Privacy governance in action: Insights from the IAPP / EY Annual Privacy Governance Report 2021

Reading Time: 3 minutes
Audit and Assessment copy


Dr Rachel Finn | Director, Data Protection & Cyber-risk Services / Head of Irish Operations

Date: 24 November 2021

Released in October 2021, the International Association of Privacy Professionals (IAPP) / EU Annual Privacy Governance Report is an annual assessment of the professional privacy landscape among Association members. The report presents insights and findings on compliance with legislation, Covid-19 data processing, privacy leadership, budget, responsibilities and priorities of privacy teams, data subject rights requests and the use of third-party vendors to process personal data. Trilateral Research’s review of the findings highlights three trends that we think may be of interest to privacy practitioners in the UK and Europe and that we have also noticed on the ground. These trends include issues around privacy budgets and staffing, data subject rights implementation and work-related commuting and travel expectations in 2022.


Privacy budgets and staffing

Among our clients and colleagues, we have noticed an increase in C-suite and Board interest in privacy, data protection and data security and a willingness to invest more in safeguarding data subjects. The International Association of Privacy Professionals / EY report reinforces this anecdotal evidence and finds that according to international privacy practitioners:

  • Privacy budgets have increased significantly since 2020, including year-on-year growth of 29% from 2020 to 2021.
  • 45% of IAPP / EY respondent organisations are planning at least one or two additional hires within 6 months.
  • Six out of 10 privacy professionals expect their budget to increase over the next year.

Despite these increases and investments, 63% feel that their budget is less than sufficient to meet their needs, indicating that further investment is needed to secure robust protection for data subjects.

Data subject rights

A second trend that we have noticed is an increase in data subject access requests (SARs) and other requests by data subjects to exercise their rights (e.g., rights of correction, erasure, portability, etc.). This is also affirmed by the IAPP / EY report. Specifically, the report indicates that 59% of organisations have created a “dedicated team” for handling data subject rights requests. Any organisations concerned about how much investment they are making in this activity may be reassured to hear that:

  • more than half of organisations are handling rights requests manually,
  • four in ten say it takes them more than a week to respond to rights requests, and
  • almost half (47%) say that finding an individual’s data within the organisation was the most difficult part of fulfilling rights requests.

Another challenge reported was monitoring the practices of their data processors and gathering relevant information in the context of rights requests. This data indicates that increases in the scope and complexity of these activities are increasing across the board and are a common experience for organisations.

COVID-19 travel recovery

We also notice that while many of our clients and colleagues are back in the office occasionally, most are still working primarily from home and do not expect substantial commuting or business travel in the coming months. Similarly, the IAPP / EY privacy professionals are not expecting an immediate change to their working environment or travel commitments. Specifically, in line with trends across countries and industries, just under half of privacy professionals (46%) expect to be working in a hybrid manner in 2022 with time split equally between home and office work. Only 11% expect to return to the office full-time. In relation to travel, while many professionals were looking forward to a return to in-person events, most professionals indicate that they do not expect a substantial pick-up of business travel until mid-2022.

With many high-profile privacy and data protection issues over the last year, it is not surprising that privacy expertise is in demand and that workloads and budgets are increasing in tandem. Furthermore, increased opportunities for remote and hybrid working are creating new job markets for privacy practitioners. Organisations finding themselves in similar situations may be reassured by this data that indicates they are in line with international trends in this sector.

If you need additional resourcing for your privacy, data protection and cyber-security programme, our advisors in the Data Protection and Cyber-risk team would be happy to help. Contact us for more information.

Related posts

AI governance is a crucial – and ongoing – practice that can help you deploy and maintain responsible AI solutions.   Here, we answer the…

Let's discuss your career