For marketers
who love technology
Home » , , , » Free study material for IAPP CIPM / CIPP / CIPT privacy certification & practice test - part 1

Free study material for IAPP CIPM / CIPP / CIPT privacy certification & practice test - part 1

When preparing CIPT, CIPP/e and other certification exams from the International Association of Privacy Professionals I found very limited free preparation material and test quizzes. So, I thought I might as well share my notes as a cheat sheet on this blog. They come from my reading of several reference books and training materials, etc.

Enjoy and save a lot of money!

Key concepts to be known for the CIPP and CIPT exams come below. If you want to read more on privacy related subjects, you should to have a look to the textbooks:
Reference material on IAPP CIPP and CIPT privacy certification Good books for preparing IAPP CIPP privacy exams

PS: have a look to part 2 of these notes to have a complete overview of what you need to remember to succeed in the exams.

Privacy definitions for IAPP certifications

  • Privacy is the right to be left alone
  • Information privacy / data protection (EU) : rights and obligation wrt collection use retention disclosure and disposal of personal information
  • Privacy categories: there is also bodily privacy (no finger in the ass please), territorial privacy (no trespassing) communication privacy (stop reading my emails) 
  • Personal information / data = related to an identified or identifiable individual
  • sensitive personal information = must be even better protected. Related to medical records, sexual life etc. Processing it requires explicit consent from the data subject in most cases.
  • Processing: anything you do with data is considered as "processing" from the legal side
  • Privacy notice = externauser-facingng privacy statement
  • Privacy Policy= internal statements defining information practices
  • Roles wrt data processing: data subject, data controller (defines why / how to process data), data processor (does the processing), privacy authority
  • Information life-cycle: collect, use, disclose, store & destroy
  • Opt-in: need explicit consent, opt-out: can do as long as data subject does not explicitly objects  
  • Threat: any event with the potential to adversely affect operations / assets. 
  • Active data collection: the data subject actively provides the data (e.g., through a form). Passive: e.g., through proxy and server logs.

Legal Frameworks Regulating Privacy

  • Fair Information Practices (1973): fundamental rights of data subjects for governmental use of personal information: notice, choice, consent, access, security, quality, collection limitation, appropriate use, retention, limited disclosure, management and administration, monitoring and enforcement
  • This list is hard to remember; so, categories help: 
    • Rights of the individual: notice, choice, consent, access
    • Controls: security, quality, collection limitation, appropriate use, retention, limited disclosure, monitoring, and enforcement
    • Lifecycle
    • Management 
  • Privacy protection approaches depending on countries:  sectoral (heath, credit, ads... like in Brazil) vs comprehensive approach (like in EU) vs co-regulatory model including laws and binding industry codes (like in Australia and Canada). 
  • OECD guidelines (1980): collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, accountability.
  • Followed by Council of Europe (COE) in 1981, a convention for data processing in public and private sectors. It covers also the trans-border exchanges of data and inter-state collaboration: US safe harbor, third party countries with "adequate" privacy protections... 
    • Switzerland, Iceland, Norway are European Free Trade Association (EFTA) members and follow the EU privacy directive. Switzerland has "adequate" privacy protections that simplify data exchanges with EU countries.
  • EU 95/46/EC directive (1995) is a comprehensive legal framework for the processing of individual data. 
  • Other EU data protection laws: EU e-privacy directive 2002 + EU cookie directive 2009  + article 29 working party
  • Asia: APEC privacy Framework (2004)
  • EU framework is probably the toughest in the world. For instance, employee data is better protected than in the USA.
  • Some countries have two legal layers  - federal vs state laws: 
    • EU law: EU members need to pass national laws to be consistent with the EU privacy directives.
    • USA: HiPAA (health), CoPPA (child protection), Can-SPAM (anti-spam... Some states such as Massachussets and California are in advance on these laws. For instance, location data related to children under 13 is protected by CoPPa: should be treated carefully. Cf. inmobi's fine from FCC.
    • Canada: federal privacy act vs provincial laws.
  • South America: very variable levels of protection. Uruguay and Argentina have "adequate" privacy protection according to EU.
  • Eastern European countries: most of them have similar frameworks as the EU privacy directive. Russia's law is considered as even more stringent than EU laws.
  • Middle East / Africa: little data protection in most countries. Very variable depending on countries.
  • Industry frameworks: digital advertising alliance (DAA), IAB, ...

