Data privacy is playing a bigger role than ever as organizations look for smarter ways to protect sensitive information and keep pace with evolving regulations. With new technologies changing how data is stored and shared, privacy has evolved from a compliance box to tick into part of day-to-day decision-making. Strong data protection strategies are helping organizations respond faster, reduce risk, and keep their operations running smoothly.
To understand what’s shaping these strategies, we used AI-driven audience profiling to synthesize insights from online discussions over the 12 months leading up to May 5, 2025, to a high statistical confidence level. This analysis captured the perspectives of 21,377 data protection officers, offering a clear view of the risks they’re watching, the obstacles they’re working to overcome, and the priorities shaping their approach to data security.
How Do You Classify Sensitive Data Before Applying Encryption?
62% of US data protection officers use a mixed approach to classifying sensitive data prior to encryption
Before encryption locks down sensitive data, companies have to decide how they’re going to sort and label it:
For many US data protection officers, classifying sensitive data before applying encryption is a balancing act. 62% of our audience uses a mixed approach, blending automation with manual tagging to keep up with growing data volumes while relying on human judgment for critical decisions. But a surprising 35% still handle this process entirely by hand, tagging files manually and leaving plenty of room for errors or oversights. Only 3% have fully committed to a policy-driven approach, where automated systems classify data based on predefined rules without constant human involvement.
The slow move toward automation highlights a bigger challenge. Today’s AI systems can identify relationships between different pieces of data, understand the business value of data based on its context, and make classification decisions that are more accurate and consistent than manual methods. Yet, despite these advancements, many organizations are hesitant to let go of manual control. Until that changes, gaps in how sensitive data is identified and secured will remain, and that’s a risk no business can afford to ignore.
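A sketch of the policy-driven approach described above, given as an added example rather than anything taken from the survey or from a specific product: predefined rules assign a sensitivity label, and the label decides whether a record is encrypted before storage. The label scheme, the rule set and the sample strings are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed label scheme, lowest to highest sensitivity.
LEVELS = ["public", "internal", "confidential", "restricted"]

def luhn_ok(candidate: str) -> bool:
    """Payment-card checksum; rejects arbitrary digit runs such as order IDs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    label: str
    validate: Optional[Callable[[str], bool]] = None

# Hypothetical policy: each rule maps a detector to a sensitivity label.
RULES = [
    Rule("payment_card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "restricted", luhn_ok),
    Rule("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "restricted"),
    Rule("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "confidential"),
]

def classify(text: str, default: str = "internal"):
    """Return (label, matched rule names); the most sensitive match wins."""
    label, hits = default, []
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            if rule.validate is None or rule.validate(m.group()):
                hits.append(rule.name)
                label = max(label, rule.label, key=LEVELS.index)
                break           # one validated hit per rule is enough
    return label, hits

def must_encrypt(label: str) -> bool:
    """Policy decision: confidential and above is encrypted before storage."""
    return LEVELS.index(label) >= LEVELS.index("confidential")

if __name__ == "__main__":
    for sample in ("Card on file: 4111 1111 1111 1111",   # constructed samples
                   "Order 1234567890123456 shipped"):
        print(sample, "->", classify(sample))
```

The checksum validator is what keeps a rule like this usable without a human in the loop: a 16-digit order number matches the card pattern but fails validation, so it is not labelled as cardholder data.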
What Drives Your Encryption Upgrades Most Often?
For 42%, customer demand drives encryption upgrades
The reason behind an encryption upgrade seems to depend on what is driving the urgency:
Before upgrading encryption methods, companies have to weigh what’s pushing them to act, and the reasons are telling. For 42%, customer demand is the reason behind regularly upgrading encryption. As data privacy expectations grow, businesses know that staying competitive means proving they can keep sensitive information safe.
But external pressures aren’t the only factors at play. 21% of our audience say it takes a data breach to spark change, while for 19%, regulatory updates force their hand. Another 19% point to technological advancements, and this is where the future of encryption is already taking shape.
With quantum computing on the horizon, the National Institute of Standards and Technology has finalized its first three post-quantum encryption standards, laying the groundwork for stronger, future-proof data protection.
How Is Access To Encrypted Backups Managed?
100% of data protection officers use encryption keys for backups
Before backups can be protected, companies have to decide how they will control access:
Encryption keys control access to 100% of encrypted backups. That part is clear. What really matters is how those keys are handled. Strong key management starts when a key is created and continues through every stage: generation, distribution, storage, usage, rotation, and revocation.
Smart organizations rotate keys regularly, which shortens the time any single key stays in use and limits how much data is exposed if that key is compromised. They also store keys in secure hardware, adding a physical barrier that makes unauthorized access harder. With the right management at every step, access stays controlled, and backup security stays right where it should be.
How Do You Verify Encryption Effectiveness Across Systems?
100% of data protection officers verify encryption effectiveness using algorithms
When it comes to verifying encryption across systems, everyone takes the same approach:
There’s no debate about how encryption effectiveness is verified across systems. All 21,377 of the data protection officers in our audience rely on encryption algorithms to do so. And behind every check, there’s a choice to make between two proven methods: symmetric and asymmetric algorithms.
Symmetric algorithms use one key for locking and unlocking data. They’re fast, efficient, and the go-to choice when speed matters and there’s a lot of data to handle. Asymmetric algorithms use a public and private key pair and step in when security takes priority, even if things move a little slower. Get the balance right, and both security and performance stay exactly where they should be.
Which Best Describes Your Current Encryption Strategy?
End-to-end encryption strategies used by 97% of data protection officers
The vast majority favor a single encryption strategy to protect data:
End-to-end encryption clearly dominates current encryption strategies, with 97% of data protection officers using it to protect data. But for a solution to be truly end-to-end, it needs more than just encryption in transit. That’s why the strongest strategies combine client-side encryption with zero-knowledge authentication and smart key management. This approach keeps control with the organization, where it belongs, and ensures that no outside parties, including service providers, can access sensitive information.
Rounding out the list, 3% of data protection officers still rely on TLS or SSL. These methods help protect data as it moves between systems, but the protection stops once the data arrives. Less than 1% depend entirely on AES encryption. While AES is a strong algorithm, using it on its own does not create a complete security framework. Another less than 1% turn to data masking, which hides information from view but doesn’t actually secure it. That’s why leading organizations aren’t settling for halfway solutions. They’re locking down their data from every angle and setting a higher standard for what real security looks like.
Which Best Describes Your Current Data Loss Prevention (DLP) Setup?
Data loss prevention setups in the testing stage for 43% of data protection officers
The path to stronger data protection is clear, but not everyone is moving at the same speed:
Most organizations are still figuring out their approach to data loss prevention. Of our audience, 43% are in the testing stage of their current data loss prevention (DLP) setup, exploring what works without fully locking in a strategy. Another 37% have started rolling out solutions but haven’t reached full implementation. Only 16% have a fully established DLP program, and just 4% have deployed it organization-wide.
This slow adoption isn’t stopping the market from growing fast. With the DLP industry expected to reach $7 billion by 2030, organizations clearly understand the stakes. Protecting sensitive data has become a top priority, especially with remote work expanding the risks.
What Is Your Biggest Challenge When Managing Encryption Across Multiple Vendors?
Compliance the biggest challenge in managing encryption across multiple vendors for 100% of data protection officers
There’s unanimous agreement on what makes managing encryption across vendors so challenging:
Across the board, vendor compliance is the top challenge when it comes to managing encryption across multiple vendors. With 100% pointing to this as their biggest hurdle, it’s clear that working across different systems isn’t as seamless as it should be.
One major issue is the lack of standardized encryption protocols. Without universal standards, integrating solutions from multiple vendors becomes complicated, leading to inefficiencies and, more critically, potential security gaps. Until standards catch up, organizations will need to stay proactive in managing these complexities to keep their data protected.
What’s Your Top Concern When Securing Data Across Hybrid Environments?
Cloud exposure the biggest problem in securing data across hybrid environments for 73%
Hybrid environments present a clear split in what organizations see as their biggest security challenge:
Cloud exposure is the top concern when securing data across hybrid environments, with 73% of data protection officers in the US pointing to it as their biggest challenge. Moving between on-premises systems and multiple cloud platforms creates gaps that are hard to close without the right tools. Governance tools, automation, and emerging AI solutions are helping organizations standardize security policies across these complex environments, reducing the risks that come with inconsistent controls.
Meanwhile, 27% say access control is their primary worry. Managing who has access to what becomes far more complicated in hybrid setups, making identity and access management a critical part of any security strategy.
Where Do You See The Highest Risk For Data Leakage?
87% of data protection officers rank insider threats as the highest data leakage risk
Data leakage risks come from many directions, but one stands out:
Insider threats dominate as the biggest concern for data leakage, with 87% of data protection officers pointing to them as their highest risk. And it’s not just a worry, it’s where the money is going. Insider risk management budgets have more than doubled over the past year, rising from 8.2% of total cybersecurity spending in 2023 to 16.5% in 2024. The cost of these incidents is rising, too, with the average annual cost of insider threats now reaching $17.4 million.
While insider threats lead the list, other risks haven’t disappeared. 5% of data protection officers highlight remote work as a concern, largely because it expands the perimeter and makes monitoring more difficult. 4% say file sharing poses the biggest risk, especially when sensitive data moves between unsecured platforms. Another 4% point to cloud platforms, where misconfigurations and weak controls can create gaps if not managed carefully.
These findings paint a clear picture. While insider threats demand the most attention and budget, data protection officers can’t afford to ignore the broader risk landscape.
Which Compliance Framework Most Influences Your Encryption Standards?
GDPR influences 39% of data protection officers' encryption standards
When building data security strategies, organizations take their cues from a range of established frameworks:
Compliance frameworks set the tone for how organizations approach encryption, and right now, the GDPR leads the way, with 39% of US data protection officers saying it has the biggest influence on their standards. As the Future of Privacy Forum, a US-based advocacy group focused on data privacy, puts it, the GDPR has had an “unprecedented regulatory impact around the world,” inspiring laws everywhere from California to India. Its reach is growing even further with new regulations like the EU AI Act, keeping it at the center of global privacy conversations.
HIPAA shapes the approach for 30% of data protection officers, especially where health data is on the line. The CCPA drives decisions for 16%, presumably mostly among companies doing business in California. Another 13% follow PCI DSS to stay on top of payment security, and 1% look to ISO 27001 for broader data protection controls. Wherever the influence comes from, encryption strategies are evolving fast to keep pace with rising privacy expectations.
Which Factor Most Limits Your Current Data Privacy Initiatives?
Outdated tech limits data privacy initiatives for 100% of data protection officers
There’s full agreement on what’s slowing progress toward stronger data protection:
There’s no question about what’s standing in the way of stronger data privacy efforts. All 21,377 data protection officers in our audience say outdated technology is the primary limitation in their current data privacy initiatives.
That’s no surprise: studies show that 80% of organizations admit that outdated technology holds back innovation, and 94% of C-suite leaders say legacy infrastructure limits their ability to respond quickly to new challenges. Until these aging systems are replaced, moving data privacy programs forward will remain a slow and frustrating process.
Which Emerging Risk Keeps You Most Alert In Your Daily Role?
Ransomware a daily concern for 74% of data protection officers
Emerging risks are keeping data protection teams on high alert, but one threat rises above the rest:
When it comes to emerging risks that data protection officers are most alert to in their daily role, 74% say ransomware is the biggest concern. This concern is well-founded. The 2024 Verizon Data Breach Investigations Report shows ransomware was involved in 235 breaches, and when combined with other extortion tactics, that number climbs to 32%.
Another 19% of data protection officers worry most about the general misuse of data and systems. This risk often flies under the radar but can lead to significant exposure. Supply chain vulnerabilities are the top concern for 4%. Verizon reports that supply chain-related breaches now account for 15% of incidents, a sharp 68% increase from last year, highlighting how quickly this risk is growing.
Human error remains a critical factor for 3%. That’s surprising considering Verizon found it contributes to 28% of breaches. Rounding out the list, only 1% are most concerned with shadow IT, where unknown or unmanaged tools quietly increase risk behind the scenes.
This suggests that while ransomware may top the list of daily concerns, growing risks like data misuse, supply chain vulnerabilities, and human error show that the threat landscape is broad and evolving.
Even lower-profile issues like shadow IT pose hidden dangers, highlighting the need for comprehensive, adaptable security strategies.
Where Is Your Team Mainly Based?
66% of data protection officers’ teams are based in New York
Most data protection teams are based in major business hubs, and the numbers show a clear concentration:
Of our audience, 66% of US data protection officers have teams primarily based in New York. With its position as a global financial and corporate center, New York remains a natural choice for companies focused on high-level data security and compliance.
Another 34% say their teams are based in Chicago. Known for its strong presence in the financial and healthcare sectors, Chicago continues to be a key location for organizations managing sensitive data and privacy initiatives.
Both cities are likely to remain at the forefront as data privacy demands grow and new regulations emerge.
These insights from data protection officers highlight exactly where the pressure points are and where opportunities for improvement lie. From tackling ransomware head-on to modernizing outdated technology and closing compliance gaps, the message is clear: staying ahead of data privacy risks means taking bold, proactive steps.
Methodology
This data is based on a representative sample of 21,377 USA Data Protection Officers across platforms including X, Quora, Reddit, TikTok, Bluesky, and Threads. All responses are inferred within a 65% confidence interval and a 17% margin of error. Engagement reflects how many individuals participated in conversations relevant to data privacy in the USA. Demographics are inferred using metadata such as usernames, locations, and bio descriptions. User privacy is protected using k-anonymity and differential privacy. These results are based on publicly shared online data; no direct survey questions were asked to individuals in the sample.
About the representative sample:
- 64% of data protection officers in the USA are over the age of 45.
- 59% identify as male and 41% as female.
- The largest number (37%) earn between $200,000 and $500,000 annually.
- 51% are based in the Pacific US and 23% in the East North Central.