You Can Pass This Exam For Free
Choose Your Study Path
You work in IT, compliance, legal, or business operations but have limited experience with formal privacy programs. You need to build foundational knowledge of privacy law concepts, program management frameworks, and the operational lifecycle before tackling scenario-based questions.
Exam Overview
Format
90 multiple-choice questions (75 scored + 15 unscored pretest items) in 150 minutes (2 hours 30 minutes). Includes scenario-based questions that present real-world privacy program management challenges. Multi-select questions require selecting a specific number of correct answers. No penalty for wrong answers -- always answer every question.
Scoring
Scaled score 100-500. Passing threshold: 300 out of 500. The scaled scoring accounts for question difficulty, so the exact number of correct answers needed varies by exam form. There is no penalty for incorrect answers.
Domains & Weights
- Privacy Program Governance: 33%
- Privacy Program Framework: 24%
- Privacy Program Operational Life Cycle: 26%
- Privacy Legislation and Regulation: 17%
Registration
Exam fee is $550 USD. Register through the IAPP website (iapp.org) and schedule at Pearson VUE testing centers or remotely via OnVUE online proctoring. The retake fee is discounted to $375 USD. Certification is valid for 2 years and requires 20 CPE credits per 2-year term plus either a $250 maintenance fee or IAPP membership ($295/year).
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Privacy Program Governance
The largest domain at 33% -- expect approximately 25-30 questions. Covers establishing privacy program governance structures, defining roles and responsibilities (including the DPO), creating policies and procedures, defining privacy metrics and KPIs, training and awareness programs, and demonstrating accountability. This domain tests your ability to BUILD and LEAD a privacy program, not just understand privacy law.
Key Topics
Must-Know Concepts
- Know when a DPO is mandatory under GDPR Article 37: public authorities, core activities involving regular and systematic monitoring at large scale, or large-scale processing of special category data. The DPO must be independent and report to the highest management level
- Understand how to select privacy metrics that demonstrate accountability: DSAR response times, breach notification compliance rates, DPIA completion before processing begins, training completion percentages, audit findings remediation timelines
- Privacy policies must cover: data collection and use practices, data subject rights procedures, retention schedules, breach notification procedures, cross-border transfer mechanisms, and vendor management requirements
- Training and awareness must be role-based: general awareness for all employees, specialized training for marketing (consent management), HR (employee data), IT (security controls), and customer service (DSAR handling)
- Privacy program governance requires cross-functional collaboration -- the privacy team cannot operate in isolation from IT, legal, HR, marketing, security, and business operations
- Understand accountability under GDPR Article 5(2) -- the controller must be able to DEMONSTRATE compliance, not just claim it. This requires documentation, metrics, audits, and governance structures
- Know how to communicate privacy program value to executive leadership: risk reduction, regulatory penalty avoidance, competitive trust advantage, and operational efficiency gains
- Privacy committees and steering groups should include representatives from key business functions to ensure privacy considerations are embedded in business decisions
Common Exam Traps
Privacy Program Framework
Covers 24% of the exam -- expect approximately 18-22 questions. This domain tests your ability to develop a privacy program framework: defining program scope, developing a privacy strategy aligned with organizational mission, identifying applicable laws and regulations, and selecting appropriate privacy frameworks (NIST Privacy Framework, GAPP, FIPPs, OECD Guidelines) to structure the program.
Key Topics
Must-Know Concepts
- Know how to define a privacy program's scope: which data, which jurisdictions, which business units, which processing activities are covered. Scope must align with the organization's actual data processing footprint and regulatory exposure
- Understand the NIST Privacy Framework five core functions: Identify-P (understand organizational context), Govern-P (establish governance structures), Control-P (manage data processing), Communicate-P (maintain dialogue), Protect-P (manage ecosystem risks). Know how they map to CIPM operational lifecycle phases
- Know the ten GAPP principles: Management, Notice, Choice and Consent, Collection, Use/Retention/Disposal, Access, Disclosure to Third Parties, Security for Privacy, Quality, Monitoring and Enforcement
- Know the five FIPPs: Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, Enforcement/Redress -- and understand that FIPPs are the historical foundation underlying modern privacy laws
- Know the eight OECD Privacy Guidelines principles: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, Accountability
- Understand how to identify applicable privacy laws based on organizational activities: GDPR (processing EU data subjects' data), CCPA/CPRA (California residents), LGPD (Brazil), PIPEDA (Canada), sector-specific laws (HIPAA for healthcare, GLBA for financial services)
- Privacy strategy must align with organizational mission and business model -- a technology company, healthcare provider, and financial institution each need different privacy program emphases
- Regulatory landscape monitoring is an ongoing activity -- privacy laws evolve constantly and the program must adapt to new requirements
Common Exam Traps
Privacy Program Operational Life Cycle
Covers 26% of the exam -- expect approximately 19-23 questions. This domain spans the full operational lifecycle: assessing data (data inventories, DPIAs, vendor evaluation, M&A risks), protecting data (security controls, Privacy by Design, contractual safeguards), sustaining performance (auditing, maturity assessment, continuous improvement), and responding to incidents and requests (breach management, DSARs, complaint handling).
