Knowledge Hub
Key Publications & Reports
Specific, authoritative privacy and data-protection publications worth knowing exist — regulator and expert-body guidance, opinions and recommendations, and recognised research. Grouped by domain.
What's listed: official guidance, opinions and recommendations from regulators and recognised bodies, plus research with a disclosed methodology. What isn't: legislation (see Regulators), standards and frameworks (see Standards & Frameworks), and vendor marketing. Time-sensitive reports are kept for about two years; older editions are retired.
EU/UK GDPR Core Guidance (20)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| EDPB | Guidelines on personal data breach notification | Guidelines 01/2021 | 2021 |
| EDPB | Guidelines on the concepts of controller and processor | Guidelines 07/2020 | 2021 |
| EDPB | Guidelines on transparency under Regulation 2016/679 | Guidelines 2/2018 | 2018 |
| EDPB | Guidelines on the right to data portability | Guidelines 5/2019 | 2019 |
| EDPB | Guidelines on the territorial scope of the GDPR | Guidelines 3/2018 | 2019 |
| EDPB | Guidelines on data protection by design and by default | Guidelines 4/2019 | 2020 |
| EDPB | Guidelines on the right to erasure | Guidelines 5/2018 | 2019 |
| EDPB | Guidelines on processing of personal data through video devices | Guidelines 3/2019 | 2020 |
| EDPB | Guidelines on purpose limitation | WP203 | 2013 |
| EDPB | Guidelines on Data Protection Officers | WP243 rev.01 | 2017 |
| EDPB | Guidelines on consent under Regulation 2016/679 | WP259 rev.01 | 2018 |
| EDPB | Opinion on the notion of legitimate interests | WP217 | 2014 |
| EDPB | Guidelines on the right of access | Guidelines 01/2022 | 2023 |
| EDPB | Guidelines on the interplay between Article 3 and Chapter V | Guidelines 05/2021 | 2022 |
| ICO | Guide to the UK GDPR | — | 2021 |
| ICO | Accountability and Governance guidance | — | 2020 |
| ICO | Data Protection Impact Assessments guidance | — | 2021 |
| ICO | Records of Processing Activities guidance | — | 2021 |
| EDPB | Guidelines on codes of conduct as tools for transfers | Guidelines 04/2021 | 2022 |
| EDPB | Annual Report 2023 (published 2024) | — | 2024 |
International Data Transfers (12)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| EDPB | Recommendations on measures that supplement transfer tools | Recommendations 01/2020 | 2021 |
| ICO | International data transfer agreement (IDTA) | — | 2022 |
| ICO | International data transfer addendum to EU SCCs | — | 2022 |
| ICO | Transfer Risk Assessment guidance | — | 2022 |
| EDPB | Recommendations on the European Essential Guarantees | Recommendations 02/2020 | 2020 |
| EDPB | Opinion on the UK adequacy decisions | Opinion 14/2021 | 2021 |
| EDPB | Adequacy referential | WP254 rev.01 | 2018 |
| EDPB | Guidelines on binding corporate rules for processors | Guidelines 07/2022 | 2022 |
| EDPB | Guidelines on binding corporate rules for controllers | Guidelines 05/2022 | 2022 |
| OECD | Declaration on Government Access to Personal Data held by Private Sector Entities | — | 2022 |
| EDPB | Information note on data transfers to the US post-Schrems II | — | 2020 |
| EDPB | Guidelines on the interplay between Article 3 and Chapter V GDPR | Guidelines 05/2021 | 2022 |
Data Breach & Security (10)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| EDPB | Guidelines on personal data breach notification under GDPR | Guidelines 01/2021 | 2021 |
| EDPB | Guidelines on personal data breach notification | WP250 rev.01 | 2018 |
| ENISA | Threat Landscape 2024 | — | 2024 |
| ENISA | Data pseudonymisation: Advanced implementation guide | — | 2022 |
| ENISA | Technical guidelines for the implementation of minimum security measures for DSPs | — | 2017 |
| NIST | Guide to Protecting the Confidentiality of PII | SP 800-122 | 2010 |
| ICO | Guidance on security of personal data | — | 2022 |
| UK NCSC | Cyber Security Toolkit for Boards | — | 2023 |
