
CDPSE Cheat Sheet

Quick reference for the ISACA Certified Data Privacy Solutions Engineer exam.

Privacy Principles & Foundations

Privacy by Design (PbD)
Framework requiring privacy to be embedded into system design from the start. 7 principles: proactive not reactive, privacy as default, embedded into design, full functionality, end-to-end security, visibility/transparency, respect for user privacy.
Privacy by Default
Systems must be configured with the most privacy-protective settings by default. Users should not need to take action to protect their privacy — it should be automatic.
Data Minimization
Collect, process, and retain only the minimum personal data necessary for the specified purpose. Applies to volume, scope, and retention period.
Purpose Limitation
Personal data must be collected for specified, explicit, and legitimate purposes. Further processing must be compatible with the original purpose or have a new lawful basis.
Storage Limitation
Personal data should be kept only as long as necessary for the purpose it was collected. Requires defined retention periods and automated enforcement.
Accuracy Principle
Personal data must be accurate and, where necessary, kept up to date. Organizations must take reasonable steps to ensure inaccurate data is corrected or deleted.
Lawfulness, Fairness, Transparency
Processing must have a lawful basis, be fair to data subjects, and be transparent about what data is collected, why, and how it is used.
Accountability Principle
The data controller must demonstrate compliance with privacy principles. Requires documentation, policies, training, audits, and the ability to prove compliance on demand.

Key Privacy Regulations

GDPR (EU)
General Data Protection Regulation. Applies to any controller or processor established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Art. 3); the test is the data subject's location, not citizenship. Opt-in consent model. Penalties up to 4% of global annual turnover or 20M EUR, whichever is higher.
CCPA/CPRA (California)
California Consumer Privacy Act / California Privacy Rights Act. Opt-out model for sale/sharing of data. Applies to businesses meeting revenue/data volume thresholds. Right to delete, know, opt-out, and correct.
LGPD (Brazil)
Lei Geral de Proteção de Dados. Modeled on GDPR, with 10 lawful bases for processing (GDPR has six). Enforced by the ANPD (Autoridade Nacional de Proteção de Dados). Applies to processing carried out in Brazil, to data of individuals located in Brazil, and to processing aimed at offering goods or services in Brazil.
PIPEDA (Canada)
Personal Information Protection and Electronic Documents Act. Consent-based framework applying to personal information collected, used or disclosed in the course of commercial activities. Bill C-27, which would have replaced it with the Consumer Privacy Protection Act (CPPA), died when Parliament was prorogued in January 2025, so PIPEDA remains the federal private-sector law in force.
HIPAA (US Healthcare)
Health Insurance Portability and Accountability Act. Protects Protected Health Information (PHI). Applies to covered entities and business associates. Requires administrative, physical, and technical safeguards.
APEC CBPR
Asia-Pacific Economic Cooperation Cross-Border Privacy Rules. Voluntary certification framework for cross-border data transfers in the APEC region. Based on 9 privacy principles.
ePrivacy Directive (EU)
Governs electronic communications, cookies, and tracking technologies in the EU. Requires consent for non-essential cookies. Works alongside GDPR for online privacy.

GDPR Key Articles

Article 5 — Processing Principles
Lawfulness/fairness/transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability. The foundation of all GDPR compliance.
Article 6 — Lawful Bases
Six lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. At least one must apply before processing. Cannot retroactively change basis.
Article 25 — Data Protection by Design/Default
Controllers must implement appropriate technical and organizational measures (pseudonymization, minimization) at the time of design and by default. Privacy must be built in, not bolted on.
Article 30 — Records of Processing (ROPA)
Controllers and processors must maintain records of processing activities. Organizations with fewer than 250 employees are exempt only if their processing is occasional, is unlikely to result in a risk to data subjects, and involves no special-category or criminal-offence data; in practice almost any organization that processes personal data regularly needs a ROPA regardless of size.
Article 32 — Security of Processing
Implement appropriate technical/organizational measures: pseudonymization, encryption, confidentiality, integrity, availability, resilience, and regular testing of security measures.
Article 35 — Data Protection Impact Assessment
DPIA mandatory when processing is likely to result in high risk. Required for: systematic monitoring, large-scale sensitive data processing, and automated decision-making with legal effects.
Article 44-49 — Cross-Border Transfers
Transfers outside EU/EEA only with adequate safeguards: adequacy decision, SCCs, BCRs, or derogations. Transfer Impact Assessments may be required to evaluate destination country protections.

Data Subject Rights

Right of Access (Art. 15)
Data subjects can request confirmation of processing, a copy of their personal data, and the supporting information (purposes, recipients, retention period, source). Respond within one month, extendable by two further months for complex or numerous requests. Free of charge; a reasonable fee may be charged only for further copies or for manifestly unfounded or excessive requests.
Right to Rectification (Art. 16)
Data subjects can request correction of inaccurate personal data or completion of incomplete data. Must be implemented without undue delay.
Right to Erasure (Art. 17)
Right to be forgotten. Data subjects can request deletion when data is no longer necessary, consent is withdrawn, or processing is unlawful. NOT absolute — exceptions exist for legal obligations.
Right to Restriction (Art. 18)
Data subjects can request limitation of processing while accuracy is contested, processing is unlawful, or data is needed for legal claims. Data is stored but not processed.
Right to Data Portability (Art. 20)
Data subjects can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller. Applies only to data the subject provided, where processing is based on consent or contract and carried out by automated means.
Right to Object (Art. 21)
Data subjects can object to processing based on legitimate interests or public task. For direct marketing, the right is absolute — processing must stop immediately.
Automated Decision-Making (Art. 22)
Right not to be subject to decisions based solely on automated processing that produce legal or significant effects. Exceptions: contract, law, explicit consent. Must provide human intervention on request.

Data Lifecycle Management

Data Collection Controls
Implement notice and consent mechanisms, minimize data collected, verify lawful basis, apply purpose limitation, and document collection practices in ROPA.
Data Classification
Categorize data by sensitivity: public, internal, confidential, restricted. Also classify by type: PII, sensitive PII (race, health, biometric), financial, PHI. Classification drives control requirements.
Data Inventory & Mapping
Document all personal data: what is collected, where stored, how it flows, who accesses it, what processing occurs, and retention periods. Foundation for ROPA and compliance.
Data Retention Policies
Define retention periods based on legal requirements, business need, and data type. Implement automated enforcement. Account for legal holds and regulatory preservation requirements.
Data Sharing Controls
Implement data sharing agreements (DSAs), data processing agreements (DPAs), and data use agreements (DUAs). Verify recipient privacy practices. Apply privacy-preserving sharing techniques.
Consent Management Platforms
Technical systems for collecting, storing, managing, and honoring consent preferences. Must support granular consent, withdrawal, preference changes, and audit trails.
DSAR Fulfillment
Data Subject Access Request processes: intake, identity verification, data search across all systems, response compilation, redaction of third-party data, delivery within legal timelines (one month under GDPR, extendable by two further months for complex requests; 45 days under CCPA). Identity verification must be proportionate: do not collect more personal data to verify a requester than the request itself warrants.
Secure Data Disposal
Methods per NIST SP 800-88 (clear, purge, destroy): overwriting, degaussing (magnetic media only), cryptographic erasure (destroy the encryption keys), physical destruction (shredding, pulverizing). Overwriting is unreliable on SSDs and other flash media because wear levelling leaves copies in blocks the host cannot address; use the drive's built-in sanitize command or cryptographic erasure instead. Verify and document destruction (certificate of destruction when a third party disposes of media).

Privacy Governance & Roles

Data Protection Officer (DPO)
Mandatory under GDPR for public authorities, large-scale monitoring, or large-scale sensitive data processing. Must be independent, report to highest management, cannot be dismissed for performing duties.
Data Controller
Entity that determines the purposes and means of processing personal data. Bears primary responsibility for compliance, breach notification, and data subject rights fulfillment.
Data Processor
Entity that processes personal data on behalf of the controller. Must follow controller instructions, implement appropriate security, assist with DSARs, and notify controller of breaches.
Privacy Program Components
Strategy, policies, procedures, roles and responsibilities, training and awareness, monitoring and auditing, incident response, vendor management, and continuous improvement.
Privacy Committee
Cross-functional governance body with representatives from legal, IT, security, HR, marketing, and business units. Sets privacy strategy, reviews DPIAs, and resolves privacy issues.
Privacy Training
Role-based privacy awareness training for all employees. Developers need privacy engineering training. Annual refreshers plus event-driven training for new regulations or incidents.

Privacy Risk Management

Privacy Impact Assessment (PIA)
Broad assessment evaluating overall privacy impact of a project or initiative. Covers organizational, operational, and technical privacy considerations. Best practice for all new projects.
Data Protection Impact Assessment (DPIA)
GDPR-mandated (Art. 35) for high-risk processing. Must contain: description of processing, necessity assessment, risk assessment, and mitigation measures. Required BEFORE processing begins.
Privacy Risk Assessment
Systematic identification and evaluation of privacy risks. Uses risk matrices (likelihood x impact). Considers both organizational risks and risks to data subjects.
Vendor Risk Assessment
Evaluate third-party privacy practices: data handling, security controls, sub-processor management, breach notification capabilities, and cross-border transfer mechanisms.
Data Processing Agreement (DPA)
Contract between controller and processor. Must specify: processing scope, obligations, security measures, sub-processor rules, breach notification, audit rights, and data return/deletion on termination.
Breach Notification — GDPR
Notify supervisory authority within 72 hours of becoming aware. Notify data subjects without undue delay if high risk. Document all breaches regardless of notification. Include: nature, categories, consequences, measures.
Transfer Impact Assessment (TIA)
Required when using SCCs for cross-border transfers. Evaluates destination country's surveillance laws and data protection framework. Determines if supplementary measures are needed.

Encryption & Cryptography

Symmetric Encryption (AES)
Same key for encryption and decryption. Fast and efficient. AES (128- or 256-bit keys) is the standard; use an authenticated mode such as AES-GCM so that tampering with ciphertext is detected, never ECB and not unauthenticated CBC. Used for data at rest (disk encryption) and bulk data encryption.
Asymmetric Encryption (RSA/ECC)
Public key for encryption, private key for decryption. Slower but enables key exchange and digital signatures. RSA (2048+ bits) and ECC (256+ bits) are common.
Encryption at Rest
Protecting stored data: database encryption, full-disk encryption, file-level encryption. Uses symmetric encryption (AES-256). Key management is critical — keys must be stored separately.
Encryption in Transit
Protecting data during transmission: TLS 1.2/1.3 for web traffic, VPN for network tunnels, S/MIME or PGP for email. Prevents interception and man-in-the-middle attacks.
Encryption in Use
Protecting data during processing: homomorphic encryption (compute on encrypted data), secure enclaves (Intel SGX, ARM TrustZone), confidential computing. Most complex encryption state.
Hashing
One-way function producing a fixed-length digest. Irreversible in principle, but a plain hash of a low-entropy value (email address, phone number, national ID) is trivially reversed by hashing every candidate value and comparing, so for pseudonymization use a keyed hash (HMAC) with a secret key held separately from the data, and for passwords use a slow, salted algorithm (bcrypt, scrypt, Argon2). Other uses: data integrity verification. Algorithms: SHA-256, SHA-3, bcrypt/Argon2 (passwords).
Key Management
Lifecycle management of encryption keys: generation, distribution, storage, rotation, revocation, and destruction. Keys must be stored separately from encrypted data. HSMs for high-security key storage.
Cryptographic Erasure
Destroying encryption keys to render encrypted data permanently unrecoverable. Faster than overwriting. Effective only if encryption was properly implemented with strong key management.
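Cryptographic erasure only works if the key structure was designed for it. The added example below (not from the cheat sheet) keeps one data-encryption key per data subject in a vault that is separate from the records, so that deleting a subject's key makes every record for that subject unreadable, including a copy sitting in a backup taken before the erasure request. The cipher is an HMAC-SHA256 keystream used only because the Python standard library has no AES; the store, the subject names and the record contents are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative cipher only: HMAC-SHA256 as a PRF in counter mode, XORed with the data.
    Used because the Python stdlib has no AES; it is unauthenticated and not a substitute
    for AES-GCM from a real crypto library. Symmetric, so the same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class Erased(LookupError):
    pass


@dataclass
class CryptoShredStore:
    """One data-encryption key (DEK) per data subject, held in a vault separate from the
    records (a KMS/HSM in production, a dict here). Erasing a subject means deleting the DEK;
    every ciphertext for that subject, including copies in backups the deletion never
    touched, becomes unrecoverable."""
    vault: dict = field(default_factory=dict)    # subject_id -> DEK
    records: dict = field(default_factory=dict)  # record_id -> (subject_id, nonce, ciphertext)

    def put(self, record_id: str, subject_id: str, plaintext: bytes) -> None:
        dek = self.vault.setdefault(subject_id, os.urandom(32))
        nonce = os.urandom(16)                   # fresh per record: never reuse with a DEK
        self.records[record_id] = (subject_id, nonce, keystream_xor(dek, nonce, plaintext))

    def get(self, record_id: str) -> bytes:
        subject_id, nonce, ciphertext = self.records[record_id]
        if subject_id not in self.vault:
            raise Erased(f"subject {subject_id} has been cryptographically erased")
        return keystream_xor(self.vault[subject_id], nonce, ciphertext)

    def erase_subject(self, subject_id: str) -> None:
        """Right to erasure: destroy the key, not the (possibly replicated) ciphertext."""
        del self.vault[subject_id]


def demo() -> dict:
    store = CryptoShredStore()
    store.put("r1", "alice", b"alice: allergy to penicillin")
    store.put("r2", "alice", b"alice: appointment 2024-06-01")
    store.put("r3", "bob", b"bob: no known allergies")
    backup = dict(store.records)                 # a backup taken before the erasure request
    before = store.get("r1")
    store.erase_subject("alice")
    store.records = backup                       # restoring the backup does not bring alice back
    result = {"before": before, "bob_still_readable": store.get("r3")}
    try:
        store.get("r2")
        result["alice_after"] = "readable"
    except Erased:
        result["alice_after"] = "erased"
    return result
```

The guarantee holds only if every copy of the DEK is gone: vault backups, HSM replicas and any process that cached the key. In production the DEKs are themselves wrapped by a key-encryption key (envelope encryption), and the erasure is the deletion of the wrapped DEK plus an audit record proving when it happened.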

Anonymization & De-identification

Anonymization
Irreversibly removing identifying information so that individuals can no longer be re-identified by any means reasonably likely to be used (GDPR Recital 26). Anonymized data is NOT personal data under GDPR; if re-identification remains reasonably likely (for example by linking quasi-identifiers to a public dataset), the data is only pseudonymized and GDPR still applies. Techniques: aggregation, generalization, suppression, noise addition.
Pseudonymization
Replacing identifiers with tokens/pseudonyms. Reversible with the key. Data IS still personal data under GDPR. Key must be stored separately from data. Reduces but does not eliminate risk.
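Why the choice between an unkeyed hash and a keyed pseudonym matters, as an added example that is not part of the original cheat sheet: the script hashes a few constructed email addresses first with plain SHA-256 and then with HMAC-SHA256 under a secret key, and runs the same dictionary attack against both. The email list, the attacker's guess list and the function names are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample: identifiers a system might try to "anonymize" by hashing.
EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]

# Constructed attacker wordlist: in practice every address the attacker has ever
# seen, or a generated list over a target domain.
ATTACKER_GUESSES = ["alice@example.com", "bob@example.com", "dave@example.com"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Deterministic, so anyone can recompute it."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held apart from the data (KMS/HSM in production).
    Without the key nobody can recompute candidate pseudonyms, so a dictionary attack
    fails; with the key the controller can still re-identify, so it stays personal data."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonyms: set[str], guesses: list[str], pseudonymize) -> dict[str, str]:
    """Attacker model: recompute the pseudonym of every guess and look for matches.
    `pseudonymize` is whatever the attacker can run: the unkeyed function, or the
    keyed one under a key the attacker does not have."""
    recovered = {}
    for guess in guesses:
        candidate = pseudonymize(guess)
        if candidate in pseudonyms:
            recovered[candidate] = guess
    return recovered


def demo() -> tuple[int, int]:
    """Returns (identities recovered from unkeyed hashes, recovered from keyed pseudonyms)."""
    key = secrets.token_bytes(32)           # the real pseudonymization key
    attacker_key = secrets.token_bytes(32)  # the attacker has to guess one

    naive = {naive_pseudonym(e) for e in EMAILS}
    keyed = {keyed_pseudonym(e, key) for e in EMAILS}

    naive_hits = dictionary_attack(naive, ATTACKER_GUESSES, naive_pseudonym)
    keyed_hits = dictionary_attack(keyed, ATTACKER_GUESSES,
                                   lambda g: keyed_pseudonym(g, attacker_key))
    return len(naive_hits), len(keyed_hits)
```

The keyed pseudonym is still deterministic, so the controller can join records across datasets under the same key and, with the key, re-identify a subject to answer a DSAR. Rotating the key breaks old joins, so the pseudonymization key needs the same lifecycle management as any other long-lived data key.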
k-Anonymity
Each record is indistinguishable from at least k-1 other records based on quasi-identifiers (age, zip, gender). Prevents singling out individuals. Vulnerable to homogeneity and background knowledge attacks.
l-Diversity
Extension of k-anonymity requiring at least l well-represented values for sensitive attributes within each equivalence class. Protects against homogeneity attack where all k records share the same sensitive value.
t-Closeness
Extension of l-diversity requiring the distribution of sensitive attributes within each equivalence class to be within threshold t of the overall distribution. Prevents skewness attacks.
Data Masking
Replacing sensitive data with realistic but fake values while preserving format. Static masking (permanent) vs dynamic masking (on-the-fly). Used for non-production environments and limited access views.
Tokenization
Replacing sensitive data with non-sensitive tokens. Token-to-data mapping stored in a secure vault. Commonly used for payment card data (PCI DSS). Reversible only with vault access.
Data Generalization
Replacing specific values with broader categories. Example: exact age 34 becomes age band 30-39, exact address becomes city/region, full postcode becomes its first three digits. Reduces precision to prevent identification; the price is lost analytical detail, so generalize just enough to reach the target k.
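The three metrics above are easiest to understand when computed on one table. The added example below (not from the cheat sheet) builds a small constructed microdata set, applies one generalization step to the quasi-identifiers, and then reports k, l and t for both the raw and the generalized table. The records, the generalization rules and the function names are assumptions of this example.

```python
from collections import Counter, defaultdict

# Constructed microdata (no real people): quasi-identifiers plus one sensitive attribute.
RECORDS = [
    {"age": 34, "zip": "02139", "sex": "F", "condition": "flu"},
    {"age": 37, "zip": "02138", "sex": "F", "condition": "asthma"},
    {"age": 31, "zip": "02134", "sex": "M", "condition": "flu"},
    {"age": 52, "zip": "10001", "sex": "M", "condition": "cancer"},
    {"age": 55, "zip": "10002", "sex": "M", "condition": "cancer"},
    {"age": 58, "zip": "10003", "sex": "F", "condition": "cancer"},
]
QUASI = ("age", "zip", "sex")
SENSITIVE = "condition"


def generalize(rec: dict) -> dict:
    """One generalization step: age -> decade band, zip -> first three digits, sex suppressed."""
    decade = rec["age"] // 10 * 10
    return {"age": f"{decade}-{decade + 9}", "zip": rec["zip"][:3] + "**", "sex": "*",
            SENSITIVE: rec[SENSITIVE]}


def equivalence_classes(records):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in QUASI)].append(r)
    return classes


def k_anonymity(records) -> int:
    """k = size of the smallest equivalence class; every record hides among k-1 others."""
    return min(len(g) for g in equivalence_classes(records).values())


def l_diversity(records) -> int:
    """Distinct l-diversity: fewest distinct sensitive values in any class. l = 1 means a
    homogeneity attack works: knowing someone is in that class reveals their value."""
    return min(len({r[SENSITIVE] for r in g}) for g in equivalence_classes(records).values())


def t_closeness(records) -> float:
    """Largest distance (total variation, for categorical attributes) between a class's
    sensitive-value distribution and the whole table's. Numeric sensitive attributes
    use Earth Mover's Distance instead."""
    overall = Counter(r[SENSITIVE] for r in records)
    n = len(records)
    worst = 0.0
    for g in equivalence_classes(records).values():
        local = Counter(r[SENSITIVE] for r in g)
        worst = max(worst, 0.5 * sum(abs(local[v] / len(g) - overall[v] / n) for v in overall))
    return worst


def report(records) -> dict:
    return {"k": k_anonymity(records), "l": l_diversity(records), "t": t_closeness(records)}
```

On this table the raw records are 1-anonymous (every quasi-identifier combination is unique). After generalization k rises to 3, but the 50-59 class is homogeneous (all "cancer"), so l is 1 and anyone known to be in that class is exposed; t comes out at 0.5 because both classes' condition distributions are far from the table-wide one. Reaching a target k is therefore not enough on its own; check l and t on the same equivalence classes.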

Privacy-Enhancing Technologies (PETs)

Differential Privacy
A formal privacy guarantee rather than a single technique: a query mechanism is ε-differentially private if adding or removing any one individual's record changes the probability of any output by at most a factor of e^ε. Implemented by adding noise calibrated to the query's sensitivity and ε (for example Laplace noise with scale sensitivity/ε). Every query spends part of a finite privacy budget, and it is the budget, not the noise on any one answer, that bounds what an attacker can learn from repeated queries. Preserves statistical utility while protecting individuals. Used by Apple, Google, US Census.
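The Laplace mechanism and the budget accounting, as an added example that is not part of the cheat sheet: it answers a count and a bounded-sum query over a constructed list of ages with noise scaled to each query's sensitivity, tracks ε under basic sequential composition, and shows the differencing attack (count everyone, then count everyone except one person) that DP is meant to blunt. The dataset, the budget size and the function names are assumptions of this example.

```python
import math
import random

# Constructed dataset: ages of eight subjects (no real people). Index 0 is "Alice".
AGES = [52, 29, 41, 34, 38, 45, 23, 60]


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF (the stdlib has no Laplace sampler).
    rng.random() can return exactly 0.0, which would hit log(0); skip that draw."""
    u = 0.0
    while u == 0.0:
        u = rng.random()
    u -= 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Laplace mechanism: noise scale = sensitivity / epsilon gives epsilon-DP."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


class PrivacyBudget:
    """Basic sequential composition: queries with eps_1..eps_n cost eps_1 + ... + eps_n.
    Once the total is spent, the mechanism refuses further queries on the same data."""

    def __init__(self, total_epsilon: float):
        self.total = total_epsilon
        self.spent = 0.0

    def charge(self, epsilon: float) -> None:
        if self.spent + epsilon > self.total + 1e-12:
            raise PermissionError("privacy budget exhausted")
        self.spent += epsilon


def true_count(data, predicate) -> int:
    return sum(1 for x in data if predicate(x))


def dp_count(data, predicate, epsilon, budget, rng) -> float:
    """Counting query: one person changes the count by at most 1, so sensitivity is 1."""
    budget.charge(epsilon)
    return true_count(data, predicate) + laplace_noise(laplace_scale(1.0, epsilon), rng)


def dp_sum(data, lo, hi, epsilon, budget, rng) -> float:
    """Sum with values clamped into [lo, hi]: one person moves it by at most hi - lo.
    Without the clamp the sensitivity is unbounded and no finite noise would suffice."""
    budget.charge(epsilon)
    clamped = sum(min(max(x, lo), hi) for x in data)
    return clamped + laplace_noise(laplace_scale(hi - lo, epsilon), rng)


def differencing_attack(epsilon=1.0, seed=7):
    """count(over 50) minus count(over 50, without Alice) would reveal Alice's status
    exactly. Under DP each answer carries independent Laplace(1/eps) noise, and the
    budget caps how many such probes are answered at all. Returns (difference, eps spent)."""
    rng = random.Random(seed)
    budget = PrivacyBudget(total_epsilon=2.0)
    over_50 = lambda age: age > 50
    everyone = dp_count(AGES, over_50, epsilon, budget, rng)
    without_alice = dp_count(AGES[1:], over_50, epsilon, budget, rng)
    return everyone - without_alice, budget.spent


def noise_check(scale: float, n: int = 20000, seed: int = 1):
    """Calibration check: for Laplace(0, b), E[X] = 0 and E|X| = b."""
    rng = random.Random(seed)
    samples = [laplace_noise(scale, rng) for _ in range(n)]
    return sum(samples) / n, sum(abs(s) for s in samples) / n
```

After the two probes the 2.0 budget in `differencing_attack` is exhausted and a third query raises, which is the whole point: a single noisy difference tells the attacker little, and the budget stops them from averaging the noise away by asking again.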
Homomorphic Encryption
Enables computation on encrypted data without decrypting it. Results, when decrypted, match operations on plaintext. Significant performance overhead. Fully homomorphic (FHE) supports all operations.
Secure Multi-Party Computation (SMPC)
Multiple parties jointly compute a function over their inputs without revealing individual inputs to each other. Used for collaborative analytics, joint fraud detection, and private set intersection.
Federated Learning
ML training across decentralized devices without transferring raw data. Only model updates (gradients) are shared. Data stays local. Used for mobile keyboard prediction, healthcare AI.
Trusted Execution Environments (TEE)
Hardware-based secure enclaves (Intel SGX, ARM TrustZone) that isolate sensitive computations. Code and data inside the enclave are protected from the OS, hypervisor, and other processes.
Synthetic Data Generation
Creating artificial datasets that statistically mirror real data without containing actual personal information. Used for testing, development, and analytics without privacy risk.
Zero-Knowledge Proofs
Cryptographic method allowing one party to prove knowledge of a fact without revealing the fact itself. Used for identity verification without exposing personal data.

Identity & Access Management for Privacy

Role-Based Access Control (RBAC)
Access permissions assigned based on organizational roles. Users inherit permissions from their role. Simple to manage but may be too coarse for fine-grained privacy requirements.
Attribute-Based Access Control (ABAC)
Access decisions based on attributes: user attributes, resource attributes, environment attributes, and action attributes. Enables fine-grained, context-aware access policies for privacy.
Purpose-Based Access Control
Access granted only for specified, documented purposes. Implements purpose limitation principle technically. Users must declare the purpose of access, and the system enforces allowed purposes.
Just-in-Time (JIT) Access
Access provisioned only when needed and automatically revoked after use. Reduces standing access to sensitive data. Implements data minimization at the access level.
Privileged Access Management (PAM)
Controls and monitors access by privileged users (admins, DBAs). Session recording, approval workflows, credential vaulting, and time-limited access for sensitive data operations.
Least Privilege
Users and systems receive only the minimum permissions necessary for their function. Reduces exposure of personal data. Must be regularly reviewed and adjusted.

Secure Development & Privacy Engineering

Privacy in SDLC
Integrate privacy at every SDLC phase: requirements (privacy requirements), design (threat modeling, PbD), implementation (privacy controls), testing (privacy testing), deployment, and maintenance.
Privacy Threat Modeling
Identifying privacy threats in system design. Frameworks: LINDDUN (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, Non-compliance). Applied during design phase.
API Privacy Controls
Authentication (OAuth 2.0, API keys), authorization (scopes, permissions), rate limiting, input validation, output filtering (PII redaction), encryption (TLS), and API gateway privacy policies.
Privacy Testing
Testing for privacy compliance: data leakage testing, consent enforcement testing, access control testing, data retention testing, and DSAR process testing. Part of QA pipeline.
Cookie & Tracking Management
Technical implementation: consent management platform (CMP), cookie categories (necessary, functional, analytics, marketing), consent banners, server-side tracking, and privacy-preserving analytics.
Consent Tagging
Attaching consent metadata to data records: what consent was given, when, for what purpose, and by whom. Enables purpose-based access control and consent withdrawal enforcement.
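How consent tags and purpose-based access control fit together in code, as an added example that is not part of the cheat sheet: each record carries a consent tag, each role may declare only certain purposes, the access check refuses a declared purpose the subject has not consented to (or has withdrawn), returns only the fields that purpose needs, and writes every decision to an audit trail. The roles, purposes, field mappings and the subject record are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ConsentTag:
    """Consent metadata carried with the record: purposes consented to, when, and which
    have since been withdrawn. Withdrawal is recorded, not deleted, for the audit trail."""
    purposes: set
    granted_at: datetime
    withdrawn: set = field(default_factory=set)

    def allows(self, purpose: str) -> bool:
        return purpose in self.purposes and purpose not in self.withdrawn

    def withdraw(self, purpose: str) -> None:
        self.withdrawn.add(purpose)


@dataclass
class Record:
    subject_id: str
    data: dict
    consent: ConsentTag


# Which purposes each role may declare, and which fields each purpose actually needs.
ROLE_PURPOSES = {"support_agent": {"service"}, "data_scientist": {"analytics"},
                 "marketing": {"marketing"}}
PURPOSE_FIELDS = {"service": {"name", "email"}, "analytics": {"age_band"},
                  "marketing": {"email"}}


class AccessDenied(PermissionError):
    pass


def access(record: Record, role: str, purpose: str, audit: list) -> dict:
    """Purpose-based access check. Every decision is appended to `audit` as
    (role, subject_id, purpose, outcome) so a later DSAR or investigation can answer 'why'."""
    if purpose not in ROLE_PURPOSES.get(role, set()):
        audit.append((role, record.subject_id, purpose, "denied:role-cannot-declare-purpose"))
        raise AccessDenied(f"role {role} may not access data for purpose {purpose}")
    if not record.consent.allows(purpose):
        audit.append((role, record.subject_id, purpose, "denied:no-valid-consent"))
        raise AccessDenied(f"subject {record.subject_id} has no valid consent for {purpose}")
    audit.append((role, record.subject_id, purpose, "granted"))
    # Data minimization at the access layer: return only the fields this purpose needs.
    return {k: v for k, v in record.data.items() if k in PURPOSE_FIELDS[purpose]}


def demo():
    """Runs four requests, then one more after the subject withdraws analytics consent.
    Returns (list of outcomes, audit trail)."""
    alice = Record(
        "alice",
        {"name": "Alice", "email": "alice@example.com", "age_band": "30-39"},
        ConsentTag({"service", "analytics"}, datetime(2024, 5, 1, tzinfo=timezone.utc)),
    )
    audit, outcomes = [], []
    requests = [("support_agent", "service"), ("marketing", "marketing"),
                ("support_agent", "analytics"), ("data_scientist", "analytics")]
    for role, purpose in requests:
        try:
            outcomes.append(sorted(access(alice, role, purpose, audit)))
        except AccessDenied:
            outcomes.append("denied")
    alice.consent.withdraw("analytics")        # subject withdraws consent for analytics
    try:
        outcomes.append(sorted(access(alice, "data_scientist", "analytics", audit)))
    except AccessDenied:
        outcomes.append("denied")
    return outcomes, audit
```

Two things to notice: the marketing request fails on consent even though the role is allowed to declare that purpose, and the support agent's analytics request fails on role before consent is even consulted. The withdrawal takes effect on the next request with no re-deployment, because the check reads the tag attached to the record rather than a policy baked into the code.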

Network & Infrastructure Privacy

Network Segmentation
Isolating networks containing personal data from general networks. VLANs, firewalls, and microsegmentation limit lateral movement and restrict access to privacy-sensitive systems.
TLS Configuration
TLS 1.2 minimum (TLS 1.3 preferred) for all data in transit. Strong cipher suites (AEAD with forward secrecy, no RC4, 3DES or CBC-SHA1), certificate management with automated renewal, HSTS headers, and certificate pinning for mobile apps (pin to a backup key as well, or a routine certificate rotation locks every client out).
VPN & Secure Tunnels
Encrypted tunnels for remote access to privacy-sensitive systems. Site-to-site VPN for inter-office data transfers. Split tunneling risks: personal traffic may bypass corporate privacy controls.
DNS Privacy
DNS over HTTPS (DoH) or DNS over TLS (DoT) to prevent DNS query snooping. DNS queries can reveal browsing patterns and user behavior. Privacy concern for tracking.
Cloud Privacy Architecture
Shared responsibility model: cloud provider secures infrastructure, customer secures data and access. Data residency controls, BYOK encryption, cloud access security brokers (CASB), and cloud DLP.
Data Residency & Sovereignty
Legal requirement that data is stored and processed within specific geographic boundaries. Critical for cross-border compliance. Cloud region selection must align with regulatory requirements.

Monitoring, Logging & Incident Response

Privacy-Preserving Logging
Minimize PII in logs. Mask or hash identifiers in log entries. Define log retention periods. Restrict log access. Balance security monitoring needs with data minimization.
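A log scrubber that applies those rules, as an added example that is not part of the cheat sheet: emails become a stable keyed token so events from one subject can still be correlated, card numbers are masked irreversibly, and client IPs are truncated to the /24. The log lines are constructed (documentation addresses and a test card number); the regexes, key and function names are assumptions of this example.

```python
import hashlib
import hmac
import re

# Constructed sample log lines; the addresses and card number are documentation/test values.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z INFO login ok user=alice@example.com ip=203.0.113.42",
    "2024-05-01T10:00:07Z WARN payment declined user=bob@example.com card=4111111111111111 ip=198.51.100.7",
    "2024-05-01T10:01:15Z INFO login ok user=alice@example.com ip=203.0.113.42",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b\d{13,19}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonym(value: str, key: bytes, length: int = 12) -> str:
    """Stable keyed token: analysts can still correlate events from one subject, but the
    log never contains the identifier. The key lives in the KMS, not on the log platform."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:length]


def mask_card(pan: str) -> str:
    """Irreversible: card numbers are never needed in logs; keep last four for support."""
    return "*" * (len(pan) - 4) + pan[-4:]


def truncate_ip(ip: str) -> str:
    """Coarsen to the /24 instead of keeping the host address."""
    return ".".join(ip.split(".")[:3]) + ".0"


def scrub(line: str, key: bytes) -> str:
    # Order matters: emails first (they may contain digits and dots), then cards, then IPs.
    line = EMAIL_RE.sub(lambda m: "user:" + pseudonym(m.group(0), key), line)
    line = CARD_RE.sub(lambda m: mask_card(m.group(0)), line)
    line = IPV4_RE.sub(lambda m: truncate_ip(m.group(0)), line)
    return line


def scrub_all(lines, key: bytes):
    return [scrub(line, key) for line in lines]


def subject_tokens(scrubbed_lines):
    """Show that correlation survives scrubbing: events per pseudonymized subject."""
    counts = {}
    for line in scrubbed_lines:
        for tok in re.findall(r"user:([0-9a-f]+)", line):
            counts[tok] = counts.get(tok, 0) + 1
    return counts
```

Scrub at the point of emission (a logging filter or the log shipper), not after the fact in the SIEM, or the raw identifiers have already been written to disk and replicated. Keep the HMAC key out of the logging pipeline's own configuration so that a compromise of the log platform does not let an attacker re-derive identities by guessing.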
Access Logging & Auditing
Log all access to personal data: who, what, when, why, and from where. Supports compliance audits, breach investigations, and DSAR fulfillment. Tamper-evident log storage.
Data Loss Prevention (DLP)
Technical controls preventing unauthorized transmission of personal data. Network DLP (email, web), endpoint DLP (USB, print), and cloud DLP (SaaS, IaaS). Policy-based content inspection.
Privacy Breach Response
Incident response tailored for privacy: containment, assessment (scope of personal data affected), notification (regulatory timelines), remediation, and post-incident review. Must have pre-defined playbook.
Privacy Monitoring Dashboards
Real-time visibility into privacy metrics: DSAR volumes, consent rates, data inventory coverage, policy compliance, vendor risk scores, and breach incident tracking.

Cross-Border Data Transfers

Adequacy Decisions
European Commission determination that a non-EU country provides essentially equivalent data protection. Enables transfers without additional safeguards. Examples: Japan, South Korea, Canada (commercial organizations under PIPEDA), UK, and the United States (EU-US Data Privacy Framework, 2023, covering only organizations certified under it). UK adequacy was renewed December 2025 and runs through December 2031, so EU-to-UK transfers remain free without additional safeguards.
Standard Contractual Clauses (SCCs)
Pre-approved contract templates from the European Commission for international data transfers. Four modules: C2C, C2P, P2P, P2C. Must be supplemented with Transfer Impact Assessment.
Binding Corporate Rules (BCRs)
Internal privacy policies approved by EU supervisory authorities for intra-group international transfers. Expensive and time-consuming to establish. Requires consistency mechanism approval.
Derogations (Art. 49)
Exceptions allowing transfers without adequacy or safeguards: explicit consent, contract performance, important public interest, legal claims, vital interests. Must be used restrictively.
Data Transfer Mechanisms Hierarchy
Order of preference: 1) Adequacy decision, 2) Appropriate safeguards (SCCs, BCRs), 3) Derogations. Always use the strongest available mechanism. Derogations are last resort.

AI/ML Privacy Considerations

Training Data Privacy
AI models trained on personal data must comply with privacy regulations. Requires lawful basis for processing, data minimization in training sets, and documentation of data sources and processing activities.
Model Privacy Risks
Models can memorize and leak training data. Risks: model inversion (extracting training data), membership inference (determining if data was in training set), and unintended memorization of PII.
AI Inference Privacy Risks
Even without accessing training data, inference attacks (model inversion, membership inference) can reconstruct sensitive information from model outputs. Mitigation: differential privacy, output perturbation, query rate limits.
AI Transparency & Explainability
Privacy regulations require transparency about AI use in processing personal data. Under GDPR, data subjects have the right to meaningful information about the logic involved in automated decision-making, and its significance and envisaged consequences (Arts. 13(2)(f), 14(2)(g), 15(1)(h)), and under Art. 22 the right not to be subject to solely automated decisions with legal or similarly significant effects.
Federated Learning for Privacy
Train AI models across decentralized data without centralizing personal data. Model updates shared instead of raw data. Reduces privacy risk but gradient leakage remains a concern.
