations conduct these assessments at least annually. In comparison, only a third of those working in organizations with USD100 million or less in annual revenue identified the same.

Similar to 2023, this year we sought to understand the trend when considering confidence in compliance. Respondents who said they are totally confident in their organizations' privacy compliance capabilities were more likely to work in organizations that undertake enterprise privacy compliance risk assessments at least annually. Those working in organizations that do not regularly undertake enterprise privacy compliance risk assessments were more likely to say they have no confidence in their organizations' level of privacy compliance.

Factors that influence this could include the absence or ineffective implementation of privacy by design within the organization, thus requiring greater resources to conduct project-specific risk management. Another reason is that the cost of enterprise privacy compliance risk assessments may be prohibitive to conducting them on a regular basis. Those who identified their companies' budgets as more than sufficient were more likely to work for organizations that conduct enterprise privacy compliance risk assessments at least annually. In contrast, those who identified their companies' budgets as less than sufficient were more likely to work for organizations that undertake enterprise privacy risk assessments on a less than annual basis.

Frequency of enterprise-wide or business-unit-wide privacy compliance/risk assessments by confidence level of privacy compliance

| Confidence level | Not regularly | Ad hoc, in response to audit finding, breach or regulatory update | Every two years | At least annually |
|---|---|---|---|---|
| Totally confident | 8% | 24% | 8% | 60% |
| Somewhat confident | 23% | 25% | 12% | 40% |
| Not at all confident | 54% | 28% | 3% | 15% |


PIAs

PIAs, whether regulatorily required or not, are often an important tool and process for an organization's privacy risk management. In 2024, the number of organizations that perform PIAs or DPIAs regularly, based on established triggers embedded throughout the business processes, was similar to the number in 2023. Like in 2023, almost one in five organizations still do not have fully established triggers. On average, two out of three respondents identified their organizations complete PIAs regularly. One in four said their organizations complete them ad hoc, likely resulting in some privacy risk not being managed.

Industry also impacted when and how organizations perform PIAs. For example, of the respondents whose organizations are required to perform the assessments by regulation, 3% in the consumer goods, services and retail sector still do not perform PIAs or DPIAs. In contrast, 63% in that industry have established triggers for PIAs embedded throughout business processes — the highest percentage across industries. The education and nonprofit sector was the least likely to perform PIAs regularly, with 47% of respondents in those industries reporting their companies perform ad hoc assessments or do not perform them at all.

Frequency of PIAs or DPIAs performed by an organization
Regularly, based on established triggers embedded throughout business processes: 46%
Regularly, but triggers are not fully established or formalized: 19%
Ad hoc, resulting in some privacy risk not being managed: 24%
Not performed at my organization: 4%
Not regulatorily required for my organization: 6%


Notably, respondents from larger organizations that conduct PIAs are more likely to have established PIA processes, potentially due to the organization's complexity or because their teams have the resources to perform these activities regularly. The likelihood that an organization did not conduct a regulatorily required assessment decreased as an organization's number of employees increased. Although one in four organizations with fewer than 100 employees performed PIAs or DPIAs regularly based on established triggers, that percentage increased as employee numbers increased. The largest organizations were more likely to undertake PIAs regularly and were more likely to have taken steps to establish a formal PIA process.

Organizations operating in multiple jurisdictions are more likely to have established mechanisms that trigger regular impact assessments embedded throughout their business processes.

[Chart: Frequency of PIAs or DPIAs by number of countries in which the organization has officers or business operations. Country groups: 1; 2-5; 6-10; 11-20; 21-40; 41-60; More than 60. Series: Regularly, based on established triggers embedded throughout business processes; Regularly, but triggers are not fully established or formalized; Ad hoc, resulting in some privacy risk not being managed; Not performed at my organization.]


