Weekly Guidance Watch — 26 June 2026
Each week we surface the resources that help you do the work — authoritative guidance, tools, frameworks and the definitive reports — including the excellent-but-hard-to-find material you would otherwise only meet by accident. This is deliberately not another feed of legislation news or fines; it is about what a privacy specialist actually needs to get hold of.
New & notable
Cost of a Data Breach Report 2025
IBM, with the Ponemon Institute · Annual report · Global
What it is. The most widely cited annual breach-cost benchmark. The 2025 edition puts the global average at USD 4.44m (down 9% from USD 4.88m, the first fall in five years) and the US average at an all-time high of USD 10.22m. It reports a 241-day mean time to identify and contain a breach (a nine-year low), which it links in part to AI-assisted security. It also flags shadow AI as a USD 670k cost-adder, noting that 97% of organisations that had an AI-related incident lacked AI access controls.
Why it matters. These are the numbers privacy and security leaders cite to justify budget and board attention — and this year's AI-risk findings are directly useful for framing AI-governance business cases.
Worth surfacing
Software Development with Data Protection by Design and by Default
Datatilsynet (Norwegian Data Protection Authority) · Practical guidance · Norway / EEA
What it is. A practical, developer-facing guide to building Article 25 data protection by design and by default into the software development lifecycle, prepared by the Norwegian DPA together with security experts and software developers.
Why it matters. It is one of the most concrete, build-it-into-the-SDLC treatments of Article 25 available, anticipates much of the EDPB's data-protection-by-design guidance, and is useful as a baseline for non-software teams too — yet it is easy to miss unless you already know it exists.
Guidelines 01/2025 on Pseudonymisation
European Data Protection Board (EDPB) · Guidelines (draft) · EU / EEA
What it is. The EDPB's guidance on the legal definition of pseudonymisation under the GDPR, its benefits, and when organisations are expected to use it — covering how it supports the Article 5 principles, Article 25 data protection by design and Article 32 security, with an annex of ten worked examples (three on medical data). At the time of writing the guidelines remain in draft following public consultation.
Why it matters. It turns “pseudonymisation” from a vague label into an operational technique, with worked examples you can map onto real processing — directly useful for DPIAs, security-measure design and research data flows.
Building Accountable AI Programs: Mapping Emerging Best Practices to the CIPL Accountability Framework
Centre for Information Policy Leadership (CIPL) · White paper · Global
What it is. A CIPL white paper mapping how leading organisations are building accountable AI programmes onto CIPL's seven-element Accountability Framework — translating established privacy-accountability practice into practical AI governance.
Why it matters. As AI governance lands on the privacy team's desk, this gives you a recognised, organisation-tested structure for an AI programme — not principles, but practices you can adopt and defend.
