The recent Privacy Governance Report from FTI Consulting and the International Association of Privacy Professionals (IAPP) showed that data privacy spending is up by 8% in 2020 from 2019, with more than 40% of respondents revealing privacy has become a higher priority due to COVID-19.

The Privacy Governance Report includes findings of a survey of more than 450 privacy professionals in the U.S. and Europe, and examines the impact of COVID-19 and heightening regulation on privacy programs and the privacy profession in general.

Throughout 2020, privacy professionals wrestled with the complicated links between working during a global pandemic and the data protection and privacy risks that have emerged as a result. In parallel, legislative activity on data privacy accelerated among state and federal authorities around the world, creating a confluence of challenges and concerns for privacy professionals to prioritize.

“Privacy will continue to be a big focus for businesses in 2021,” Jake Frazier, senior managing director in the information governance, privacy and security practice within FTI Consulting’s technology segment, said. “There’s strong potential for heightened enforcement activities and continued changes to privacy laws in the U.S. and worldwide. In parallel, companies will grapple with maintaining compliance and avoiding privacy control breakdowns amid the complex business challenges that have resulted from the pandemic. The IAPP survey sheds light on the tremendous pressure privacy professionals have been under this year, but it also reveals progress in terms of the ways organizations are now prioritizing and budgeting for important privacy programs.”

More than 40% of survey respondents said privacy has become more important within their organization due to COVID-19, while only 5% said it has become less important. Many privacy professionals also have seen their day-to-day responsibilities shift this year, with more than half saying that maintaining and advising on employee privacy has become a priority. Roughly half are also dedicating more time to assessing platforms that support the organization’s remote workforce.

In terms of concerns over data collected from employees for COVID-19 purposes, respondents were split. Approximately 45% said they have conducted a privacy risk assessment or data protection impact assessment on this information, while about half had not.

Growth in Privacy Budgets and Priorities

Privacy spending is up by 8% in 2020 from 2019, with a mean budget of roughly $2 million for companies with annual revenues of more than $25 billion. Only 9% expect to see a decrease in their privacy budget in 2021, and of those who expect a budget increase, many said it will support new privacy program initiatives, tool acquisition and more privacy training. Moreover, the number of privacy professionals who believe their budget is sufficient to meet their obligations has increased 11% over last year.

Approximately four in 10 organizations are working toward a single privacy strategy that can be applied around the globe. Another 30% take an approach that segments data subjects by jurisdiction, handling each data subject’s personal data according to relevant local law. As was true in 2019, compliance issues (concerning GDPR, the California Consumer Privacy Act and beyond) remain the top priorities for privacy professionals. Overall, 30% said that compliance with GDPR remained their top priority.

Legislative and Legal Changes

Data privacy laws picked up momentum around the world this year. While GDPR compliance is up from 2019, half of respondents are still not fully compliant. The CCPA also has triggered notable changes, with 38% of organizations reporting they have modified business practices to avoid selling data, and 32% confirming they have added a “Do Not Sell My Personal Information” link on their website.

The Schrems II ruling from earlier in 2020, which invalidated the Privacy Shield framework for cross-border data transfers, is another issue causing direct and indirect challenges for many companies. Nearly two-thirds of respondents said their organizations transfer data outside of the EU — 55% previously relied on Privacy Shield and 62% are adjusting their data transfer mechanism as a result of this year’s ruling. Another 88% use standard contractual clauses as their mechanism for the compliant transfer of data outside of the EU, but many experts agree this approach has been cast into doubt in the wake of Schrems II.

Privacy Leadership Expands, Staffing Plateaus

While privacy hiring has been on the rise in previous years, it has leveled off in 2020. Nearly half of organizations have implemented or plan to implement hiring freezes for privacy and non-privacy roles, and 71% expect the current number of full-time privacy staff to remain the same in the coming year. In four out of 10 organizations, the most senior “privacy leader” holds the title of chief privacy officer. Boards of directors maintain privacy leadership at 13% of organizations.

In terms of job duties, privacy professionals in Europe were more likely than their U.S. counterparts to handle privacy-related monitoring, GDPR compliance and proper cross-border data transfers, while U.S. respondents were more likely to have a focus on ethical decision-making around data use and CCPA compliance.
