CertPrepNow
ISACACDPSE4 domains

CDPSE Exam Notes

Last-minute traps, must-know facts, and scenario tips for the ISACA Certified Data Privacy Solutions Engineer exam.

General Exam Tips

  • 1.Read ALL four answer choices before selecting — ISACA almost always includes one plausible-sounding distractor that uses correct vocabulary in the wrong context.
  • 2.When a question asks 'FIRST' or 'MOST important', think process order: identify/assess before acting, and legal/regulatory foundation before technical implementation.
  • 3.The 'ISACA way' for governance scenarios: assess the full scope of a problem before taking any corrective action. Never terminate, escalate, or fix before you understand the situation.
  • 4.Domain 4 (Privacy Engineering) is 39% of the exam — roughly 47 questions. If you are weak there, you will not pass regardless of how well you know the other three domains.
  • 5.120 questions in 210 minutes gives you 1 minute 45 seconds per question. Flag uncertain questions and return — don't spend more than 2 minutes on any one question.
  • 6.There is no penalty for wrong answers. Never leave a question blank — your last resort guess should always be the option you can least eliminate.
  • 7.ISACA exam questions are scenario-based. Ignore the 'noise' in the scenario and identify: what is the exact problem being solved, and what stage of the process are we in.
  • 8.When two answers both look correct, ask: which answer is more comprehensive or foundational? ISACA favors the answer that enables or underpins the other.
  • 9.Organizational standards do NOT supersede local regulations. When a global policy conflicts with local law in a scenario, local law wins.
  • 10.The exam reflects real practitioner judgment, not academic definitions. Pick the answer that a prudent, experienced privacy engineer would do in practice.
Domain 120% of exam

Privacy Governance

Must-Know Facts

  • DPO mandatory under GDPR for: public authorities, organizations conducting large-scale systematic monitoring, and organizations processing special category data at large scale — not every organization needs one.
  • DPO must have functional independence — cannot receive instructions about how to perform tasks, and cannot be dismissed or penalized for performing duties.
  • Privacy by Design has 7 principles: (1) proactive not reactive, (2) privacy as default, (3) embedded into design, (4) full functionality (positive-sum, not zero-sum), (5) end-to-end security, (6) visibility and transparency, (7) respect for user privacy.
  • Privacy notice (external, for data subjects) is distinct from privacy policy (internal, governs employee/operational behavior).
  • Vendor management moved under Privacy Governance in the 2025 CDPSE exam restructure. Data Processing Agreements (DPAs) are a governance control, not just a legal contract.
  • Records of Processing Activities (ROPA) under GDPR Article 30: the 250-employee exemption is extremely narrow — applies only if processing is occasional, low-risk, AND does not involve special category data. In practice, almost all organizations must maintain ROPA.
  • Privacy program components: strategy, policies and procedures, roles and responsibilities, awareness and training, monitoring and auditing, incident response, vendor management, and continuous improvement. On the exam, when asked what is MISSING from an incomplete program description, check for continuous improvement and monitoring — these are the most commonly omitted components in distractor answer choices.
  • Privacy governance is cross-functional — IT, security, legal, HR, marketing, and business units all have roles. A privacy committee provides cross-functional oversight.

Common Traps

TrapThe DPO approves processing activities and is personally liable for GDPR violations
RealityThe DPO advises and monitors — the organization (controller) bears legal accountability, not the DPO. The DPO cannot instruct organizations to halt processing; they can only advise. The DPO is also not a decision-maker for what gets processed.
TrapPrivacy by Design is a framework for responding to privacy incidents and fixing existing systems
RealityPbD is explicitly proactive — it prevents privacy problems before they arise. It must be embedded from the very beginning of design, not applied as a remediation measure after problems occur.
TrapA privacy policy satisfies the obligation to inform data subjects about data processing
RealityA privacy policy governs internal conduct. A privacy notice (or privacy statement) is the external-facing document that informs data subjects. Failing to provide a privacy notice violates GDPR transparency requirements regardless of whether you have an internal policy.
TrapWhen a vendor processes data beyond the scope of a DPA, the first step is to terminate the contract or notify the supervisory authority
RealityThe ISACA governance approach: assess scope and impact first, then decide appropriate action. Terminating a contract or notifying an authority without understanding the full picture is reactive and may worsen the situation.
TrapPrivacy governance is primarily a legal and compliance function
RealityPrivacy governance requires technical, operational, and business involvement. The DPO and legal team cannot implement privacy alone — engineers, IT, HR, and business units all own components of the privacy program.