Nearly eight in 10 respondents who were not at all confident in their organizations' compliance reported their organizations either do or do not regularly perform PIAs or DPIAs. However, 77% of respondents who were totally confident in compliance said their organizations perform them regularly based on established triggers. An additional one in 10 respondents who noted being confident in their companies' compliance also said their organizations perform them regularly but without established triggers. This suggests privacy pros may feel more confident in compliance if their organizations have taken steps to embed the PIA process within the organization, establish privacy by design and take a risk-based approach to performing PIAs. Around 60% of respondents who said they were not at all confident in their organizations' compliance with privacy requirements work in organizations where the PIA process is ad hoc, whereas this drops to 10% for those who said they were totally confident.

[Chart: Frequency of PIAs by confidence in an organization's compliance with privacy regulations. Confidence levels: Not at all confident; Somewhat confident; Totally confident. Series: Regularly, based on established triggers embedded throughout business processes; Regularly, but triggers are not fully established or formalized; Ad hoc, resulting in some privacy risk not being managed; Not performed at my organization; Not regulatorily required for my organization.]


Quantitative vs. qualitative privacy risk management

There are two main methodologies for risk assessments: qualitative and quantitative.

Qualitative
→ Qualitative risk assessments use subjective judgment to identify and prioritize risks based on their potential impact and likelihood.
→ Qualitative assessments offer insight into potential risks.

Quantitative
→ Quantitative risk assessments employ numerical data and statistical models to measure and analyze risk, which provides a more objective forecast compared with the qualitative approach.
→ Quantitative assessments deliver measurable and comparable risk metrics.

At the organization level, we asked respondents how privacy risk was measured, seeking to establish if organizations utilize qualitative methods, relative ratings or quantitative methods to forecast and model organizational risk.

[Figure labels: Qualitative methods; Relative ratings; Quantitative methods. Rating scale shown: Very low risk; Low risk; Moderate risk; High risk; Critical risk.]


When considering organization size, the largest companies by number of employees or by privacy budget are most likely to have approaches that are at least 50% quantitative. Almost six in 10 respondents who work at organizations with more than 80,000 employees or with privacy budgets greater than USD2 million identified the approach to privacy risk management is at least as quantitative as qualitative. As privacy risk management matures, it will be interesting to see how this balance shifts and if organizations will use more quantitative methods to measure privacy risk.

The survey also asked respondents to what extent individual harms are considered by their organizations' management approach to privacy risk assessment. Nine in 10 articulated that individual harms are included or considered. When individual harms are not considered in an organization's management approach to privacy risk assessments, privacy pros were less confident in compliance compared to their peers. However, how organizations define individual harm undoubtedly varies by company, sector and even department.

Nine in 10 use a qualitative approach at least as much as a quantitative approach to privacy risk management.

[Chart: Approaches used to measure organizational privacy risk. Segments: Fully qualitative approach; Mostly qualitative approach; About an equal mix; Mostly quantitative approach; Fully quantitative approach, 2%.]


Third parties and contractors

Regarding third-party processors and contractors, privacy pros are doing more than just relying on assurances in contracts to ensure commitments. It remains important for organizations to outsource to third parties and take advantage of specific expertise, obtain cost efficiencies and scale operations as needed to meet core business objectives. However, the absence of a third-party risk management process, particularly when sharing personal and sensitive personal data, may expose the organization to unmitigated third-party privacy risk.

The third party's privacy risk posture, therefore, should be a core part of how an organization manages its privacy risk exposure. Effective third-party privacy risk management now relies upon undertaking due diligence processes commensurate with the level of potential risk faced, effective contracting processes that include privacy requirements, and post-contracting reviews and audits that monitor the privacy risk present in ongoing third-party relationships.

