Over the past decade, the privacy profession has shifted from a niche function to a core pillar of organisational governance. Yet even as companies invest more heavily in data protection, privacy performance varies sharply. New research from the 2025 Global Privacy Benchmarks Report shows a clear dividing line: organisations with centralised privacy teams consistently outperform those using fragmented or decentralised models.
As regulatory expectations intensify and AI systems create new layers of complexity, the structure of a privacy team has never mattered more. For employers facing rising workloads, skills shortages and constant enforcement pressure, the question is no longer whether to centralise privacy operations, but how.
Why centralised teams perform better
The TrustArc report identifies a distinct performance formula among high‑achieving privacy programmes, and centralisation is at its core. According to the data, 39% of high‑performing organisations use centralised privacy teams, and these teams score above both hub‑and‑spoke and decentralised models on the Global Privacy Index.
The advantages are multi‑layered. Centralised teams benefit from clearer accountability, a unified risk register and consistent interpretation of regulatory standards. In an era when privacy laws are evolving across jurisdictions - with 144 countries now enforcing national privacy regulations, covering roughly 82% of the global population - fragmentation is becoming a liability.
By contrast, centralised models reduce duplication, accelerate decision‑making, and enable organisations to respond more quickly to new guidance from regulators such as the European Data Protection Board. This agility is essential when enforcement frameworks increasingly test the practical effectiveness of privacy controls, not just the existence of policies.
Measuring what matters
One striking finding from the same report is the contrast between organisations that measure their privacy performance and those that do not. 82% of medium and large organisations actively measure their privacy programmes, achieving an average competence score of 74%. Those that do not measure score just 35% - a failing grade.
Centralised teams are far more likely to adopt standardised metrics, audit processes and clearer definitions of risk ownership. Measurement reinforces accountability, strengthens business cases for resources and ensures privacy leaders can communicate effectively with boards, who are increasingly scrutinising privacy as part of broader digital governance.
Why decentralisation is losing ground
Although decentralised models once promised flexibility, today they often struggle under the weight of modern privacy demands. With AI regulation intersecting directly with GDPR and other global laws, privacy obligations increasingly require cross‑functional interpretation and consistent governance. Dispersed teams rarely have the mandate or visibility to deliver this.
The growing overlap of privacy, cybersecurity and AI governance is accelerating this shift. Research shows that privacy teams are now expected to influence areas ranging from machine‑learning risk assessments to data‑minimisation strategies in digital products. Fragmented structures make this integration harder, leaving organisations vulnerable to blind spots.
The skills challenge
While centralisation offers clear performance advantages, many organisations face a critical barrier: the talent shortage. ISACA’s State of Privacy 2025 report indicates that 73% of employers find expert‑level privacy professionals the hardest to hire, with shortages intensified by competing pressures such as AI regulation, international data transfers and complex subject‑rights handling.
For organisations planning to restructure their privacy function, this means hiring strategically: focusing on roles with both depth (legal, regulatory, technical expertise) and breadth (cross‑functional collaboration, risk communication, AI governance literacy).
How to build a centralised privacy function
Building an effective centralised privacy team requires both structural change and cultural alignment. Organisations making the transition should:
1. Define ownership clearly
A centralised team should hold ultimate accountability for privacy governance, policies, training, data‑protection impact assessments and regulatory engagement, even if operational responsibilities are shared with business units.
2. Invest in multidisciplinary expertise
As privacy converges with AI, cybersecurity and ethics, teams need specialists capable of interpreting technical risks. Hybrid skillsets are becoming the foundation of high‑performing privacy functions.
3. Establish consistent processes
Standardised workflows - especially around data mapping, incident response, DPIAs and rights requests - reduce errors and ensure regulators see a coherent, reliable governance model.
4. Adopt a metrics‑driven approach
Measurement is now a differentiator. Organisations that track KPIs for privacy maturity, staff awareness, response times and compliance outcomes are better positioned to demonstrate accountability.
5. Centralise tooling and technology
Purpose‑built privacy platforms improve accuracy, reduce manual effort and allow for more defensible audit trails. High‑performing teams lean heavily on automation to handle operational volume.
Preparing for what comes next
With the EU AI Act continuing to phase in through 2027, and the Digital Omnibus proposing a re‑alignment of GDPR, the privacy landscape is entering its most transformative period since the regulation’s introduction. Organisations that continue to rely on decentralised privacy models risk falling behind.
Centralisation isn’t just an efficiency measure; it is a resilience strategy. In a world where privacy, AI and digital governance are converging, a unified privacy team is becoming a competitive advantage.