Data protection challenges and priorities 2023: The Annual IAPP-EY Privacy Governance Report

Reading Time: 3 minutes


Dr Rachel Finn | Director, Data Protection & Cyber-risk Services / Head of Irish Operations

Date: 29 December 2022

Each year the International Association of Privacy Professionals and Ernst & Young team up to survey the privacy landscape across the globe. To do so they survey hundreds of privacy professionals in different regions, sectors and countries to identify key trends in professionals’ and organisations’ experience and expectations to guide activities for the following year. This year, the 2022 Privacy Governance Report surveyed 700 privacy professionals across 44 countries and examined issues like the privacy governance models, strategy and planning, compensation and budget and performance metrics. This article outlines two of the key trends identified in the report to assist privacy and data protection programme managers to create strategic plans that integrate and anticipate challenges around building their team and prioritising activities for the following year.

Staff investment and team building

The Report highlights another year of growth for the privacy profession across the world and points out that the skills required for effective privacy and data protection have expanded substantially. Over the course of 2022, professionals have reported an average increase in size of their privacy and data protection teams of 12% (pg. 34). However, privacy and data protection offices are struggling with recruitment and retention. Like other sectors, privacy programme managers are navigating “the great resignation”. At the same time, they are finding that spiralling salary costs are making it difficult to recruit a sufficient number of talented individuals within their budget.

In terms of privacy and data protection team composition, the report also highlights the changing nature of the profession. While both privacy and data protection have roots in the legal sector, a wider skillset is now required to achieve effective governance across the organisation. These emerging skills include expertise in technology, risk & compliance management, law, organisational science and data governance. Globally, the risk and compliance expertise are the most sought after in terms of closing internal gaps on existing privacy teams. In some cases, external support is closing this gap. While 80% of privacy and data protection team members are in-house, 20% comprise external service providers (pg. 29). External support is primarily used for functions like incident response, impact assessment and data mapping to augment both internal resources and internal skills.

2023 strategic privacy programme priorities

As mentioned above, the report also examined key priorities for 2023 in privacy and data protection offices. Importantly, the survey found that 87% of organisations have a privacy strategy in place, and that it is at least partially aligned with their wider organisational strategy. However, this figure drops to 76% in the governmental sector (pg. 15). Within these strategies the following issues were reported by respondents as their 2023 priorities (pg.53):  

  • International transfers (31% indicating this as a top priority)
  • Privacy impact assessment or privacy by design (31%)
  • Data deletion (30%)
  • Governance and operating model (28%)
  • Incident management (24%)

In Europe, governance around AI and machine learning replaced incident management as a top priority, with 24% of organisations indicating this is an area of action for 2023. This is likely a response to new and forthcoming regulatory instruments like the Digital Services Act, AI Act, Digital Markets Act, Data Act and Data Governance Act that seek to provide stronger protection and better governance in relation to emerging technologies.


The 2022 Privacy Governance Report clearly demonstrates the growing significance and complexity of privacy and data protection functions across the globe. As the technology and regulatory landscape continues to evolve, privacy needs are growing alongside the skills and resources required to meet those needs. The report also demonstrates how having a privacy strategy can assist organisations to better anticipate and meet these evolving needs.

Trilateral Research’s Data Protection and Cyber-risk Team can help your organisation create a privacy strategy and identify your priorities for 2023. Furthermore, our interdisciplinary team of legal, technical, compliance and risk management experts can also help you close any skill gaps within your existing team to better implement your privacy strategy in the current labour market. For more information or to talk to one of our advisors, please contact us.

Related posts

Get the latest insights from Trilateral in our new monthly article, featuring the latest developments from across our innovation and researc…

Let's discuss your career