Steps organizations take to ensure third-party processors or contractors fulfill commitments
Rely on assurances in the contract: 85%
Require completion of risk assessment questionnaire(s): 67%
Require documentation of third-party audit: 50%
Rely on assurances given in communications with the processors: 42%
Require certification or proof of adherence to code of conduct: 35%
Conduct on-site audits ourselves: 15%
Other steps: 3%
Nothing: 3%


[Chart: Confidence in an organization's compliance with privacy regulations by the number of steps it takes to manage third-party risks. Confidence levels: Totally confident; Somewhat confident; Not at all confident. Series: 0 steps; 1 step; 2 steps; 3 steps; 4 steps; 5 steps; 6 steps.]

Almost six in 10 respondents selected their organizations rely on assurances in contracts and require completion of risk assessment questionnaires. Just over a third of respondents also noted their companies require documentation of third-party audits in addition to assurances and risk assessment questionnaires.

On average, organizations take three steps to manage third-party risks. Additionally, respondents at organizations that take three or more steps to manage third-party risks are more likely to be confident in the organizations' compliance with privacy laws and policies. This result suggests organizations embracing diversified, risk-based approaches to third parties are better positioned to confidently mitigate and adapt to evolving risk and compliance challenges than those relying on a single measure, which could become the single point of failure during security incidents.


Privacy technology and tooling

The proliferation of autonomous tools and privacy-enhancing technologies is ever-increasing within companies. Organizations that intend to introduce automation must choose whether to dedicate the time and resources to developing technologies tailored to their needs or engage in services or products developed by or with third parties for their privacy functions. This year's report examines the privacy and compliance-oriented tasks respondents complete manually, through semiautomation or full automation, and it examines whether companies are developing automated technology themselves.

To better understand the level of assistance each organization employs, we asked respondents which of the following common privacy-related and compliance-oriented tasks their organizations completed manually, through semiautomation or full automation.

Responses indicating if and how a privacy task is performed

| Task | Not performed | Manual | Semiautomated | Fully automated |
|---|---|---|---|---|
| Consent management | 11% | 21% | 42% | 26% |
| Cookie consent/website scanning | 10% | 9% | 31% | 50% |
| Data mapping/inventory | 12% | 49% | 33% | 6% |
| Third-party risk management | 5% | 52% | 39% | 4% |
| Privacy/DPIAs | 8% | 56% | 32% | 4% |
| Data subject rights request management | 8% | 50% | 37% | 5% |
| Remediation tracking | 24% | 51% | 22% | 3% |
| Data minimization | 17% | 54% | 25% | 4% |
| Data retention | 10% | 42% | 42% | 7% |
| Data anonymization | 24% | 31% | 34% | 11% |
| Data pseudonymization | 24% | 30% | 34% | 11% |
| Data tagging | 36% | 23% | 34% | 7% |
| Program management (policies, benchmarking, maturity/planning) | 6% | 72% | 20% | 1% |
| Privacy by design | 13% | 61% | 25% | 1% |
| Privacy risk management | 7% | 62% | 29% | 3% |
| Privacy training and awareness | 3% | 33% | 49% | 14% |
| Privacy policies management | 3% | 72% | 23% | 3% |
| International data transfer assessments | 28% | 52% | 18% | 2% |
| Incident management | 2% | 56% | 38% | 3% |
| Regulation tracker | 10% | 62% | 24% | 4% |


Privacy tasks differ from entity to entity and are influenced by location and industry, among other factors. For example, in the government sector, organizations are more likely to perform PIAs and DPIAs manually and are less likely to automate program management. The information technology sector is more likely to fully automate data tagging and program management. On the other hand, the finance and banking sector is more likely to manually perform consent management, cookie/consent and website scanning and is also more likely to perform incident management by semiautomation.

Organizations headquartered in the EU are more likely to manage third-party risk manually, while companies in North America are more likely to complete this via semiautomation. Those at companies with fully automated consent management, cookie consent/website scanning, data mapping/inventory and PIA/DPIAs were also more likely to be confident in compliance with the EU AI Act.

The emerging utilization of technology to support privacy compliance can boost confidence in compliance.


