Law regulations

What a DPO needs to know at every moment. First, a DPO needs to know the many laws and regulations concerning data protection and cybersecurity.


Like the GDPR, the NIS Regulations impose security and incident reporting requirements and provide for high penalties (up to £17,000,000 in the case of the NIS Regulations). Their focus is on the security of IT systems rather than the security of the personal data processed by those systems, but in practice the two regimes are inextricably linked.

EU Cybersecurity Act

A European cybersecurity certification scheme specifies three assurance levels on aspects such as, among others, resilience to accidental or malicious data loss or alteration: basic, substantial or high. The level is an indication of the requirements and evaluations the products, services or processes went through. The schemes are based on a set of rules, technical requirements, standards and procedures and cover the full life cycle of products, services or processes. Depending on the assurance level (and the risks involved), the certification would be issued by the manufacturer or provider of ICT products and services themselves (self-certification) or by either a national cybersecurity certification authority or a conformity assessment body.

The California Consumer Privacy Act (A.B. 375) affords California residents an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected. Among other novel protections, the law stipulates that consumers have the right to request the deletion of personal information, opt out of the sale of personal information, and access the personal information in a “readily useable format” that enables its transfer to third parties without hindrance.

What a DPO needs to know at every moment: Standards

Examples of what a DPO needs to know at every moment about standards:

For data encryption:

ISO/IEC 23009-4:2013 Information technology – Dynamic adaptive streaming over HTTP (DASH) – Part 4: Segment encryption and authentication

ISO 14819-6:2006 Traffic and Traveller Information (TTI) – TTI messages via traffic message coding – Part 6: Encryption and conditional access for the Radio Data System – Traffic Message Channel ALERT C coding
IEEE 802.1AEbn-2011 IEEE Standard for Local and metropolitan area networks – Media Access Control (MAC) Security Amendment 1: Galois Counter Mode – Advanced Encryption Standard – 256 (GCM-AES-256) Cipher Suite
FED-STD-1026 Interoperability and Security Requirements for Use of the Data Encryption Standard in the Physical Layer of Data Communications
FED-STD-1027 General Security Requirements for Equipment Using the Data Encryption Standard

For tokenization:

Tokenization is currently in standards definition in ANSI X9 as X9.119 Part 2. X9 is responsible for the industry standards for financial cryptography and data protection including payment card PIN management, credit and debit card encryption and related technologies and processes.

The PCI Council has also stated support for tokenization in reducing risk in data breaches, when combined with other technologies such as Point-to-Point Encryption (P2PE) and assessments of compliance to PCI DSS guidelines.

Visa Inc. released Visa Tokenization Best Practices[24] for tokenization uses in credit and debit card handling applications and services.

In March 2014, EMVCo LLC released its first payment tokenization specification for EMV.

NIST standardized the FF1 and FF3 Format-Preserving Encryption algorithms in its Special Publication 800-38G.[26]

What a DPO needs to know at every moment: Frameworks

SOC and real-time communication with developers, information security managers and system administration


Knowledge about obsolete technologies


The National Institute of Standards and Technology (NIST) advised against using SMS-based 2FA. Academics have bypassed SMS-based 2FA for a few years now, but in recent weeks, SMS-based 2FA has been proven to be broken in the real world [12]. Nevertheless, despite its problems, security researchers still recommend SMS-based 2FA over not using 2FA at all.

Statistical research – making the case to management about budget and corporate culture actions

CAMBRIDGE, Mass., April 4, 2018 /PRNewswire/ — IBM Security (NYSE: IBM) today announced results from the 2018 IBM X-Force Threat Intelligence Index which found the number of records breached dropped nearly 25 percent in 2017, as cybercriminals shifted their focus on launching ransomware and destructive attacks that lock or destruct data unless the victim pays a ransom.

Last year, more than 2.9 billion records were reported breached, down from 4 billion disclosed in 2016. While the number of records breached was still significant, ransomware reigned in 2017 as attacks such as WannaCry, NotPetya, and Bad Rabbit caused chaos across industries without contributing to the total number of compromised records reported.

Other key findings include:

  • A historic 424 percent jump in breaches related to misconfigured cloud infrastructure, largely due to human error;
  • For the second year in a row, the Financial Services industry suffered the most cyberattacks against it, accounting for 27 percent of attacks across all industries.