| IBM / Ponemon Institute | Cost of a Data Breach Report 2024 | — | 2024 |
| Verizon | Data Breach Investigations Report 2024 | DBIR 2024 | 2024 |
AI & Automated Decision-Making (10)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| EDPB | Guidelines on automated individual decision-making and profiling | Guidelines 5/2017 | 2018 |
| EDPB | Guidelines on Artificial Intelligence and data protection | Guidelines 02/2024 | 2024 |
| ICO | Guidance on AI and data protection | — | 2023 |
| ICO / Alan Turing Institute | Explaining decisions made with AI | — | 2020 |
| OECD | Recommendation of the Council on Artificial Intelligence | OECD/LEGAL/0449 | 2019 |
| ICO | Data protection and AI auditing framework | — | 2022 |
| Ada Lovelace Institute | Algorithmic Impact Assessment: A Case Study in Healthcare | — | 2022 |
| Ada Lovelace Institute | Examining the Black Box: Tools for Assessing Algorithmic Systems | — | 2020 |
| FPF | Understanding Automated Decisions | — | 2019 |
| ENISA | Artificial Intelligence Cybersecurity Challenges | — | 2021 |
Children's Privacy (9)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| ICO | Age Appropriate Design Code (Children's Code) | — | 2021 |
| ICO | Children's code guidance and resources | — | 2022 |
| EDPB | Opinion on age verification and parental consent | WP181 | 2011 |
| UNICEF | Children's Online Privacy and Freedom of Expression | — | 2018 |
| FPF | Student Privacy Compass resources | — | 2023 |
| 5Rights Foundation | Risky Business: Children and Online Privacy | — | 2021 |
| ICO | Children's privacy — regulatory approach and strategy | — | 2022 |
| OFCOM | Children's safety online technology guide | — | 2023 |
| EDPB | Opinion on age assurance | Opinion 08/2024 | 2024 |
Health & Biometric Data (10)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| EDPB | Guidelines on processing of health data for research | Guidelines 03/2019 | 2019 |
| EDPB | Opinion on the European Health Data Space | Opinion 03/2021 | 2021 |
| EDPB | Guidelines on the use of location data in the context of COVID-19 | Guidelines 04/2020 | 2020 |
| EDPB | Guidelines on processing of genetic data | Guidelines 05/2023 | 2023 |
| EDPB | Guidelines on scientific research under GDPR | Guidelines 1/2026 | 2026 |
| ICO | Special category data guidance | — | 2021 |
| ICO | Guidance on processing health data | — | 2022 |
| ENISA | Pseudonymisation techniques and best practices | — | 2019 |
| WHO | Ethics and Governance of Artificial Intelligence for Health | — | 2021 |
| ENISA | Data protection engineering — from theory to practice | — | 2022 |
Consent & Legitimate Interests (10)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| EDPB | Guidelines on consent under Regulation 2016/679 | Guidelines 05/2020 | 2020 |
| EDPB | Guidelines on consent under Regulation 2016/679 | WP259 rev.01 | 2018 |
| EDPB | Opinion on legitimate interest of the data controller | WP217 | 2014 |
| EDPB | Guidelines on the interplay of PSD2 and GDPR | Guidelines 06/2020 | 2020 |
| ICO | Lawful basis for processing guidance | — | 2022 |
| ICO | Consent guidance | — | 2022 |
| ICO | Legitimate interests guidance | — | 2023 |
| EDPB | Guidelines on data protection by design and by default | Guidelines 04/2019 | 2019 |
| EDPB | Opinion on the notion of personal data | WP136 | 2007 |
| EDPB | Guidelines on automated individual decision-making and profiling | WP251 rev.01 | 2018 |
Data Subject Rights (12)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| EDPB | Guidelines on the right of access | Guidelines 01/2022 | 2023 |
| EDPB | Guidelines on restrictions under Article 23 of the GDPR | Guidelines 10/2020 | 2021 |
| EDPB | Guidelines on the right to erasure | Guidelines 05/2018 | 2019 |
| EDPB | Guidelines on the right to data portability | Guidelines 05/2019 | 2019 |
| ICO | Right of access (subject access request) guidance | — | 2022 |
| ICO | Right to erasure guidance | — | 2021 |
| ICO | Right to data portability guidance | — | 2021 |
