Originally posted on Substack
It’s Data Privacy Day, though it’s now been expanded to Data Privacy Week. Things are quite turbulent for privacy these days, so we need to celebrate less and focus on how to respond to the challenges ahead.
Based on my anecdotal assessment, the CPO and DPO roles seem to have expanded to encompass AI. Unfortunately, despite the growing number of laws and issues CPOs and DPOs face, I don’t see big budget increases, team expansions, or salary increases.
In the 2026 ISACA State of Privacy Report, the following findings stood out to me:
- “Privacy teams are shrinking. The median privacy staff size of survey respondents is five, down from eight last year.”
- “Understaffing findings are consistent with last year’s findings. Technical privacy roles are more understaffed than legal/compliance roles, similar to previous years’ results.”
- “Many privacy professionals feel that their roles are more stressful now compared to five years ago.”
- “Fewer than half of survey respondents are very or completely confident in their privacy team’s ability to achieve compliance with new privacy laws and regulations.”
- “Budget optimism has waned. Less than a quarter of respondents expect their privacy budgets to increase in the next year, while half of respondents anticipate a decrease in their privacy budgets in the next 12 months.”
The Importance of Privacy Training
“Survey respondents identify lack of training or poor training as the most common privacy failure (51%, compared to 47% last year). The second most common failure is not practicing privacy by design, followed by data breaches/leakage.”
As the founder of a company that provides privacy training, I couldn’t agree more. Time to do my “I told ya so” dance (I think I’m a good dancer by now).
If you’re in need of privacy training, please give me a holler.
I created a whiteboard to summarize the various components of a privacy program, which is quite an intricate and complicated thing. Privacy professionals must know a lot of stuff and deal with countless laws and issues. Click here to download a free PDF of it.
Concerns About the Future of Privacy Professionals
I’m concerned about the future of privacy professionals. I see more work and issues to juggle but not much growth in the importance of the privacy professional role. There was a bump after the GDPR and CCPA, from about 2016 to 2022. Big potential fines and a barrage of new laws sparked some fear in upper management. But recently, I fear that there’s stagnation, even slippage.
I worry whether privacy professionals will be seen as a kind of nagging conscience that will be ignored in the rush to profit, the exuberance of developing and using new technologies, and the fear of losing the AI and tech race and falling hopelessly behind.
Here are some theories for what is going on:
Privacy Law Fatigue. There were so many new laws that after the GDPR and some of the state laws, upper management is tired of being told to step it up. “Didn’t we already do that?” they might be thinking.
Weak Enforcement. I recently wrote a paper, Enforcing Privacy Law: Why Private Litigation Is Essential, where I examine the big picture of enforcement. I conclude that government privacy enforcement is woefully inadequate and will never come close to being effective given practical realities. There just haven’t been enough cases brought and penalties haven’t stung enough. The risk of a penalty (likelihood and severity of a sanction) is actually quite small and often doesn’t outweigh the benefits of just moving fast and ignoring the drag of following the law.
Cost Center. Privacy is often seen as a cost center. Privacy is seen as slowing things down or restraining things. With data, it’s like telling Shel Silverstein’s Hungry Mungry to stop eating. Nobody gets excited at “eat less” or “be careful” or “go slower.”
Risk Avoidance and Compliance Rather than Benefits and Growth. Privacy is often about risk avoidance and legal compliance, which are just not that fun for companies. The real value to upper management is in bringing benefits and growth. Privacy professionals must find ways to turn their roles into a means of increasing corporate revenue and growth, not just defending against losses.
Raising Up the Privacy Office
I believe that there is a way to raise up the Privacy Office into something not only viewed as a necessary chore for companies but something that is a part of the growth of the business. After all, privacy professionals are experts on data and how to use it; they think about consumer trust. Data and trust are the lifeblood of most businesses.
Privacy must be positioned more toward the brand and must make the case that using data responsibly not only keeps the company out of trouble but provides for business growth. I’ve heard this said many times, but what’s needed are concrete demonstrations of how privacy contributes to growth and specific strategies for how privacy professionals can link their role to growth.
Stay tuned for some online discussions about these issues I intend to have. Coming soon will be an online interview with Melanie Ensign of Discernible about reimagining the privacy office.
Check out my catalog of workforce privacy training courses.
* * * *
Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 180 courses.