Diletta De Cicco advises clients on cybersecurity, data and privacy issues. In particular, she assists clients to comply with existing EU and national cybersecurity, data and privacy laws, such as the NIS Directive, GDPR and the Cybersecurity Act, and on upcoming developments, such as the AI Act and the ePrivacy Regulation.

She has experience managing incidents in a cross-border context, where it is necessary to consider multiple cybersecurity, privacy and other regulatory and enforcement frameworks. Her work helps clients in developing compliance and awareness programmes and dealing with global data transfer mechanisms and the negotiation of data processing agreements.

Diletta holds a Certified Information Privacy Professional/Europe (CIPP/E) certification, as well as a Data Protection Officer Certificate from Maastricht University. She is a member of the International Association of Privacy Professionals (IAPP), now a chair of the Brussels KnowledgeNet Chapter and a member of the IAPP Diversity in Privacy Board. She also serves as a project lead at W@Privacy.

Diletta is an academic assistant at CRIDES, UCLouvain, part of the research group Data, Robotics, Artificial Intelligence, Law and Society (DRAILS). In 2022, she was recognised as one of the 100 most powerful cyber women by the Wome4Cyber Foundation in its book Hacking gender barriers, Europe top cyber women. She speaks English, Italian and French.

Award Mouse thought multimedia interface book medal screen monitor
  • Assisted a cryptocurrency player in the cybersecurity and privacy compliance aspects of its global operations and online platforms taking EU GDPR as a benchmark.
  • Assisted a podcast platform in dealing with information requirements under the GDPR and ePrivacy Directive, including drafting the website’s privacy notice and cookies notice.
  • Worked on the development and setup of an API used to facilitate acceptance by merchants of cryptocurrency as means of payment on their platforms. From a privacy compliance point of view, the indirect collection of data and complexity of the supply chain made the representation particularly innovative.
  • Participated in the deployment of a cryptocurrency designed as digital cash on phones by reviewing privacy settings and disclosure language.
  • Counselled various clients with global operations in assessing the impact of the EU developments around personal data transfers post-Schrems II decision and in implementing supplementary measures for data transfers. A data transfer tool we developed was used for assessing and documenting the steps undertaken to authorise the data transfers to take place on the basis of standard contractual clauses.
  • Contributed (in a personal capacity) to the INTERLINK consortium, a Horizon 2020 project, aiming at developing a new collaborative governance model between administrations and private partners, including citizens. INTERLINK will provide a set of digital building blocks, called “Interlinkers”, with the view to implement the defined governance model and standardise the basic functionalities needed to enable private actors to cooperate in the delivery of a service.
  • Assisted a global insurance brokers group of companies in ensuring their readiness for uninterrupted personal data flows at the end of the Brexit transition period, taking into account the upcoming revision of standard contractual clauses and the post-Schrems II situation.
  • Assisted a client in developing a line of defence and arguments to challenge the request from a non-EEA-based enforcement to access the personal data of some of its EU-based customers, while preserving a good level of cooperation and constructive dialogue.
  • Counselled an international financial service institution in assessing roles of parties under GDPR and consequent compliance steps (including applicable contractual settings) in relation to the development of an e-wallet API. The representation included a determination of the likely GDPR nexus arising from the specifics of the EMV SRC “Click to Pay” standards.
  • Represented ILGA Europe on a pro bono basis in the privacy and cybersecurity aspects of the Hub, a resource-sharing tool for LGBTI activists in Europe and Central Asia.
  • Represented a major insurance group in its integration of EU operations from a cybersecurity and data privacy point of view.*
  • Assisted a regulated institution in the management, follow-up and remediation of a data breach. The representation includes dealing with the cross-border regulatory context.*
  • Counselled a chemical manufacturer in the privacy aspects of the deployment of a whistleblowing hotline solution.*
  • Advised, on a pro bono basis, the Red Cross EU Office, the European Council on Refugees and Exiles, Medair and the International Lesbian, Gay, Trans & Intersex Association in the review of their data mapping, legal basis for processing, privacy notices and privacy policies, and in their vendor remediation exercise.*
  • Represented clients in the cybersecurity and data privacy aspects of due diligence, SPA negotiation and integration.*
  • Counselled a Chinese financial institution in relation to the technical standards, organisational measures and incident reporting under the PSD2 and the interplay with GDPR and national laws implementing the NIS Directive.*
  • Assisted US B2B marketing companies, email service providers, payment services providers and an actor in the entertainment industry in assessing the impact of GDPR on their operations.*
  • Represented a hospitality client in the management of a high-profile data breach of its booking platform.*
  • Counselled an international financial service institution in designing and implementing a cloud-based SaaS monitoring tool aiming to protect the integrity of its systems and networks.*
  • Advised the United Nations regarding international legal issues related to e-evidence and processing of personal data for law enforcement purposes.*
  • Represented an Italian brand of shoes and clothing in its GDPR readiness exercise.
  • Assisted a global company providing payment solutions for an e-commerce app in assessing its role (data controller/data processor) and related requirements under GDPR.*
  • Advised clients in a number of industries, such as financial, marketing and insurance, in the drafting and negotiation of Art. 28 GDPR data processing agreements, representing both controllers and processors.*
  • Represented a leading supplier of automotive parts in dealing with the data privacy aspects of its global HR management and operations. The representation includes the assessment of the role of various group entities and analysing appropriate data transfer mechanisms to support the exchange of data necessary for staff appraisal.*
  • Developed a structured approach to GDPR compliance for several trade associations in multiple EU countries.*
  • Contributed to the HTNG Working Group on GDPR. The outcome is a white paper and self-assessment tool adopted in March 2018. The white paper describes key considerations of GDPR for the hospitality industry. The assessment tool aims to help professionals in the industry to evaluate their company’s ability to comply with the new regulation. Over 50 companies (from hotel brands, to software companies) participated in HTNG’s GDPR for Hospitality Workgroup.*