Confusing Pairs

Privacy PolicyPrivacy Notice

Privacy Policy = internal document governing how employees and systems handle personal data. Privacy Notice = external document informing data subjects about what data is collected, why, and their rights. Both are required, and they serve entirely different audiences.

Data ControllerData Processor

Controller = determines purposes and means of processing. Processor = processes on behalf of the controller following instructions. Controller retains ultimate accountability even when processing is outsourced. Processor has its own obligations (security, breach notification to controller) but cannot independently change processing purposes.

DPO RolePrivacy Manager Role

DPO = a specific, legally defined role under GDPR with statutory independence requirements. Cannot be penalized for performing duties. Reports to highest management level but is not directed by them. Privacy Manager = an organizational role without statutory protections — may be directed by management and does not have DPO's independence.

Scenario Tips

If the question asks about:

An organization is expanding globally and needs to align its privacy program with multiple jurisdictions

Answer:

Identify all applicable local regulations first, then design the program to the highest common standard. Organizational policies must accommodate local law — global policies do not supersede local regulations.

Distractor to avoid:

Applying one global standard uniformly is wrong because a country with stricter requirements than the global policy would result in non-compliance.

If the question asks about:

A question asks what to do FIRST when starting a privacy program from scratch

Answer:

Identify applicable laws, regulations, and privacy requirements relevant to the organization's operations and data processing activities. You cannot build a governance program without knowing what you are required to comply with.

Distractor to avoid:

Developing policies, hiring a DPO, or implementing technical controls are all subsequent steps. They cannot be done correctly without first identifying the regulatory landscape.

If the question asks about:

When a question involves vendor/third-party risk, what is the MOST important ongoing control?

Answer:

Ongoing monitoring, periodic re-assessment, and contractual audit rights — not just the initial due diligence. The controller remains responsible for third-party processing throughout the relationship.

Distractor to avoid:

Performing a one-time due diligence assessment and executing a DPA is the beginning, not the end, of vendor privacy management.

Last-Minute Facts

1GDPR Article 30: ROPA required for organizations with 250+ employees, OR those whose processing is not occasional, OR poses risk, OR involves special category/criminal data.
2DPO appointment mandatory under GDPR Articles 37-39 for public authorities, large-scale systematic monitoring, and large-scale special category processing.
3Privacy by Design: 7 principles — memorize all 7. 'Full functionality' means positive-sum (both privacy AND functionality), not privacy at the expense of function.
4Breach notification to supervisory authority: 72 hours under GDPR. To data subjects: 'without undue delay' if high risk — no fixed deadline but promptly.
5ISACA exam: always assess scope/impact BEFORE taking any enforcement or corrective action in a governance scenario.
Domain 218% of exam

Privacy Risk Management and Compliance

Must-Know Facts

  • DPIA is mandatory BEFORE high-risk processing begins, not after. High-risk triggers under GDPR Article 35: systematic large-scale monitoring, large-scale processing of special categories, and automated decision-making with legal effects.
  • When a DPIA reveals unmitigatable high residual risk, GDPR Article 36 requires prior consultation with the supervisory authority before processing can begin — you cannot simply accept the risk and proceed.
  • PIA vs DPIA: PIA is a broader organizational best practice for any project. DPIA is a specific GDPR legal requirement triggered by high-risk processing. They overlap but are not interchangeable.
  • Breach notification under GDPR: notify supervisory authority within 72 hours of becoming aware. Individual notification is only required when breach is likely to result in HIGH RISK to rights and freedoms — encrypted data breach may not require individual notification.
  • ROPA (Records of Processing Activities) under Article 30 must contain: controller identity, processing purposes, categories of data and data subjects, recipients, cross-border transfers, retention periods, and security measures. The exam trap: processors must ALSO maintain their own (narrower) ROPA — not just controllers. Many candidates assume only the controller has this obligation.
  • Privacy audit types: internal audits (first-party), external/third-party audits, and regulatory audits. Continuous monitoring complements periodic audits to provide ongoing assurance.
  • Vendor risk management is ongoing — initial due diligence plus periodic re-assessment plus contractual audit rights. The controller remains responsible even when processing is outsourced.
  • Privacy risk assessment must consider risks to DATA SUBJECTS (harm, discrimination, financial loss) not just organizational risks (fines, reputation). These are different risk categories.