Best Practices For Information Security and Privacy

  • There is no information privacy (rules governing collection & handling of information) without information security (protection of information). Some aspects are quite distinct: notice is pure privacy, integrity is pure security. There is also some overlap between both concepts: use, confidentiality, and access to data.
  • Security is not just technical: it involves people, processes, and technology
    •  Example: threat and vulnerabilities identification, security policies, legal/regulatory and contractual duties... 
  • ISO 27001 and 27002 cover well the organizational parts of information security. In particular, they pay attention to:
    • security policies (can I use passw0rd as password?)
    • asset management (my laptop was stolen and all my confidential work is on it. What do I do?)
    • physical and environmental security (put a lock on this door!)
    • access control (who read my personal diary?)
    • incident management (what do we do when there is a problem?)
    • compliance (are we breaching the law?)
    • organization and processes for information security (who does what)
    • HR security (hiring and stuff)
    • business continuity, purchasing, decommissioning hardware, etc.
  • The list of the main information security operations needed to ensure privacy comes below:
    1. Trainings!
    2. Information security policy definition,
    3. Data asset inventory,
    4. Risk assessment
    5. Employees / suppliers / customers credential management
    6. Process identification / data flows,
    7. Definition of technical mechanisms for data protection,
    8. Implementation of industry security standard,
    9. Implementation of standard privacy frameworks,
    10. Implementation of KPI tracking (number of outages, breaches, data losses, unauthorized access) and continuous improvement.
  • The classical threats on information security you must know for IAPP CIPT and CIPP certifications: malware, social engineering, phishing...
  • Security controls: preventive (examples: firewalls, intrusion prevention), detective (example: intrusion detection), and corrective mechanisms
  • Identity and access management (IAM): 
    • Authentication and Authorization
    • Access control: control access to network, OS, Apps, remote access...
  • You should know basics of cryptography. Authentication factors: something you have / know / are.
  • You should know the basics on the web and how it works: basic protocols, cloud, social media..
  • CIA online security triangle: Confidentiality, Integrity, Availability 

How to write a privacy notice for a website

You can get it done for about 15$ on Fiverr. Do not get ripped off by expensive lawyers :).
  • Notice is a fundamental rights of data subjects. It's not so easy to write a good privacy notice.
  • Layered privacy notices: high-level info and links to more details
I hope these notes have helped you. Now if you want to help me, you can link to this page to make it more visible on Google, it will help others in their preparation too!

More resources to prepare IAPP privacy certification exams

If you want to read more on privacy and information security subjects, I advise you to have a look to following books:


About Gilles


  1. Thanks for your helpful tips! It is a struggle to find some tips and tricks on the cipp exam. I was wondering if you have any recommendations on CIPP/E books? I have difficulties finding them... Thanks! Mandy

  2. Same problem here! I am seeking a decent comprehensive handbook so as to prepare for CIPP/E.
    Any suggestion?

  3. CIPP/E book should be released soon (late fall)

  4. Do you have CIPM text book?

  5. Can anyone recommend a digital CIPT online ressource (paper medium.. tch)

  6. You can look around in different forums (such as techexams), there is a lot of information and material. You can also use the online training from CIPPTraining dot com. This is an effective training in which all highlights are discussed and you can answer practice questions (other than those from the IAPP). A summary is also sent, so that you do not have to read the book, or less often.

  7. John Watts books for CIPP/US, what is latest version now?

  8. John Watts books for CIPP/US, what is latest version now?

  9. The official text books can be purchased through the IAPP. They have not been updated since the last change of September 1, 2019.

    1. which book was update in September 2019?

  10. The Community-Driven Education is the best to help us and provide great results. The Project Ownership Where it Belongs is amazing and I like that you shared this post for us to know about these ideas. Also from 220-902 Exam Dumps Questions I realize that it is more helpful for us.


Spam / promotional comments will be deleted. Links ok only for "real" comments. Please refer to the legal notice of this blog in case of questions.

Note: Only a member of this blog may post a comment.