| ICO | Right to object guidance | — | 2021 |
| ICO | Exemptions guidance — data subject access requests | — | 2021 |
| EDPB | Guidelines on the right to data portability | WP242 rev.01 | 2017 |
| EDPB | Guidelines on the right to be forgotten in search engines | Guidelines 5/2019 | 2019 |
| EDPB | Interplay of ePrivacy and GDPR concerning individual rights | — | 2021 |
Privacy by Design & Engineering (7)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| EDPB | Guidelines on data protection by design and by default | Guidelines 4/2019 | 2020 |
| ENISA | Data protection engineering — from theory to practice | — | 2022 |
| ENISA | Pseudonymisation techniques and best practices | — | 2019 |
| ENISA | Privacy and data protection in mobile applications | — | 2021 |
| ICO | Privacy by design and default guidance | — | 2021 |
| ICO | Guidance on Data Protection Impact Assessments (DPIAs) | — | 2021 |
| FPF | Privacy by Design: Essential Building Blocks | — | 2022 |
International Frameworks & Instruments (7)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| OECD | Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data | — | 2013 |
| UN | Resolution on the right to privacy in the digital age | A/RES/68/167 | 2013 |
| OECD | Recommendation on Health Data Governance | OECD/LEGAL/0433 | 2017 |
| CoE / FRA / EDPS | Handbook on European Data Protection Law | — | 2018 |
| OECD | Declaration on Government Access to Personal Data | — | 2022 |
| G7 | Data Free Flow with Trust (DFFT) — Osaka Track | — | 2019 |
| UNESCO | Recommendation on the Ethics of Artificial Intelligence | — | 2021 |
Research, Statistics & Archiving (8)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| EDPB | Guidelines on processing of personal data for scientific research | Guidelines 03/2019 | 2019 |
| EDPB | Guidelines on scientific research under GDPR (updated) | Guidelines 1/2026 | 2026 |
| ICO | Research, public task and official authority guidance | — | 2021 |
| ICO | Anonymisation, pseudonymisation and privacy enhancing technologies guidance | — | 2022 |
| ONS | Data Access and Research — UK statistics authority guidance | — | 2022 |
| UKRI | Policy on open access and research data | — | 2021 |
| EDPB | Opinion on the concept of personal data | WP136 | 2007 |
| ENISA | Recommendations on shaping technology according to GDPR provisions | — | 2018 |
Marketing, Tracking & Cookies (13)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| EDPB | Guidelines on the use of location data and contact tracing tools | Guidelines 04/2020 | 2020 |
| EDPB | Guidelines on consent for online analytics and tracking | Guidelines 05/2020 | 2020 |
| EDPB | Opinion on cookie consent exemption | WP194 | 2012 |
| ICO | Guidance on cookies and similar technologies | — | 2020 |
| ICO | Direct marketing guidance | — | 2021 |
| ICO | Guide to Privacy and Electronic Communications Regulations (PECR) | — | 2021 |
| ICO | Live chat and online messaging guidance | — | 2022 |
| EDPB | Guidelines on the use of dark patterns in social media | Guidelines 03/2022 | 2022 |
| CNIL | Cookie depositing conditions | — | 2020 |
| CNIL | GDPR guides for professionals | — | 2022 |
| FPF | Understanding the Digital Advertising Ecosystem | — | 2021 |
| EDPB | Guidelines on the use of personal data in the electoral process | Guidelines 03/2019 | 2019 |
| EDPB | Opinion on online behavioural advertising | WP188 | 2010 |
Benchmarks & Profession Reports (8)
| Issuer | Title | Reference | Year |
| --- | --- | --- | --- |
| IAPP | Privacy Tech Vendor Report 2024 | — | 2024 |
| IAPP | Organizational Digital Governance Report 2024 | — | 2024 |
| IAPP | AI Governance Profession Report 2024 | — | 2024 |
| IAPP-EY | Annual Privacy Governance Report 2024 | — | 2024 |
| Cisco | Data Privacy Benchmark Study 2024 | — | 2024 |
| TrustArc | Global Privacy Benchmarks Report 2024 | — | 2024 |
| ISACA | State of Privacy 2024 | — | 2024 |
| OneTrust DataGuidance | Global Privacy Laws and Regulations Guide | — | 2024 |