Common Traps

TrapEvery personal data breach requires notification to data subjects
RealityUnder GDPR, individual notification is required only when the breach is 'likely to result in a high risk' to data subjects' rights and freedoms. Encrypted data that was breached may pose no high risk and therefore not require individual notification — though the supervisory authority notification (72 hours) still applies if the breach is notifiable.
TrapA DPIA can be conducted after processing starts if there are concerns
RealityA DPIA must be completed BEFORE processing begins for high-risk activities. Conducting it after processing has started violates the preventive purpose of the DPIA under Article 35.
TrapOrganizations with fewer than 250 employees are exempt from maintaining ROPA
RealityThe exemption is extremely narrow: processing must be occasional, must pose no risk to data subjects, AND must not involve special category or criminal data. Nearly all organizations processing personal data must maintain ROPA because at least one of these conditions typically fails.
TrapWhen a DPIA shows high residual risk, the organization should accept the risk and proceed with compensating controls
RealityUnder GDPR Article 36, unmitigatable high residual risk requires prior consultation with the supervisory authority. The authority may then prohibit, require modifications, or provide guidance. Risk acceptance without consultation is not a valid option.
TrapA single annual privacy audit provides sufficient ongoing compliance assurance
RealityPoint-in-time audits leave gaps. Best practice combines periodic audits with continuous automated monitoring of key privacy controls and metrics. ISACA exam questions favor comprehensive, multi-layered monitoring approaches.

Confusing Pairs

Privacy Impact Assessment (PIA)Data Protection Impact Assessment (DPIA)

PIA = broad organizational best practice assessing privacy impact of any project or initiative. No legal mandate. DPIA = GDPR Article 35 legal requirement specifically for high-risk processing activities. More structured, must be completed BEFORE processing, and may require supervisory authority consultation if risk cannot be mitigated. Both may be conducted on the same project, but only DPIA is legally required.

Supervisory Authority NotificationIndividual (Data Subject) Notification

SA notification = required within 72 hours of becoming aware of any notifiable breach (threshold: breach poses risk to individuals). Individual notification = required 'without undue delay' only when breach is likely to result in HIGH RISK. Different thresholds — more breaches require SA notification than individual notification.

Risk to OrganizationRisk to Data Subjects

Privacy risk assessments must evaluate BOTH. Organizational risk = fines, reputational damage, legal liability. Data subject risk = harm, discrimination, financial loss, identity theft, stigmatization. GDPR focuses primarily on risks to data subjects. The exam distinguishes these — always consider data subject harm, not just organizational impact.

Scenario Tips

If the question asks about:

A DPIA reveals that residual risk cannot be reduced to an acceptable level with available controls

Answer:

Consult the supervisory authority under GDPR Article 36 before starting processing. This is a mandatory step, not optional.

Distractor to avoid:

Accepting the risk with compensating controls or canceling the project entirely are wrong — the required step is supervisory authority consultation, not unilateral decision-making.

If the question asks about:

An organization suffers a breach of encrypted personal data. What must they do regarding notification?

Answer:

Assess whether the breach is likely to result in high risk to data subjects (considering the encryption strength and key management). Notify the supervisory authority within 72 hours if the breach meets the notification threshold. Individual notification may not be required if the data was effectively encrypted.

Distractor to avoid:

Automatically notifying all data subjects is wrong — the threshold for individual notification is 'likely high risk,' not simply that a breach occurred.

If the question asks about:

Which approach provides the MOST comprehensive privacy compliance assurance?

Answer:

Combining periodic audits with continuous automated monitoring of key privacy controls. This provides both point-in-time verification and real-time visibility.

Distractor to avoid:

Annual audits alone, employee self-certification, or policy review without control testing are all insufficient — they have coverage gaps or lack independence.