In-house compared to third-party automation

The development of PETs or any automation requires sufficient thought and resources. Organizations that intend to introduce automation to their tasks must choose whether to dedicate the time and resources to developing technologies tailored to their needs or select services or products developed by or with third parties for their privacy functions.

Organizations at which the privacy team reports to the general counsel or head of legal and uses automation for consent management, cookie consent and website scanning, or data mapping and inventory were more likely to use technologies developed by third parties.

[Chart: Origin of automation technologies at organizations. Tasks: Consent management; Cookie consent/website scanning; Data mapping/inventory; Third-party risk management; Privacy/data protection impact assessments; Data subject rights request management; Remediation tracking; Data minimization; Data retention; Data anonymization; Data pseudonymization; Data tagging; Program management (policies, benchmarking); Privacy by design; Privacy risk management; Privacy training and awareness; Privacy policies management; International data transfer assessments; Incident management; Regulation tracker. Series: Fully in-house developed only; Third-party and in-house developed; Third-party developed only.]

Automation and confidence

On average, 9% of respondents reported they were not confident in their organizations' ability to comply with privacy regulations and policies. The percentage of respondents who were not confident increased when a selected privacy process was not performed or was done manually. For example, over three out of 10 respondents at companies that did not perform data mapping or inventory, third-party risk management, data retention, data tagging, privacy by design, or privacy training and awareness reported they were not at all confident in compliance.



Looking ahead

Many privacy pros are gaining additional responsibilities in AI governance and digital governance.

A prominent result from this year's survey was the acquisition of new responsibilities in AI governance and digital governance. The privacy function rarely sees stagnation due to the vibrancy, diversity and complexity of the field. Although privacy pros are reporting new responsibilities and facing complex challenges, confidence levels in privacy compliance remain relatively stable.

Like last year, the IAPP AI Governance Center will publish a report outlining the results of questions specific to AI and AI governance from this year's survey. The survey reflected what many privacy pros are experiencing: The privacy function is more likely to gain additional responsibility for AI governance when the organization is working on AI. Although the majority of organizations are currently working on AI governance, this number jumps significantly when organizations are using AI for process automation, at 88%, automated decision-making, at 89%, data analysis, at 88%, personalizing experiences, at 89%, or customer interactions, at 90%.

Respondents working in AI governance face significant challenges. For example, one in two respondents reported a lack of understanding of AI, underlying technologies and/or AI compliance obligations within their organizations impacts their ability to deliver for their organizations. One in three respondents stated there are not enough AI resources relative to the activities required to be completed, organizational AI expectations are not clearly defined or followed up on, there are budget constraints, and there is a lack of AI governance representation in senior levels of the organization. Stay tuned for a full report on these challenges and other AI governance industry insights.



Our research approach

We focus on bringing our membership accurate, meaningful and actionable research.

The IAPP Research and Insights team focuses on bringing our membership accurate, meaningful and actionable research and insights in a digestible way. We do this by leveraging our team of internal experts and global network of subject matter experts, professionals and volunteer contributors.

Scope
We asked our global membership base to complete the 78-question governance survey. Over the course of eight weeks, from April to May 2024, more than 670 individuals from 45 countries and territories responded.

Visit the IAPP Resource Center for more resources, including legislation trackers, tools, guidance, surveys and in-depth reports.

More than 670 individuals from 45 countries and territories responded to this 78-question governance survey.



Contacts

Connect with the team

Saz Kanthasamy
Principal Researcher, Privacy Management, IAPP

Cheryl Saniuk-Heinig
Research and Insights Analyst, IAPP

Luke Fischer
Former Westin Fellow, IAPP

Joe Jones
Director of Research and Insights, IAPP

Published November 2024.

IAPP disclaims all warranties, expressed or implied, with respect to the contents of this document, including any warranties of accuracy, merchantability, or fitness for a particular purpose. Nothing herein should be construed as legal advice.

© 2024 IAPP. All rights reserved.