Key Topics
Must-Know Concepts
- Data inventory is the foundation of privacy program operations -- you cannot protect what you do not know you have. Inventories must cover data categories, storage locations, processing purposes, legal bases, retention periods, access controls, and data flows including cross-border transfers
- DPIA triggers under GDPR Article 35: systematic and extensive profiling with significant effects, large-scale processing of special category data, systematic monitoring of publicly accessible areas. The DPIA must assess necessity, proportionality, and risks, and document mitigation measures
- Vendor assessment for privacy must evaluate: the processor's security practices, data handling procedures, breach notification capabilities, subprocessor management, data return/deletion upon contract termination, and audit rights. These requirements must be documented in a Data Processing Agreement per GDPR Article 28
- M&A privacy due diligence must assess: target company's privacy compliance posture, data assets and liabilities, pending regulatory actions or complaints, consent bases that may not survive the transaction, and data integration risks
- Information security controls for privacy include: encryption at rest and in transit, access controls based on least privilege, pseudonymization, data loss prevention (DLP), audit logging, and secure data destruction. Security is necessary but not sufficient for privacy -- privacy also requires purpose limitation, data minimization, and lawful processing
- Privacy auditing must evaluate: policy compliance, procedural adherence, technical control effectiveness, DSAR response timeliness, breach notification compliance, training completion, and vendor management practices
- Breach response requires: detection and classification, containment, investigation, notification decision (72-hour authority notification, data subject notification if high risk), remediation, and post-incident review with documented lessons learned
- DSAR workflows must include: request receipt and acknowledgment, identity verification, data retrieval across all systems, response preparation, response delivery within regulatory timelines (30 days under GDPR), and documentation of the process
- Program maturity assessment evaluates the program against defined maturity levels from ad hoc/reactive through optimized, identifying strengths, gaps, and improvement targets
- Privacy by Design must be integrated into the SDLC: privacy requirements in specification, privacy review in design, privacy testing in development, DPIA in deployment, and ongoing privacy monitoring in operations
Common Exam Traps
Privacy Legislation and Regulation
Covers 17% of the exam -- expect approximately 13-15 questions. This domain tests your understanding of privacy legislation and regulation as it applies to privacy program management. Unlike the CIPP certifications which test deep legal knowledge, the CIPM tests how privacy managers operationalize legal requirements: identifying applicable laws, translating legal obligations into program requirements, monitoring regulatory changes, and ensuring cross-jurisdictional compliance.
Key Topics
Must-Know Concepts
- GDPR key operational provisions: lawful bases for processing (Article 6), special category data protections (Article 9), data subject rights (Articles 15-22), controller and processor obligations (Articles 24-28), DPO requirements (Articles 37-39), DPIA requirements (Articles 35-36), breach notification (Articles 33-34), ROPA (Article 30), cross-border transfers (Chapter V)
- CCPA/CPRA key differences from GDPR: opt-out model for sale/sharing of personal information, Do Not Sell or Share rights, right to limit use of sensitive personal information, no consent-based processing requirement, different thresholds for applicability
- Cross-border data transfer mechanisms under GDPR: adequacy decisions (Commission determines third country provides adequate protection), Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and derogations under Article 49. Post-Schrems II, Transfer Impact Assessments (TIAs) are required for SCCs and BCRs
- Regulatory enforcement trends: increasing fines, focus on accountability and documentation, cross-border cooperation between supervisory authorities, sector-specific enforcement priorities
- Know the distinction between data protection laws (GDPR, CCPA, LGPD) and sector-specific regulations (HIPAA for healthcare, GLBA for financial services, COPPA for children's data) and how they layer together
- Privacy managers must establish regulatory monitoring processes: track new legislation, regulatory guidance, enforcement decisions, and court rulings that affect the organization's privacy obligations
- Understand that privacy law compliance is not static -- laws are amended, new regulations enacted, and enforcement interpretation evolves. The privacy program must have a process for identifying and implementing regulatory changes
- GDPR fines can reach 20 million EUR or 4% of annual global turnover (whichever is greater) for the most serious infringements, and 10 million EUR or 2% for less serious violations. These thresholds create strong business justification for privacy program investment
Common Exam Traps
Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.