IAPP Privacy Governance Report 2024: Key Takeaways from an Australian Perspective

In November 2024, the International Association of Privacy Professionals (IAPP) published its annual Privacy Governance Report (the Report). The report details the IAPP’s research on the performance, structure and key issues faced by privacy teams across different organisations in different jurisdictions.

In this post, we summarise these findings, as well as our top 3 key takeaways for Australian organisations.

Increasingly complex legal, community and regulatory environment

The Report observes the growingly complex legal and regulatory environment for privacy obligations, driven by:

• the introduction or amendment to privacy laws across a large number of jurisdictions in 2024. Key examples of this include the EU AI Act and the passing of numerous State Privacy Acts in the United States;
• growing consumer expectations for privacy, with the Report observing increased workloads on privacy teams to respond to data subject rights requests and privacy complaints;
• increasing regulatory action following privacy or data breaches, followed by significant fines, such as the €251 million fine from the Irish Data Protection Commission against Meta;
• the adoption of new technologies, especially AI, into organisational business processes.

Implications of increasing complexity

The Report notes a number of implications of the increasingly complex privacy landscape, and offers insights into how organisations appear to be responding to it. Highlights include:

Privacy teams appear to be taking on additional responsibilities

Over 80% of respondents indicated that they have been asked to take on additional roles. The top 3 domains that these additional responsibilities fall into are:

• AI governance (68%)
• Data governance (60%)
• Cybersecurity as a regulatory compliance matter (40%)

Sufficient resourcing and senior leadership representation improves compliance confidence

Of the respondents who were not confident in their organisations’ compliance, 87% reported that their privacy budgets were not sufficient. These respondents were also more likely to work in organisations where the most senior privacy employee is more than 4 rungs below the C-suite.

Stabilisation of privacy teams; Fewer recruitments for senior roles

While privacy teams have on average grown by 5.7% in the last twelve months, the report observes that privacy teams appear to be stabilising. The majority of surveyed organisations have reported that their privacy teams have had a zero net change in their privacy teams. 73% of these organisations indicated that they had no recruitment underway, and 67% stated that here was no planned future recruitment. Where recruitment is occurring, the majority of the roles (38%) are for privacy analysts, with fewer organisations hiring for senior privacy roles, such as a CPO.

Strategic priorities driven by AI Governance and supporting activities

Consistent with the increased uptake of AI technologies, the strategic priorities for the majority of respondents are on AI governance (47%). Data inventory and mapping was the second most common strategic priority for organisations (40%). The report speculates that this may be driven by the need to understand the provenance of data being used in AI models. We believe that this also explains why PIAs and Privacy by Design are the third most common strategic priority for organisations (30%), as organisations try and understand the privacy implications of using personal information in model development and implementation activities.

Continued focus on privacy activities

Unsurprisingly, the report noted that larger organisations tended to have more consistent and mature approaches towards privacy compliance activities. For example, larger organisations were more likely to complete enterprise or business unit wide privacy risk assessments annually, and have formalised PIA triggers that result in PIAs being carried out regularly. Interestingly, there is continued reliance on manual/semi-automated processes even for activities that appear critical for responding to the increasingly complex environment and adoption of AI:

• Data mapping: majority of organisations reported relying on manual (49%) or semiautomated (42%) processes for completing this activity, despite being an organisational priority for a majority of organisations
• PIAs: similarly, PIAs were being conducted either manually (56%) or using semiautomated processes (32%)
• Regulation trackers: 62% of organisations reported relying on manual processes to track regulations
• Program management: 72% of organisations report relying on manual processes to carry out privacy program management, such as benchmarking and carrying out maturity/planning activities.

Takeaways for Australian Organisations

The Report does not include a breakdown of respondents, their positions, and where organisations are based. It is clear, however, that the focus is very much on North America, Canadian and Asian organisations. Despite this, we believe there are some relevant observations for Australian organisations:

Australia’s Privacy Landscape Increasing In Complexity

Like the rest of the world, the Australian privacy landscape is growing increasingly complex.

• In November 2024, the amendments to the Australian Privacy Act were introduced. We’ve previously covered these amendments, as well as what they mean for Australian organisations. Other key legislative and policy developments to keep an eye on include the possible introduction of mandatory guardrails around high-risk AI systems and models
• Similar to overseas sentiment, Australians’ expectations on privacy are evolving. For example, the Deloitte Privacy Index 2024 has reported that 50% of Australians now say that the data an organisation collects will influence their decision to purchase a product or service (up from 35% last year)
• There is an increasingly active Federal Privacy Commissioner, who has published important decisions that clarify how the Commissioner’s interpretation of key concepts in the Privacy Act apply. The Commissioner has also demonstrated a willingness to use her regulatory powers
• Similar to organisations overseas, there has been increased drive to adopt AI by Australian organisations and government. By way of example, the Deloitte Privacy Index reported that 72% of Australia’s leading brands are using AI or ADM.

Australian Organisations Have Smaller Privacy Teams

Despite this complexity, Australian organisations appear to have smaller privacy teams. According to the report, the average size of privacy teams in North America (28.8 internal, 1.2 external), Europe (26.2 internal, 2.8 external) and Asia (31.2 internal, 5.5 external) are noticeably larger than privacy teams “Elsewhere” (12.2 internal, 1.3 external), which would include Australia. Our regular review of Privacy Jobs also indicates that there are relatively few senior privacy roles being advertised. Given the positive impact that adequate resourcing and senior privacy leadership has on compliance confidence, our view is that Australian organisations should carefully consider the size of their privacy team, especially as they commence preparations for complying with the amended Privacy Act.

Australian Privacy Teams & AI Adoption

Australian Privacy teams, like their counterparts across the world, are likely busy helping their organisations adopt and implement AI and other new technologies. However, this should not come at the cost of ensuring that other privacy compliance activities, such as PIAs, are completed regularly. Privacy breaches can damage an organisation’s reputation, and erode consumer trust in the organisation’s ability to innovate and use AI responsibly. The majority of the respondents in the Report are carrying out activities such as third-party risk assessments, PIAs, and Business Unit or Enterprise privacy risk assessments regularly. Australian organisations should consider benchmarking themselves against these standards and if not already implemented, consider adopting such measures.