Last-Minute Facts

1GDPR Article 35 DPIA triggers: systematic large-scale monitoring, large-scale special category data, automated decisions with legal/significant effects.
2GDPR Article 36: prior consultation required when DPIA shows unmitigatable high residual risk.
372-hour breach notification clock starts when the controller 'becomes aware' — not when the breach occurred.
4GDPR Article 30 ROPA: controllers AND processors must maintain records. The processor's ROPA is narrower but still required.
5Transfer Impact Assessment (TIA) required alongside SCCs — must assess destination country's surveillance laws and government access powers.
Domain 323% of exam

Data Life Cycle Management

Must-Know Facts

  • Data lifecycle stages: collection, storage, use/processing, sharing/disclosure, archival, destruction — privacy controls apply at EVERY stage, not just collection.
  • Purpose limitation: data collected for one purpose cannot be reused for an incompatible purpose without either a compatibility assessment (Article 6(4)) or a new lawful basis. Marketing use of data collected for order fulfillment requires separate legal basis.
  • True erasure under the right to be forgotten requires removing data from ALL locations: production databases, backups, replicas, caches, logs, and data held by third-party processors. Deleting from production is insufficient.
  • Data portability (Article 20) requires providing data in a structured, commonly used, MACHINE-READABLE format — a PDF is not sufficient. Applies only to data the subject actively provided and where processing is based on consent or contract.
  • Data retention schedules must account for legal hold requirements. Scheduled-for-deletion data must be preserved if subject to litigation or regulatory investigation — deletion during legal hold is spoliation.
  • Data classification drives control requirements: personal data, sensitive personal data (special categories under GDPR), PII, PHI, financial data each require different protection levels.
  • Consent management platforms must support: granular consent collection, withdrawal, preference changes, audit trails, and age verification for children's data. Pre-ticked boxes and bundled consent are invalid under GDPR.
  • Data quality management: personal data must be accurate, complete, and kept up to date. Organizations must correct or delete inaccurate data when notified by data subjects.

Common Traps

TrapDeleting a user's profile from the production database satisfies the right to erasure
RealityErasure must be comprehensive — production database, backups, replicas, caches, application logs, analytics stores, and all third-party processors must delete the data. Partial deletion does not satisfy the right to erasure.
TrapData collected with consent for one purpose can freely be used for other purposes within the same organization
RealityPurpose limitation (GDPR Article 5(1)(b)) binds each purpose to its lawful basis. Using data collected for order confirmation to send marketing emails violates purpose limitation and requires a separate lawful basis (typically explicit consent for marketing).
TrapA data retention policy only needs to specify the maximum retention period
RealityRetention policies must specify the basis for the retention period (legal requirement, business need), the trigger for the retention clock (date of collection, end of relationship, last activity), exceptions for legal holds, and the method and verification of destruction.
TrapData minimization only applies to what is collected — retaining excess data is not a violation
RealityData minimization (GDPR Article 5(1)(c)) applies to collection, processing, AND retention. Collecting minimal data but retaining it indefinitely violates both data minimization and storage limitation principles.
TrapConsent for data processing is the strongest and most preferred lawful basis under GDPR
RealityConsent is often the WEAKEST lawful basis because it can be withdrawn at any time, requiring cessation of processing. For contractual necessity, legal obligation, and vital interests, consent is not required and cannot be withdrawn. ISACA exam questions test whether you select the most APPROPRIATE basis, not defaulting to consent for everything.

Confusing Pairs

Data MinimizationPurpose Limitation

Data Minimization = controls HOW MUCH data is collected and retained (volume and scope). Purpose Limitation = controls WHAT YOU DO with the data (use restrictions). Both are GDPR Article 5 principles. Minimization says 'collect only what you need.' Purpose limitation says 'use it only for what you said you would.'

Right to Erasure (Art. 17)Right to Restriction (Art. 18)

Erasure = data is deleted completely. Restriction = data is retained but processing is suspended (stored but not used). Restriction is appropriate when accuracy is contested, processing is unlawful but erasure is opposed, or data is needed for legal claims. Erasure is permanent; restriction is temporary.

Consent WithdrawalRight to Object

Consent Withdrawal = when processing is based on consent, withdrawing consent requires processing to stop. Right to Object = applies to processing based on legitimate interest or public task — data subject can object, and the controller must stop unless it can demonstrate compelling legitimate grounds. Different legal basis, different mechanism.

Scenario Tips

If the question asks about:

An organization wants to use customer email addresses (collected for transactional emails) for a new marketing campaign

Answer:

This requires either a compatibility assessment under Article 6(4) or a new lawful basis (typically explicit consent for marketing purposes). The existing consent/contractual basis for transactional emails does not extend to marketing.

Distractor to avoid:

'The data was already lawfully collected' is a trap — lawful collection does not authorize all subsequent uses. Purpose limitation is a separate requirement.

If the question asks about:

A user invokes their right to data portability — what format must you provide?

