Privacy Teams in Indian Companies Expect Budget Cuts in 2024 – ISACA Survey on Privacy in Practice 2024

Harsha Vardhan

January 29, 2024

In the wake of the Digital Personal Data Protection (DPDP) Act of India, enacted in August 2023, we saw digital-first organizations increase their spending on data privacy and information security. However, according to ISACA’s Privacy in Practice 2024 survey, a third of Indian privacy professionals foresee a budget cut on privacy spending in 2024.

According to ISACA, half (51 per cent) of the India-based respondents say their organizations find it easy to understand their privacy obligations, and a majority (62 per cent) are very or completely confident in their organization’s privacy team’s ability to ensure data privacy and achieve compliance with new privacy laws and regulations.

Commenting on the survey findings, RV Raghu, ISACA India Ambassador and Director, Versatilist Consulting India, said, “As privacy regulations the world over continue to evolve, it's promising to see the growing confidence among Indians in overcoming issues. ISACA's survey clearly shows that organizations today are more adept at understanding their privacy obligations and are also confident in the ability of their teams to ensure compliance and data privacy.”

However, a third of respondents (32 per cent) expect a decrease in budget, which is higher than last year, when only 6 per cent expected a decrease in budget. When looking at the year ahead, 42 per cent of the survey respondents also say that they expect their budget will increase (down 20 points from last year), and only 1 per cent say it will remain the same (down 8 points from last year).

“The anticipated shifts when it comes to budgetary expectations show that it is important for companies to strategically enhance their resource allocation, especially with impending financial constraints,” said Raghu.

Challenges to Data Privacy and Information Security

The path to forming a privacy program does not seem to be a smooth one, with Indian respondents indicating that the top obstacles include:

Lack of competent resources (44 per cent)

Complex international legal and regulatory landscape (35 per cent)

Management of risks associated with new technologies (35 per cent)

Lack of clarity on the mandate, roles, and responsibilities (34 per cent)

Safia Kazi, ISACA principal of privacy professional practices, said, “When privacy teams face limited budgets and skills gaps among their workforce, it can be even more difficult to stay on top of ever-evolving and expanding data privacy regulations and even increase the risk of data breaches.”

In seeking those competent resources, technical privacy positions are in the highest demand, with 75 per cent of Indian respondents indicating there will be increased demand for technical privacy roles in the next year. Legal/compliance roles come a close second, with 73 per cent feeling that there will be increased demand.

However, respondents indicate there are skills gaps among these privacy professionals and cite experience with different types of technologies and/or applications (58 per cent) as the biggest one.

Safia added, “By understanding where these challenges lie, organizations can take the necessary measures to remedy them and change course to strengthen their privacy teams and programs.”

When looking at common privacy failures, respondents in India pinpointed the non-compliance with applicable laws and regulations (44 percent), data breach/leakage (42 percent) and not practicing privacy by design (41 percent) as the main concerns.

Taking Action

One of the ways that organizations are mitigating both workforce gaps and privacy failures is through training. A majority of India-based respondents (61 percent) note they are training to allow non-privacy staff to move into privacy roles, while 45 percent have increased reliance on credentials to attest to actual subject matter expertise.

To assess the effectiveness of privacy programs, survey respondents in India note their organizations are most often taking the approach of:

Performing a privacy risk assessment (68 percent)
Performing a privacy impact assessment (PIA) (61 percent)
Undergoing a privacy audit/assessment (46 percent)
Performing a privacy self-assessment (41 percent)

Value of Privacy by Design

One of the clearest takeaways from the survey results is that globally, organizations that practice privacy by design experience some key advantages:

They have more employees in privacy roles (median staff size 15 vs. nine among all respondents) and are more likely to say their technical privacy department is appropriately staffed (42 percent vs. 34 percent among all respondents).
They strongly believe their board of directors prioritizes organization privacy (77 per cent vs. 57 per cent total).
They are much less likely to see organizational privacy programs as purely compliance-driven (35 per cent vs. 44 per cent total), and more likely as a combination of compliance, ethics and competitive advantage (39 per cent vs. 29 per cent total).
They are much more likely to see their organization’s privacy strategy aligned with organizational objectives (90 per cent vs. 74 per cent total).

Organizations that practice privacy by design also seem to use many more privacy controls in total, overall, than are legally required. Data minimization and retention controls, data quality and integrity, and cryptographic protection seem to be key areas they concentrate on that are not mandated by law yet.

Ultimately, organizations globally that always practice privacy by design are also much more likely to be very or completely confident in their organization’s privacy team’s ability to ensure data privacy and achieve compliance with new privacy laws and regulations.

ISACA conducted this survey with more than 1,300 professionals globally, who weighed in on privacy topics such as staffing, organization structure, policies, budgets, and training.