The privacy skills gap – and how to fill it

Shocking data on privacy teams forces a handful of questions that companies should really be asking.
1 June 2023

Data privacy teams – what do they need, and how do we give it to them?


• Almost all European companies have a data privacy skills gap.
• People are the key to filling the gap.
• Training should be an ongoing process to change corporate cultures.

Does your business struggle to staff its own privacy team? If it does, you are far from alone. In fact, you are in the majority. Privacy is an increasingly critical part of any business’s operations, underpinning the digital trust without which modern businesses can barely function. And yet new research from ISACA (the organization formerly known as the Information Systems Audit and Control Association) has revealed a significant “privacy skills gap” throughout the technology industry, affecting 94% of businesses across Europe.

Some 59% of privacy teams are understaffed, and one in five of those teams say it takes more than six months to fill a technical vacancy – leaving unacceptable gaps in their privacy posture for the duration.

We sat down with Chris Dimitriadis, ISACA’s global chief strategy officer, to find out why privacy teams are so hard to staff – and what the consequences of that difficulty might look like.


What is the likely impact of a statistic like 94% of companies in Europe having a known privacy skills gap? Translate that into real business impacts for us.


The most obvious impact is in compliance. Privacy is very highly regulated – much more than many other professions or domains. And obviously, every board and every CEO are concerned about compliance. But beyond the compliance issue, there’s a real danger to the notion of customer trust, whether the customer is a business or an end user. Every single privacy breach has a negative impact on customer trust, and that takes a long time to recover from.

Sometimes, very large privacy breaches that hit the news impact the long-term reputation of the organization, and the trust of the consumers. In some cases, after breaches like that, we’ve seen the stock price for public companies influenced very heavily. In other cases, we have seen partnerships which were in the works be delayed or halted because of privacy breaches.

So it’s a very important matter for the overall trust of the organization.

Filling the gaps.


So, if it’s that important, why is it currently so difficult to fill vacancies in privacy teams? Because it seems an unreasonable amount of time and uncertainty, not to mention potential expense and vulnerability, to leave things like that for months at a time.

Is there something that’s driving people not to join privacy teams? Or are the criteria for being members of a privacy team just discouragingly high?


It’s more about being able to follow a holistic framework, and to embed privacy in all the products and services of an organization, because a lack of privacy skills doesn’t necessarily mean that companies don’t have a DPO (Data Protection Officer).

Some companies do, but even then, there is a lack of skill to implement privacy in practice, and embed it in a product design development process, or within a service provision or operation. And that primarily has to do with awareness about what privacy really means for a specific organization.

So, especially with the rise of GDPR a few years ago, we’ve seen a very big wave of companies trying to implement frameworks for complying with GDPR.

But addressing this purely from a compliance point of view doesn’t really provide value to the organization, and doesn’t mean that privacy by design is really there.

So going back to the skills question, that’s what we’re trying to do with digital trust – trying to explain that privacy as a standalone function or capability doesn’t really help. It needs to be combined with other domains.

For example, privacy professionals need to understand and have knowledge about the technologies that are involved within the digital ecosystem.

If a company is trying to innovate a digital transformation project that involves AI, or a blockchain, or even cloud, if those professionals don’t have an understanding of those technologies, there is no way that privacy can be implemented within the digital ecosystem, because you can’t really protect personal data in an ecosystem that you don’t understand.

So it has to do with more holistic training and the understanding of those privacy professionals. And then it has to do with a better understanding of the decision-makers in the organization in terms of really monetizing the value or the impact of privacy.

And it also involves other roles, like those who are building technology ecosystems, designing architectures and so on – they also need to understand the value of privacy in order to prioritize it within projects. So there’s not one root cause, there are many. At the end of the day, it has to do with the maturity of the organization in the broader digital trust domain.

Pathways to a solution.


If it’s a complicated problem, with multiple strands leading to the situation we have, how do we solve it?


It should start with people.

The more we upskill people, the more we create awareness, the more we develop skills that are outside the vertical expertise of those functions within an organization, the more likely we are to address the problem, because decisions are made by people. Frameworks are implemented by people. Priorities are set by people.

I believe that training and awareness for employees of several different functions and professional domains within an organization is the key to addressing this gap.

That doesn’t mean it’s necessarily complex. There are simple and effective training programs that can be applied in order to create this awareness. And then people will give us a solution, people will budget accordingly.

People will embed privacy in an overall system development lifecycle. People will create this organizational capability in order to not only protect against breaches, but also to be able to respond and recover from privacy breaches.


This sounds confrontational, but if it’s as straightforward as that to deal with a problem affecting over 90% of companies in Europe – why hasn’t it been done before now? Before the problem got to this stage?


It’s very similar to the situation we see in cybersecurity. What we see globally is that silos between those adjacent domains still exist.

So we see a privacy department operating in a silo versus the audit department versus the cybersecurity department versus the technology department, each of which has its goals in order to deliver on time, on quality, and on budget.

We identified those silos as a key root cause, and we have also identified the emerging need for better collaboration between those domains under a more holistic framework that focuses on implementing privacy in an aligned manner to the business objectives of an organization.

The training burden.


It sounds like there’s a need for significant amounts of training across the board, as well as the collaboration process, which can be tricky where teams are already highly siloed. What kind of impact in terms of time and budget are we asking companies to take on in order to address this issue?


Those training programs are definitely important, but I wouldn’t set a specific timeframe, because what really is effective is continuous training, in order to keep people updated with small portions of time and training, so you create that culture within the organization.

It’s more like a journey, and less like one single explosive change.

Budget-wise, I think we’re talking about the positive impact, because what’s funny about this situation is that many organizations that operate in silos, and don’t embed privacy in their solutions and operations as well, have to patch around privacy.

That’s much more expensive than privacy by design, when you design something and you budget for it based on the profit and loss of a project, because it all has to do with financial feasibility as well.

Privacy by design is much more cost effective than being terrified by a privacy threat and trying to implement privacy afterwards.

When you really value your privacy, you can go this way… or you can commit to continuous training of staff. Whichever you find easier…

In Part 2 of this article, we’ll explore the ins and outs of privacy by design – the profitable future of privacy skills and the teams that need them.