Answer:

Structured, commonly used, machine-readable format (e.g., CSV, JSON, XML). The right to portability is designed to allow data to be imported into another service — a PDF cannot be machine-processed.

Distractor to avoid:

Any readable format is not sufficient. A human-readable PDF printout does not satisfy the portability requirement even though it is technically a document containing the data.

If the question asks about:

Disposing of a decommissioned physical hard drive containing personal data — which method provides MOST reliable assurance?

Answer:

Physical destruction or degaussing with documented verification. For physical media, this is the gold standard because it eliminates any possibility of data recovery regardless of encryption history.

Distractor to avoid:

Reformatting or deleting files is insufficient — forensic tools can recover data. Cryptographic erasure is valid but depends on the encryption having been properly applied throughout the drive's lifecycle, making physical destruction more reliable for legacy/uncertain cases.

Last-Minute Facts

1GDPR Article 20 (portability): applies only to data provided by the subject, only where processing is based on consent or contract, and only for automated processing.
2Right to erasure exceptions: legal obligation, public interest, scientific/historical/statistical research, establishment/exercise/defense of legal claims, freedom of expression.
3NIST SP 800-88 media sanitization levels: Clear (logical overwrite, suitable for reuse within the organization), Purge (cryptographic erase or degaussing, suitable for reuse outside the organization), Destroy (physical destruction, permanent — no reuse). Exam tip: the question decides which level by asking about the media's next use, not just sensitivity. A drive going to a recycler needs Purge at minimum, not just Clear.
4Cryptographic erasure: destroy encryption keys to render encrypted data permanently unrecoverable. Only effective if data was encrypted throughout its lifecycle with strong key management.
5Legal hold supersedes retention schedules — data scheduled for deletion must be preserved when litigation or regulatory investigation is reasonably anticipated.
Domain 439% of exam

Privacy Engineering

Must-Know Facts

  • Privacy Engineering is 39% of the exam — approximately 47 of 120 questions. This is the make-or-break domain.
  • Anonymization = irreversible, data is NO LONGER personal data under GDPR. Pseudonymization = reversible with key, data IS STILL personal data and subject to all GDPR obligations.
  • k-anonymity ensures each record is indistinguishable from k-1 others on quasi-identifiers. Vulnerable to homogeneity attack (all k records share same sensitive value) and background knowledge attack.
  • l-diversity extends k-anonymity by requiring at least l well-represented values for sensitive attributes in each equivalence class — fixes the homogeneity attack.
  • t-closeness extends l-diversity by requiring the distribution of sensitive attributes within each group to be close to the overall distribution — fixes the skewness attack.
  • Encryption states: at rest (symmetric AES-256, stored data), in transit (TLS 1.2/1.3, data moving across networks), in use (homomorphic encryption or secure enclaves, data being processed). Each state requires a different control.
  • Hashing is ONE-WAY and irreversible. Encryption is TWO-WAY and reversible with the key. Never use hashing where you need to recover the original value.
  • Cloud shared responsibility: cloud provider secures infrastructure. CUSTOMER is responsible for data privacy, access controls, encryption key management, and configuration.
  • BYOK (Bring Your Own Key) in cloud: customer manages encryption keys, not the cloud provider. Prevents cloud provider from accessing customer data even in privileged contexts.
  • Pseudonymization keys must be stored SEPARATELY from the pseudonymized data. Storing the key in the same database or adjacent system defeats the purpose.
  • ABAC (Attribute-Based Access Control) enforces more granular privacy rules than RBAC alone — can implement purpose-based access (time-limited, context-specific, purpose-declared).
  • Differential privacy: adds calibrated mathematical noise to query results. Protects individuals in aggregate queries. Does NOT encrypt or anonymize individual records.
  • Homomorphic encryption: enables computation on encrypted data without decrypting. High performance overhead — not suitable for all use cases.
  • Federated learning: keeps raw data local, only shares model updates (gradients). Reduces privacy risk but gradient leakage can still expose some training data information.
  • LINDDUN is the privacy-specific threat modeling framework: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance.