*Matters handled at a prior firm.


  • Maastricht European Center of Privacy and Cybersecurity, DPO Certification Course, 2016
  • College of Europe, LL.M., 2016
  • Salento University, Master’s Degree, 2015


  • Brussels, 2020
  • Lecce, 2019


  • English
  • Italian
  • French

{{insights.date}} {{insights.type}} {{insights.contentTypeTag}}
{{blog.title}} {{blog.source}}

  • Speaker, “Practical Perspectives on International Transfers”, CPDP Conference, Brussels, 25 May 2022.
  • Speaker, “Cookies ... Old Recipe, Bad Taste?” IAPP Virtual Conference, 30 March 2022.
  • Speaker, “Virtual New Delhi KnowledgeNet”, IAPP KnowledgeNet Meeting, 25 March 2022.
  • Speaker, “The EU Al Act – Towards a ’Human-Centric’ Al”, Law & Tech Course UCLouvain, 2 March 2022.
  • Speaker, “The Challenges of the Digitalization of the Sector: Artificial Intelligence Cyberattacks?” Abilways (Belgium) Compliance and Insurance Conference, 25 February 2022.
  • Speaker, “Law & Tech Governance Inaugural Lecture”, Law & Tech Course UCLouvain, 9 February 2022.
  • Speaker, “Workshop: Cybersecurity & Pharma: Patient Data, Public Perception & Preventing Attacks”, European Pharma Law Academy Day 5, Brexit & Beyond – Legal & Regulatory Compliance Issues, 21 January 2022.
  • Speaker, “Open Talk Around the EU Regulation of #AI”, Research Group on Data, Robotics, Artificial Intelligence, Law & Society (DRAILS), 4 May 2021.
  • Speaker, “2021 Privacy Challenges: Women Leading Privacy Have Their Say”, International Association of Privacy Professionals International Women’s Day Virtual Event, 11 March 2021.
  • Speaker, “Privacy is Fundamental, Right?” EU Law and Human Rights Course of the CEELI Institute, Prague, Czech Republic, 26 February 2021.
  • Speaker, “Shifting Responsibilities: The Challenges of Joint-Controllership”, Computer, Privacy & Data Protection International Conference, 28 January 2021.
  • Speaker, “Brexit and International Transfers of Personal Data 5 Action Points in 15 Days”, BIPAR Webinar, 14 December 2020.
  • Speaker, “Privacy & Cybersecurity Brexit Planning: 15 Actions in 15 Days Before the UK Goes Away”, CLEPA Webinar Series, 9 December 2020.
  • Speaker, “Data as a (New) Core Company Asset to Protect: Who’s Who?” UCLouvain Cybersecurity Month Seminars, 29 October 2020.
  • Speaker, “A Fireside Chat with Commissioner Didier Reynders on Europe’s Digital Future & Where Does Privacy Stand?” IAPP Brussels KnowledgeNet Chapter Meeting, Brussels, Belgium, 27 October 2020.
  • Speaker, “Cybersecurity as a Key European Policy: Right or Wrong?” Louvain-La-Neuve University Online Courses, 22 October 2020.
  • Speaker, “An Inside View from the Lawyer that Defended Max Schrems”, IAPP Brussels, Luxembourg, and Paris Joint KnowledgeNet Chapter Meeting, 24 September 2020.
