I have recently started my preparation for the CIPP/E Certification from the IAPP. If you don’t yet know the IAPP, they are a not-for-profit association, recognized by many and self-proclaimed the largest and most comprehensive global information privacy community. The CIPP/E is not the only IAPP promoted certification, they also promote the other CIPP concentrations; the CIPT - Certified Information Privacy Technologist; and the CIPM - Certified Information Privacy Manager, which I’m a holder. You can read about my preparation for the CIPM here.

Why CIPP?

The “what” of privacy, and why you need it.

Considered by many people the preeminent credential in the business of privacy, the program focuses on privacy laws and regulations, In other words, the “what” and “why” of privacy.

It will show the world that you know privacy laws and regulations and how to apply them, and that you know how to secure your place in the information economy. IAPP Website

It is a natural complement to the CIPM certification that focuses on a privacy program management (the “how” of privacy operations), that of course, covers some aspects of privacy laws, but in a broad and general way. This is where the CIPP complements with the specifics of the laws. There are four CIPP concentrations, each focused on a specific region, I choose the CIPP/E focused on the European data protection laws.

Why the European concentration?

One might wonder why I choose the European concentration of the CIPP program. The CIPP/E certification program encompasses pan-European and national data protection laws, key privacy terminology and practical concepts concerning the protection of personal data and trans-border data flows. Not only the GDPR is currently the most relevant law on data protection, but also it was clearly used as a reference to the recent Brazilian data protection law. Although it worth to mention that the CIPP/E is not only about the GDPR. Another reason is that the IAPP does not (should I say yet?) promotes a CIPP concentration based on the Brazilian law.

What is in the body of knowledge?

The current outline of the body of knowledge for the CIPP/E is available at the IAPP website in PDF form, but I summarized it in a mind map for my own study process:

The major areas of the body of knowledge are:

• Introduction to European Data Protection
• European Data Protection Law and Regulation
• Compliance with European Data Protection Law and Regulation

How have I prepared?

The IAPP recommends a minimum of 30 hours of study to prepare for their certifications. I see no value in counting hours, sometimes I have great fully concentrated 30 minutes study sessions, occasionally I try to cram some content for hours with no retention or learning at all. So, as I normally do, I didn’t count hours. My main resource for my preparation was the official CIPP/E textbook, from the content of the book I’ve created my own mind maps. Another valuable resource was the European Union official website particularly for information on EU Institutions, relevant for the exam and my weakest topic in the CIPP/E body of knowledge.

Exam Day

This was not my first IAPP exam, but the experience was a little bit different as the IAPP changed their exam proctoring partner from Kryterion to Pearson VUE. Another venue, slightly different check-in procedure, everything comprehensive described in the instructions you get after registering and as well as when you arrive at the test center.

Once you pass the check-in process, you sit in front of the computer, accept the NDA, and terms of the exam, and from that moment on, you will have 150 minutes to answer the 90 multiple-choice questions. You will be able to freely browse through all items, answer them and go back to change your answer later if you like, you can also flag questions, so you can review them before submitting the exam.

In an exam like that, I tend to follow the strategy described in this post, which consists of 3 passes through the questions. In the first pass, I quickly went through all the questions, answered all, flagged some for review. In the second pass, I reviewed the flagged items, removing the flag from those I was confident in the selected answer. In the third and last pass, I spent all the remaining time on those questions still flagged. I followed this strategy, and after the third pass, I had 3 or 4 flagged questions. At that point, I had some degree of confidence that those questions wouldn’t make me fail the exam. Confirm submission? YES!

Topic Level Scoring:

I. Introduction to European Data Protection 70%

II. European Data Protection Law and Regulation 92%

III. Compliance with European Data Protection Law and Regulation 85%

Immediately after submission, you get your result. For those of you who will sit for the exam after reading this, I hope it is a PASS.