Common Traps

Trapk-anonymity is sufficient for de-identification of a dataset for research sharing
Realityk-anonymity alone is vulnerable to two well-known attacks: (1) homogeneity attack when all k records share the same sensitive value, and (2) background knowledge attack when an attacker has prior information. Apply l-diversity (and potentially t-closeness) on top of k-anonymity for stronger de-identification guarantees.
TrapHashing personal data is a form of encryption that satisfies data protection requirements
RealityHashing is one-way and cannot be reversed — it produces a digest, not encrypted data. Hash values can be brute-forced for low-entropy inputs like email addresses or SSNs. Hashing alone does not qualify as pseudonymization in the GDPR sense (which requires a key-based approach). Use salted hashing for password storage; use tokenization or key-based pseudonymization for personal data.
TrapTLS protects data comprehensively — if TLS is in place, the data is protected
RealityTLS only protects data IN TRANSIT. Data at rest and data in use require separate controls. A system can use TLS perfectly and still store data in unencrypted databases (at rest) or process it in unprotected memory (in use).
TrapIn cloud environments, the cloud provider is responsible for protecting customer data
RealityThe shared responsibility model places data protection, access management, and encryption key management on the CUSTOMER. The cloud provider secures the underlying infrastructure. Misconfigured S3 buckets, over-privileged IAM roles, and unencrypted databases are customer responsibilities, not provider failures.
TrapDifferential privacy prevents individual records from being identified in a dataset
RealityDifferential privacy adds noise to AGGREGATE QUERY RESULTS — it does not de-identify individual records. It makes statistical inferences about individuals from queries harder, but does not anonymize or encrypt the underlying records themselves.
TrapRate limiting on an API prevents unauthorized access to personal data
RealityRate limiting prevents high-volume scraping and abuse, but it does not replace authentication and authorization. A properly authenticated but over-privileged user can still access excessive personal data even with rate limiting in place.
TrapRemoving names and direct identifiers from a dataset constitutes anonymization
RealityTrue anonymization requires that re-identification is IMPOSSIBLE. Removing names while leaving age, zip code, employer, and other quasi-identifiers leaves the data re-identifiable through data linkage (the classic Latanya Sweeney 87% re-identification result). Only irreversible transformation with no reasonably available re-identification path qualifies as anonymization.

Confusing Pairs

AnonymizationPseudonymization

Anonymization = irreversible de-identification; data no longer qualifies as personal data under GDPR. No key exists to reverse it. Pseudonymization = reversible de-identification using a key or mapping table; data IS still personal data under GDPR. The legal implications are enormous: anonymized data is out of scope for GDPR, pseudonymized data is still subject to all GDPR requirements.

k-Anonymityl-Diversityt-Closeness

k-anonymity: each record matches k-1 others on quasi-identifiers (prevents singling out). l-diversity: extends k-anonymity to require l distinct sensitive values per group (prevents homogeneity attack). t-closeness: extends l-diversity to require the distribution of sensitive values matches the global distribution within threshold t (prevents skewness attack). They are a progression — each addresses weaknesses of the prior.

Encryption at RestEncryption in TransitEncryption in Use

At rest = stored data (databases, files, backups). Control: AES-256 disk/database encryption. In transit = data moving across networks. Control: TLS 1.2+, VPN. In use = data being actively processed in memory. Control: homomorphic encryption, secure enclaves (Intel SGX). Each state requires a different control — TLS does nothing for stored data, disk encryption does nothing for data being transmitted.

Differential PrivacyHomomorphic Encryption

Differential privacy = adds noise to aggregate query outputs; protects inference about individuals from statistical results; data remains unencrypted in the database. Homomorphic encryption = encrypts data and allows computation on ciphertext; result when decrypted equals the result of operations on plaintext; protects data during processing. Different problems: DP protects what you can learn from outputs, HE protects data while it's being computed on.

RBAC (Role-Based Access Control)ABAC (Attribute-Based Access Control)

RBAC = access based on predefined roles (e.g., 'doctor' role can see all patient records). Simple but coarse — a role either has access or doesn't. ABAC = access based on attributes of the user, resource, environment, and purpose (e.g., 'doctor can access patient records for patients they are treating, during their shift, for the purpose of treatment'). ABAC can implement purpose limitation and data minimization technically; RBAC alone typically cannot.

Federated LearningSecure Multi-Party Computation (SMPC)

Federated Learning = ML model trained across decentralized devices without centralizing raw data; model updates (gradients) are aggregated centrally; best for scenarios where training data must stay local (e.g., mobile devices, healthcare). SMPC = multiple parties compute a joint function over their private inputs without any party revealing their data to others; best for collaborative analytics, private set intersection, joint fraud detection. FL is ML-specific; SMPC is general-purpose computation.