  • Speaker, “Workshop: Cybersecurity & Pharma: Patient Data, Public Perception & Preventing Attacks”, EU Pharma Law Academy, 24 September 2020.
  • Speaker, “GDPR Second Year Anniversary Quiz”, International Association of Privacy Professionals, 25 May 2020.
  • Speaker, “Is Certification the Future of Privacy? Yes, No, Maybe?” International Association of Privacy Professionals Brussels KnowledgeNet Chapter, 3 February 2020.
  • Speaker, “Celebrate Data Privacy Day 2020”, International Association of Privacy Professionals Brussels KnowledgeNet Chapter, 28 January 2020.
  • Speaker, “Brexit, What does it mean?” Annual Hotels Technology Next Generation (HTNG) European Conference, Monte Carlo, Monaco, 18-19 November 2019.
  • Speaker, “University of Louvain Debate: Would You Trade Privacy Rights Against Data Security? Is There A (Healthy) Cyber Balance?” University of Louvain, Louvain, Belgium, 31 October 2019.
  • Speaker, “WWW (or What we Want for your Website)”, European Pro Bono Alliance, 25 October 2019.
  • Speaker, “Cybersecurity & Pharma: Patient Data, Public Perception & Preventing Attacks”, European Pharma Law Academy, Cambridge, UK, 9-12 September 2019.
  • Speaker, “GDPR After GDPR Day: Which Rating Does it Deserve?” Data Protection Forum Association of Consumer Credit Information Suppliers, Brussels, Belgium, 13 March 2019.
  • Speaker, “Drafting Vendor Agreements to Comply With EU GDPR: Steps to Take Now”, Strafford Webinar, 31 January 2019.
  • Speaker, “The Impact of GDPR on Clinical Trials”, Patient Engagement Through Education (EUPATI) Webinar, 29 October 2018.
  • Speaker, “GDPR & Data Breaches Management: 5 Lessons Learned”, European Conference of Hotel Technology Next Generation (HTNG), Lisbon, Portugal, 23-24 October 2018.
  • Speaker, “Public Affairs Post-GDPR: What You Need to Know”, Public Affairs Council Webinar, 12 June 2018.
  • Speaker, “GDPR Workshop – GDPR is There: Are you Ready?” European Council of Optometry and Optics Annual General Assembly, Pula, Croatia, 30 May 2018.
  • Speaker, “GDPR Workshop – GDPR is Coming: Are you Ready?” European Council of Optometry and Optics, 11 May 2018.
  • Speaker, “General Data Protection Regulation and NGOs: Are you Ready?” Advocates for International Development, 24 April 2018.
  • Speaker, “GDPR Breakfast Session”, United Network of Interventional Corporate Events Organizers, 30 March 2018.
  • Speaker, “Skills Development Program”, European Public Affairs Consultancies’ Association (EPACA), 26 March 2018.
  • Speaker, “General Data Protection Regulation”, Association of Mutual Insurers and Insurance Cooperatives in Europe (AMICE), Brussels, Belgium, 21 March 2018.
  • Speaker, “Legal Perspectives”, Humentum Legal Roundtable Covering Trending Cyber & Data Issues, Washington DC, 8 March 2018.

Award Mouse thought multimedia interface book medal screen monitor