Scenario Tips

If the question asks about:

A healthcare organization wants to share patient data with researchers while preventing re-identification. The dataset contains age, zip code, and diagnosis

Answer:

Apply k-anonymity by generalizing quasi-identifiers (age ranges, zip code generalization) to ensure each combination of quasi-identifiers matches at least k individuals. Then consider l-diversity to ensure diverse diagnosis values within each group to prevent homogeneity attacks.

Distractor to avoid:

Encrypting the dataset (AES) prevents researchers from using the data at all. Hashing patient IDs does not address quasi-identifier re-identification. RBAC restricts who sees it but does not de-identify it.

If the question asks about:

An organization needs privacy-preserving aggregate analytics — queries over personal data to generate statistics without exposing individual records

Answer:

Differential privacy. It adds calibrated noise to query results so individual records cannot be inferred from the statistical output while preserving aggregate accuracy.

Distractor to avoid:

Tokenization replaces individual identifiers but does not protect aggregate queries. Homomorphic encryption protects data during computation but is about the computation environment, not about the output leaking individual information.

If the question asks about:

A development team is implementing cookie consent for a GDPR-regulated EU application

Answer:

Block all non-essential cookies until the user provides affirmative, granular consent through a consent banner. Only strictly necessary cookies may be set without consent. Consent must be as easy to withdraw as to give.

Distractor to avoid:

Setting cookies by default with an opt-out link violates GDPR's opt-in requirement. Auto-dismissing banners that assume consent from continued browsing do not constitute valid consent. Pre-ticked boxes are explicitly invalid.

If the question asks about:

An organization is building an AI model trained on personal data. What must be addressed FIRST?

Answer:

Establish the appropriate legal basis for processing the personal data used for training. Documentation of the lawful basis and processing purpose must precede technical implementation.

Distractor to avoid:

Implementing encryption or differential privacy are technical controls that come after legal basis is established. Collecting more data to improve model performance violates data minimization without first having lawful basis.

If the question asks about:

A system processes highly sensitive personal data in a cloud environment. What control addresses the risk that the cloud provider could access the data?

Answer:

Bring Your Own Key (BYOK) encryption, where the customer manages encryption keys outside the cloud provider's control. The provider can access encrypted storage but cannot decrypt without the customer's keys.

Distractor to avoid:

Standard cloud provider encryption (provider-managed keys) means the provider CAN access data. Network-level controls like VPC isolation protect against external attackers but not provider administrative access.

If the question asks about:

A system needs to enforce that a nurse can only access a patient's records for the specific purpose of treatment, not for administrative review

Answer:

Attribute-Based Access Control (ABAC) with purpose as an attribute. RBAC alone cannot enforce this because the nurse role would have access regardless of the purpose of the access request.

Distractor to avoid:

RBAC is insufficient for purpose-based restrictions. Just-in-time access helps reduce standing access but does not itself enforce purpose limitation without an ABAC policy layer.

Last-Minute Facts

1Anonymization threshold: re-identification must be IMPOSSIBLE or require disproportionate effort. The EU Article 29 WP/EDPB test considers the 'reasonably likely' means available to re-identify.
2k-anonymity minimum k value: the larger the k, the stronger the privacy guarantee, but the more data utility is lost. No universal minimum — depends on context and sensitivity.
3TLS versions: TLS 1.0 and 1.1 are deprecated. TLS 1.2 is the current minimum acceptable standard. TLS 1.3 is preferred for new implementations.
4Homomorphic encryption types: Partially (PHE) — limited operations. Somewhat (SHE) — limited depth. Fully (FHE) — any operations, but very high computational overhead.
5Secure enclave technologies: Intel SGX (Software Guard Extensions), AMD SEV (Secure Encrypted Virtualization), ARM TrustZone. Protect code and data from the OS and hypervisor.
6LINDDUN: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance — the privacy threat taxonomy for threat modeling.
7Synthetic data generation: artificial data statistically similar to real data. Contains no actual personal information. Validated synthetic data can be used for testing, development, and analytics without privacy risk.
8Zero-knowledge proof: proves knowledge of a fact without revealing the fact. Example: prove you are over 18 without revealing your birth date.
9Data residency: data must be stored and processed within specified geographic boundaries. Cloud region selection must align with data residency requirements — not all cloud regions are compliant for all jurisdictions.

Feeling confident?

Put your knowledge to the test with a timed CDPSE mock exam.