CertPrepNow
ISACA > CDPSE | Updated 2026-06-07

CDPSE Study Guide

Everything you need to pass the ISACA Certified Data Privacy Solutions Engineer exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The CDPSE exam is passable with free resources alone if you study consistently for 6-12 weeks depending on your background:

  • ISACA CDPSE Exam Content Outline (free download from ISACA website)
  • GDPR full text (gdpr-info.eu) — focus on Articles 5, 6, 25, 30, 32, 35-36, 44-49
  • NIST Privacy Framework 1.0 and Profiles (free from NIST)
  • ISO 27701 overview documents and introductory guides (free summaries available)
  • CCPA/CPRA official text and California AG guidance (free)
  • Privacy by Design foundational principles by Ann Cavoukian (free PDF)
  • OWASP Top 10 Privacy Risks documentation (free)
  • 500+ free practice questions on this site

The CDPSE exam is heavily technical and focuses on implementing privacy solutions rather than just knowing regulations. Free resources covering GDPR, NIST Privacy Framework, and Privacy by Design principles form the core of your study. Supplement with technical documentation on encryption, anonymization, and access control technologies.

Choose Your Study Path

Limited experience with privacy regulations, data protection, or privacy engineering. You need to build foundational knowledge in privacy principles and technical controls before tackling implementation scenarios.

Week 1: Learn privacy fundamentals: what constitutes personal data, PII vs. sensitive personal data, privacy principles (notice, choice, consent, collection limitation, data minimization, purpose limitation, use limitation). Understand Privacy by Design's 7 foundational principles.
Week 2: Study key privacy regulations: GDPR (key articles: 5, 6, 25, 30, 32, 35), CCPA/CPRA, LGPD, PIPEDA, HIPAA, APEC CBPR. Learn jurisdictional differences and cross-border data transfer mechanisms (SCCs, BCRs, adequacy decisions).
Week 3: Learn Domain 1, Privacy Governance: organizational privacy structures, privacy program development, DPO roles, privacy policies, privacy awareness training, and aligning privacy with business objectives.
Week 4: Study Domain 2, Privacy Risk Management and Compliance: privacy impact assessments (PIAs), data protection impact assessments (DPIAs), risk assessment methodologies, privacy audits, vendor risk management, and breach notification requirements.
Week 5: Deep dive into Domain 3, Data Life Cycle Management: data classification, data inventory and mapping, collection controls, storage and retention policies, data usage controls, data sharing agreements, and secure data disposal.
Week 6: Continue Domain 3: data quality management, consent management platforms, data subject rights fulfillment (access, rectification, erasure, portability), and privacy-preserving data processing.
Week 7: Begin Domain 4, Privacy Engineering (39% of exam): infrastructure and platform technologies, legacy vs cloud computing, device and endpoint privacy, secure development lifecycle (SDLC) with privacy integration.
Week 8: Continue Domain 4: identity and access management for privacy, encryption and hashing techniques, anonymization vs pseudonymization, privacy-enhancing technologies (PETs), differential privacy, secure multi-party computation.
Week 9: Continue Domain 4: network security for privacy (protocols, architecture, segmentation), API security, monitoring and logging with privacy considerations, consent tagging, tracking technologies and cookie management.
Week 10: Continue Domain 4: AI/ML privacy considerations, privacy in cloud environments, microservices privacy patterns, container security, and privacy testing methodologies.
Week 11: Practice questions across all domains. Take a full mock exam. Focus on Domain 4 (39% of the exam) and Domain 3 (23%).
Week 12: Review all incorrect answers and re-study weak domains. Take another mock exam aiming for 65%+. Schedule your real exam once you are consistently scoring above 60%.

Exam Overview

Format

120 multiple-choice questions in 210 minutes (3 hours 30 minutes). Questions are predominantly scenario-based, testing your ability to apply privacy engineering concepts to real-world situations rather than recall definitions.

Scoring

Scaled score 200-800. Passing: 450. The scaled scoring accounts for question difficulty, so the exact number of correct answers needed varies. No penalty for wrong answers — always answer every question.

Domains & Weights

  • Privacy Governance20%
  • Privacy Risk Management and Compliance18%
  • Data Life Cycle Management23%
  • Privacy Engineering39%

Registration

Register through the ISACA website (isaca.org) and schedule at PSI testing centers or via remote proctoring. The exam fee is $575 USD for ISACA members or $760 USD for non-members. ISACA membership costs $145/year and includes significant exam discounts plus access to resources and CPE opportunities.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1 (Must Know): You must understand these concepts deeply, know definitions, and be able to apply them in scenarios. These appear across multiple questions.
Tier 2 (Should Know): Understand what these are and their key characteristics. May appear in 2-5 questions each.
Tier 3 (Recognize Only): Know what these are at a high level. Rarely more than 1-2 questions each.
Domain 1 (20% of exam)

Privacy Governance

This domain covers organizational privacy governance structures, privacy program development, alignment with business objectives, and privacy awareness. You need to understand how to establish, maintain, and improve a privacy program, including the roles, policies, and frameworks that support it.

Key Topics

Privacy Program, DPO, Privacy Policies, Privacy by Design, Governance Frameworks, Privacy Training, Vendor/Supply Chain Management, Incident Management

Must-Know Concepts

  • Privacy program components: strategy, policies, procedures, roles and responsibilities, training, monitoring, and continuous improvement
  • Data Protection Officer (DPO) role: when appointment is mandatory under GDPR, independence requirements, reporting structure, and responsibilities
  • Privacy by Design 7 foundational principles: proactive not reactive, privacy as default, privacy embedded into design, full functionality, end-to-end security, visibility and transparency, respect for user privacy
  • Privacy governance frameworks: ISO 27701, NIST Privacy Framework, APEC CBPR, and how they complement legal requirements
  • Privacy policies and notices: what must be included, how to communicate them to data subjects, and difference between internal policies and external privacy notices
  • Aligning privacy program with business objectives: demonstrating value, building privacy into business processes, and privacy as a competitive advantage
  • Privacy awareness and training: role-based training, frequency requirements, measuring effectiveness, and building a privacy-aware culture
  • Privacy governance committees: cross-functional representation, charter, decision-making authority, and escalation paths
  • Vendor and supply chain privacy management: due diligence, data processing agreements, sub-processor oversight, and audit rights (moved under Privacy Governance in the 2025 exam update)
  • Incident management: privacy incident response planning, containment, investigation, notification, and lessons learned processes

Common Exam Traps

  • The DPO must be INDEPENDENT and cannot be instructed on how to perform their tasks. They report to the highest management level but are not directed by management.
  • Privacy by Design is PROACTIVE: it prevents privacy issues before they occur. It is NOT a remediation framework for fixing existing problems.
  • A privacy policy (internal document governing employee behavior) is different from a privacy notice (external document informing data subjects about processing).
  • Privacy governance is not just a legal/compliance function. It requires cross-functional involvement from IT, security, HR, marketing, and business units.

Quick Check: Privacy Governance


An organization is developing a new customer-facing application. At which stage should privacy requirements be incorporated?

Domain 2 (18% of exam)

Privacy Risk Management and Compliance

This domain covers identifying, assessing, and mitigating privacy risks, as well as maintaining compliance with applicable regulations. Know how to conduct privacy impact assessments, manage vendor risks, handle breach notifications, and maintain ongoing compliance through audits and monitoring.

Key Topics

PIA, DPIA, Risk Assessment, Vendor Management, Breach Notification, Privacy Audits, Compliance Monitoring

Must-Know Concepts

  • Privacy Impact Assessment (PIA) process: scope definition, data flow analysis, risk identification, risk evaluation, mitigation recommendations, and documentation
  • DPIA requirements under GDPR Article 35: when mandatory (processing likely to result in high risk, in particular systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special-category or criminal-conviction data, and large-scale systematic monitoring of publicly accessible areas), what it must contain (description of the processing, necessity and proportionality, risks to data subjects, and mitigations), and when to consult the supervisory authority (Article 36: residual risk remains high after mitigation)
  • Privacy risk assessment methodologies: qualitative vs quantitative, risk matrices, likelihood and impact scoring, and residual risk acceptance
  • Vendor and third-party risk management: due diligence questionnaires, data processing agreements (DPAs), sub-processor management, audit rights, and ongoing monitoring
  • Breach notification requirements across jurisdictions: GDPR (supervisory authority within 72 hours of becoming aware, Article 33; individuals without undue delay when the breach is likely to result in high risk, Article 34; processors must notify the controller without undue delay), CCPA and California's breach notification statute, HIPAA (affected individuals without unreasonable delay and within 60 days; HHS and the media for breaches affecting 500 or more individuals), and what constitutes a notifiable breach
  • Privacy audit types: internal audits, external audits, regulatory audits, and continuous monitoring approaches
  • Records of Processing Activities (ROPA): what must be documented under GDPR Article 30, who must maintain them, and how to keep them current
  • Legal and regulatory monitoring: tracking new and updated privacy laws, assessing impact on existing programs, and implementing required changes

Common Exam Traps

  • A DPIA must be conducted BEFORE processing begins, not after. If processing has already started, the DPIA is too late to serve its preventive purpose.
  • Not every data breach requires notification to data subjects. Under GDPR the supervisory authority is notified within 72 hours unless the breach is unlikely to result in a risk (Article 33), while individuals are notified only when the breach is likely to result in HIGH RISK to their rights and freedoms (Article 34). Individual notification is not required where the data was rendered unintelligible to unauthorized parties, for example properly encrypted with a key that was not compromised.
  • Vendor risk does not end after the initial assessment. Ongoing monitoring, periodic re-assessment, and audit rights are essential components of third-party risk management.
  • The GDPR Article 30(5) ROPA exemption for organizations with fewer than 250 employees is extremely narrow: it is lost if the processing is likely to result in a risk to data subjects, is not occasional, OR involves special-category or criminal-conviction data. In practice, nearly ALL organizations must maintain a ROPA.

Quick Check: Privacy Risk Management and Compliance


An organization experiences a data breach involving encrypted customer email addresses. Under GDPR, what determines whether data subjects must be notified?

Domain 3 (23% of exam)

Data Life Cycle Management

This domain covers managing personal data throughout its entire lifecycle — from collection through storage, use, sharing, and disposal. You need to understand data classification, inventory, consent management, data subject rights fulfillment, and secure data disposal. This is the second-largest domain at 23%.

Key Topics

Data Classification, Data Inventory, Consent Management, Data Subject Rights, Retention Policies, Data Sharing, Secure Disposal

Must-Know Concepts

  • Data lifecycle stages: collection, storage, use/processing, sharing/disclosure, archival, and destruction/disposal — know privacy controls at each stage
  • Data classification schemes: personal data, sensitive personal data (special categories under GDPR), PII, PHI, financial data — know how classification drives control requirements
  • Data inventory and mapping: documenting all personal data assets, data flows, processing activities, storage locations, and third-party data sharing
  • Consent management: collection mechanisms, preference centers, withdrawal processes, consent receipts, and age verification for children's data
  • Data subject rights implementation: technical architecture for access requests, rectification, erasure, restriction, portability, and objection handling
  • Data retention policies: defining retention periods based on legal requirements, business need, and data type. Implementing automated retention enforcement
  • Data sharing controls: data sharing agreements, data use agreements, privacy-preserving data sharing techniques, and regulatory requirements for sharing
  • Secure data disposal: methods (overwriting, degaussing, cryptographic erasure, physical destruction), verification requirements, and documentation
  • Data quality management: accuracy, completeness, timeliness, and consistency of personal data throughout its lifecycle

Common Exam Traps

  • Deleting a record from a database does not guarantee it is deleted from backups, replicas, caches, logs, and processors' copies. True erasure requires addressing ALL copies, or encrypting each subject's data under its own key so that destroying the key renders every copy unreadable at once (cryptographic erasure).
  • Consent for one purpose does not authorize processing for a different purpose. Each new purpose requires its own lawful basis, or a documented compatibility assessment under Article 6(4).
  • Data retention policies must account for legal hold requirements. Data scheduled for deletion must be preserved if subject to litigation or regulatory investigation.
  • Data portability under GDPR (Article 20) requires providing data in a structured, commonly used, machine-readable format, not just a PDF printout.

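The following is an added example for this guide, not ISACA material, showing cryptographic erasure as the answer to the "all copies" problem above: each data subject's records are encrypted under their own data-encryption key (DEK), so backups and replicas only ever hold ciphertext, and honouring an erasure request means destroying that one key. It assumes a key store that stands in for a KMS/HSM kept apart from the data, and, so that it runs on the Python standard library alone, uses HMAC-SHA256 as a keystream plus an HMAC tag in place of AES-GCM; in production use a vetted AEAD from a real crypto library.

```python
"""Cryptographic erasure: one data-encryption key (DEK) per data subject.

Every stored copy of a subject's record (production row, backup, replica) holds
only ciphertext.  Erasure = destroy the subject's DEK; every copy, including
offline backups you cannot rewrite, becomes unreadable at the same moment.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


class SubjectKeyStore:
    """Per-subject DEKs, held separately from the records they protect (a KMS/HSM in practice)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, subject_id: str) -> bytes:
        # Lazily mint a fresh 256-bit DEK the first time a subject's data is written.
        return self._keys.setdefault(subject_id, os.urandom(32))

    def get(self, subject_id: str) -> Optional[bytes]:
        return self._keys.get(subject_id)

    def destroy(self, subject_id: str) -> None:
        # Cryptographic erasure: the only step that has to "reach every copy".
        self._keys.pop(subject_id, None)


def _subkeys(dek: bytes) -> Tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys from the subject's DEK.
    return (hmac.new(dek, b"enc", hashlib.sha256).digest(),
            hmac.new(dek, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block_i = HMAC(enc_key, nonce || i).  Stand-in for a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(dek: bytes, subject_id: str, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(dek)
    nonce = os.urandom(16)                       # unique per encryption
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, subject_id.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag                      # encrypt-then-MAC; subject id bound into the tag


def decrypt_record(dek: Optional[bytes], subject_id: str, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when there is no key or the key does not match the blob."""
    if dek is None:
        return None
    enc_key, mac_key = _subkeys(dek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, subject_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                              # wrong DEK (or tampered ciphertext)
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def erasure_demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    keys = SubjectKeyStore()
    production: Dict[str, bytes] = {}
    backup: Dict[str, bytes] = {}

    # Constructed sample record for subject "user-42".
    production["user-42"] = encrypt_record(keys.key_for("user-42"), "user-42",
                                           b"alice@example.com, DOB 1990-01-01")
    backup["user-42"] = production["user-42"]    # nightly backup copies the ciphertext only
    readable_before = decrypt_record(keys.get("user-42"), "user-42", backup["user-42"])

    # Erasure request: delete the production row AND destroy the DEK.
    del production["user-42"]
    keys.destroy("user-42")

    # The backup still holds bytes, but without the DEK they are noise...
    unreadable_backup = decrypt_record(keys.get("user-42"), "user-42", backup["user-42"])
    # ...and a new DEK minted for the same subject id cannot decrypt the old blob either.
    unreadable_after_rekey = decrypt_record(keys.key_for("user-42"), "user-42", backup["user-42"])
    return readable_before, unreadable_backup, unreadable_after_rekey


if __name__ == "__main__":
    print(erasure_demo())
```

The design point is that the key store, not the data store, becomes the control point for erasure: it must be inventoried, access-logged and backed up on its own retention schedule, and its backups must not outlive the retention period you promise data subjects, or the erasure is undone by a key restore.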
Quick Check: Data Life Cycle Management


A user exercises their right to erasure under GDPR. The organization deletes the user's profile from the production database. What additional step is MOST important?

Domain 4 (39% of exam)

Privacy Engineering

The largest domain at 39% — expect roughly 47 questions on this topic. Covers technical implementation of privacy controls including infrastructure, encryption, access management, secure development, APIs, monitoring, anonymization techniques, PETs, AI/ML privacy, and cloud privacy architecture. Master this domain or you will not pass.

Key Topics

Encryption, IAM, PETs, SDLC, API Security, Cloud Privacy, Monitoring, Anonymization, Network Security, AI/ML Privacy

Must-Know Concepts

  • Infrastructure and platform privacy: legacy systems vs cloud computing, shared responsibility model, data residency requirements, multi-tenancy privacy risks
  • Encryption types and use cases: symmetric (AES), asymmetric (RSA, ECC), at rest, in transit (TLS), in use (homomorphic, secure enclaves). Key management and rotation
  • Identity and access management: RBAC, ABAC, just-in-time access, privileged access management, single sign-on, multi-factor authentication — all applied to privacy use cases
  • Anonymization and de-identification techniques: k-anonymity, l-diversity, t-closeness, data masking, generalization, suppression, and noise addition. Tokenization is reversible through the token vault, so it is a pseudonymization technique, not anonymization
  • Pseudonymization implementation: tokenization systems, key management for re-identification, and separation of pseudonymization keys from data
  • Privacy-enhancing technologies: differential privacy, homomorphic encryption, secure multi-party computation, federated learning, trusted execution environments, synthetic data
  • Secure development lifecycle with privacy: threat modeling for privacy, privacy requirements in design, privacy testing, privacy code reviews, and privacy-aware CI/CD
  • API security for privacy: authentication, authorization, rate limiting, input validation, output filtering, and API gateway privacy controls
  • Network security for privacy: network segmentation, VPN, TLS configuration, DNS privacy, traffic analysis protection, and network monitoring with privacy preservation
  • Monitoring and logging with privacy: privacy-preserving logging (minimizing PII in logs), audit trails, log retention, access logging, and anomaly detection
  • Consent tagging and tracking technologies: technical implementation of consent preferences, cookie management systems, tracking pixel controls, and browser privacy features
  • AI/ML privacy considerations: training data privacy, model privacy (preventing model inversion), inference privacy, federated learning, and responsible AI principles
  • Cloud privacy architecture: data residency controls, cloud encryption (BYOK, HYOK), cloud access security brokers (CASB), and cloud DLP
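The privacy-preserving logging bullet above is easiest to see in code. The following is an added example for this guide, not ISACA's or any vendor's code: a Python `logging.Filter` that rewrites each record before any handler sees it, replacing e-mail addresses with a keyed token (so incidents can still be correlated without the address being in the log), truncating client IPv4 addresses to their /16, and redacting card-like numbers that pass a Luhn check. The regexes, the pseudonym key and the sample log lines are constructed for the example.

```python
"""Privacy-preserving logging: minimize PII before it reaches the log handlers."""
import hashlib
import hmac
import logging
import re
from typing import List

_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_PAN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")     # 13-19 digits, optional space/hyphen separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives on order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class PiiRedactor:
    def __init__(self, pseudonym_key: bytes) -> None:
        # Keep the key in a secret store, separate from the logs; rotate it with log retention.
        self._key = pseudonym_key

    def _token(self, value: str) -> str:
        # Keyed hash: the same address always yields the same token (correlation still works),
        # but without the key nobody can go from token back to address.
        return hmac.new(self._key, value.lower().encode(), hashlib.sha256).hexdigest()[:12]

    @staticmethod
    def _mask_ip(ip: str) -> str:
        a, b, _, _ = ip.split(".")
        return f"{a}.{b}.x.x"                     # keep the /16 for troubleshooting, drop the host part

    def redact(self, msg: str) -> str:
        msg = _EMAIL.sub(lambda m: f"<email:{self._token(m.group())}>", msg)
        msg = _IPV4.sub(lambda m: self._mask_ip(m.group()), msg)
        msg = _PAN.sub(lambda m: "<pan-redacted>"
                       if luhn_ok(re.sub(r"[ -]", "", m.group())) else m.group(), msg)
        return msg


class RedactingFilter(logging.Filter):
    """Attach to a logger or handler; rewrites the message before it is formatted or stored."""

    def __init__(self, redactor: PiiRedactor) -> None:
        super().__init__()
        self._redactor = redactor

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self._redactor.redact(record.getMessage())
        record.args = ()                          # arguments are already folded into msg
        return True


# Constructed sample log lines.
SAMPLE_LINES = [
    "login ok user=Alice.Smith@Example.com from 198.51.100.23",
    "payment failed card=4111 1111 1111 1111 order=20240101123045",
]


def redact_samples(key: bytes = b"example-key-keep-in-secret-store") -> List[str]:
    return [PiiRedactor(key).redact(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    logger = logging.getLogger("app")
    logger.addFilter(RedactingFilter(PiiRedactor(b"example-key-keep-in-secret-store")))
    for line in SAMPLE_LINES:
        logger.info(line)
```

Redaction at the filter is a backstop, not the primary control: structured logging that never puts the raw identifier in the message (log the account id, not the e-mail) removes the dependency on pattern matching, and the token key has to be treated as the pseudonymization key it is.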

Common Exam Traps

  • k-anonymity alone is vulnerable to homogeneity and background-knowledge attacks. l-diversity addresses those, and t-closeness in turn addresses l-diversity's skewness and similarity attacks. Know the progression.
  • Homomorphic encryption allows computation on encrypted data but has significant performance overhead. It is not suitable for all use cases.
  • TLS protects data in transit but does NOT protect data at rest or in use. The exam tests whether you know which encryption type protects which state.
  • Cloud shared responsibility means the provider secures the underlying infrastructure, but the CUSTOMER remains responsible for the personal data, access controls, and encryption key management. The split of technical duties shifts with the service model (more sits with the provider under SaaS than under IaaS), but accountability for the data never transfers.
  • Pseudonymization keys must be stored SEPARATELY from the pseudonymized data. Storing them together defeats the purpose of pseudonymization.
  • API rate limiting protects against data scraping but does not replace proper authentication and authorization. The exam may present scenarios where rate limiting alone is insufficient.

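The k-anonymity progression above is worth measuring rather than memorizing. The following is an added example for this guide, not ISACA material: it computes the k a table actually provides (its smallest equivalence class of quasi-identifier values), raises k by generalizing age to a decade band and ZIP to a 3-digit prefix, and then shows that the resulting k-anonymous table still has homogeneous classes, which is exactly the leak l-diversity is designed to catch. The rows are constructed; quasi-identifiers are age and ZIP, the sensitive attribute is diagnosis.

```python
"""k-anonymity and l-diversity of a small table, before and after generalization."""
from collections import defaultdict
from typing import Callable, Dict, Hashable, List, Tuple

Row = Tuple[int, str, str]                       # (age, zip, diagnosis)

# Constructed sample rows.
ROWS: List[Row] = [
    (34, "02138", "flu"),
    (36, "02139", "flu"),
    (41, "02141", "cancer"),
    (45, "02142", "cancer"),
    (52, "94110", "asthma"),
    (57, "94112", "diabetes"),
]


def raw_key(row: Row) -> Hashable:
    """Quasi-identifiers as released: exact age and 5-digit ZIP."""
    return (row[0], row[1])


def generalized_key(row: Row) -> Hashable:
    """Generalization: age to a 10-year band, ZIP to its 3-digit prefix."""
    decade = row[0] // 10 * 10
    return (f"{decade}-{decade + 9}", row[1][:3] + "**")


def equivalence_classes(rows: List[Row], key: Callable[[Row], Hashable]) -> Dict[Hashable, List[Row]]:
    """Group rows that share the same (possibly generalized) quasi-identifier values."""
    classes: Dict[Hashable, List[Row]] = defaultdict(list)
    for row in rows:
        classes[key(row)].append(row)
    return classes


def k_anonymity(rows: List[Row], key: Callable[[Row], Hashable]) -> int:
    """The k a table actually provides is the size of its smallest equivalence class."""
    return min(len(c) for c in equivalence_classes(rows, key).values())


def l_diversity(rows: List[Row], key: Callable[[Row], Hashable], sensitive: int = 2) -> int:
    """Smallest number of distinct sensitive values found in any equivalence class."""
    return min(len({r[sensitive] for r in c}) for c in equivalence_classes(rows, key).values())


def homogeneous_classes(rows: List[Row], key: Callable[[Row], Hashable], sensitive: int = 2) -> list:
    """Classes whose members all share one diagnosis.  The table is k-anonymous, yet anyone who
    knows a person's age band and ZIP prefix (and that they are in the table) learns their diagnosis."""
    return sorted(k for k, c in equivalence_classes(rows, key).items()
                  if len({r[sensitive] for r in c}) == 1)


def report() -> dict:
    return {
        "k_raw": k_anonymity(ROWS, raw_key),                   # every row unique: k = 1
        "k_generalized": k_anonymity(ROWS, generalized_key),   # three classes of 2: k = 2
        "l_generalized": l_diversity(ROWS, generalized_key),   # two classes are homogeneous: l = 1
        "homogeneous": homogeneous_classes(ROWS, generalized_key),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

In practice you iterate the generalization hierarchy (wider age bands, shorter ZIP prefixes) or suppress outlier rows until both the k and the l targets are met, and t-closeness then checks that the distribution of diagnoses inside each class is not far from the whole table's distribution.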
Quick Check: Privacy Engineering


A healthcare organization needs to share patient data with researchers while preventing individual re-identification. The dataset contains age, zip code, and diagnosis. Which technique should be applied FIRST?

Concepts You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

Anonymization vs Pseudonymization

Use Anonymization when…

Irreversibly removing all identifying information from data so it can never be re-identified. Used when data must be permanently de-identified for analytics, research, or sharing.

Use Pseudonymization when…

Replacing direct identifiers with tokens or pseudonyms while maintaining a separate key for re-identification. Used when data needs privacy protection but must remain linkable for legitimate purposes.

Exam trap

Anonymized data is NOT personal data under GDPR — it falls outside regulatory scope entirely. Pseudonymized data IS still personal data and remains subject to all GDPR requirements. This distinction drives which controls and legal obligations apply.

Data Controller vs Data Processor

Use Data Controller when…

The entity that determines the purposes and means of processing personal data. Makes decisions about what data to collect, why, and how it will be used.

Use Data Processor when…

The entity that processes personal data on behalf of the controller. Follows the controller's instructions and has no independent authority over the data.

Exam trap

The controller bears PRIMARY responsibility for data protection compliance. The processor has obligations too (security, breach notification), but the controller cannot delegate accountability by outsourcing processing.

Privacy Impact Assessment (PIA) vs Data Protection Impact Assessment (DPIA)

Use Privacy Impact Assessment (PIA) when…

A broad assessment evaluating the overall privacy impact of a project, initiative, or system. Covers organizational and operational privacy considerations beyond just data processing.

Use Data Protection Impact Assessment (DPIA) when…

A GDPR-specific assessment (Article 35) required when data processing is likely to result in high risk to data subjects' rights and freedoms. Focuses specifically on processing activities.

Exam trap

A PIA is a broader organizational tool. A DPIA is legally mandated under GDPR for specific high-risk processing. The exam tests whether you know when a DPIA is legally required vs. when a PIA is best practice.

Encryption vs Hashing

Use Encryption when…

Two-way transformation of data using keys. Data can be encrypted and later decrypted with the correct key. Used for protecting data in transit, at rest, and in use.

Use Hashing when…

One-way transformation producing a fixed-length digest; the digest cannot be reversed to recover the input. Used for data integrity verification, password storage (with a per-user salt and a deliberately slow password hash such as bcrypt, scrypt or Argon2, never a bare SHA-256), and pseudonymization (as a keyed hash such as HMAC with the key held separately; a bare hash of a low-entropy identifier such as an e-mail address is undone by hashing a dictionary of candidate values).

Exam trap

Encryption is REVERSIBLE with the key. Hashing is IRREVERSIBLE in the sense that the digest does not yield the input, but low-entropy inputs are still recoverable by guess-and-hash, so "verify without exposing" only holds with a salt (passwords) or a secret key (pseudonyms). If you need to recover the original data, use encryption. If you only need to verify or link data, use a salted or keyed hash.
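The following is an added example for this guide, not ISACA material, that demonstrates the caveat above and the "keys stored separately" rule from the Privacy Engineering traps in one piece of code. An unkeyed SHA-256 "pseudonym" of an e-mail address is undone with a three-entry candidate list; an HMAC-SHA256 pseudonym with a key held apart from the data resists the same attack, still lets the key holder link records for the same person (so the data remains pseudonymous, and personal data under GDPR Article 4(5)), and collapses back to the plain-hash case the moment the key is obtained. The candidate list and the key are constructed for the example.

```python
"""Hashing as pseudonymization: plain hash vs keyed hash under a dictionary attack."""
import hashlib
import hmac
from typing import Callable, Iterable, Optional


def plain_pseudonym(identifier: str) -> str:
    """What many systems do: sha256(identifier).  Deterministic and keyless."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a high-entropy secret stored separately (KMS/HSM), never beside the data."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      pseudonymize: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: recompute the function for every candidate and compare to the leaked value."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize(candidate), target):
            return candidate
    return None


# Constructed: addresses an attacker could harvest from a marketing export, a breach dump
# or a company directory.  Real lists run to hundreds of millions of entries.
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def attack_demo(key: bytes = b"32-byte-secret-held-in-kms-not-db") -> dict:
    victim = "bob@example.com"
    plain = plain_pseudonym(victim)
    keyed = keyed_pseudonym(victim, key)
    return {
        # Unkeyed hash: three guesses and the "pseudonym" is undone.
        "plain_recovered": dictionary_attack(plain, CANDIDATES, plain_pseudonym),
        # Keyed hash, attacker has the data but not the key: the same guesses fail, and guessing
        # the key is infeasible when it is a random 256-bit value.
        "keyed_recovered_without_key": dictionary_attack(keyed, CANDIDATES, plain_pseudonym),
        # The key holder still links records for the same person (pseudonymous, not anonymous);
        # normalizing case and whitespace keeps that mapping stable.
        "keyed_linkable_with_key": keyed == keyed_pseudonym(" Bob@Example.com ", key),
        # If the key was stored next to the data and leaks with it, you are back to square one.
        "keyed_recovered_with_key": dictionary_attack(
            keyed, CANDIDATES, lambda c: keyed_pseudonym(c, key)),
    }


if __name__ == "__main__":
    for name, value in attack_demo().items():
        print(f"{name}: {value}")
```

This is why a pseudonymization design is judged on the key's custody, rotation and access logging rather than on the hash function: the data set plus the key is personal data in the clear, and a regulator will ask who could have had both.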

Consent vs Legitimate Interest

Use Consent when…

Data subject freely gives specific, informed, and unambiguous agreement to data processing. Can be withdrawn at any time. Must be as easy to withdraw as to give.

Use Legitimate Interest when…

Controller has a legitimate business reason for processing that does not override the data subject's rights and interests. Requires a balancing test. Cannot be used for all processing.

Exam trap

Consent gives the data subject control: it can be withdrawn at any time, after which processing on that basis must stop, and switching to a different lawful basis to keep going after withdrawal is not permitted. Legitimate interest does not require consent but must be documented in a Legitimate Interest Assessment (LIA) covering the purpose test, the necessity test, and the balancing test showing that the data subject's interests and fundamental rights do not override the controller's; data subjects keep a right to object (Article 21). Using the wrong lawful basis is a compliance violation.

Data Minimization vs Purpose Limitation

Use Data Minimization when…

Collect and process only the minimum amount of personal data necessary for the specified purpose. Applies to the VOLUME and SCOPE of data.

Use Purpose Limitation when…

Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Applies to the USE of data.

Exam trap

Data minimization controls HOW MUCH data you collect. Purpose limitation controls WHAT YOU DO with it. Both are GDPR Article 5 principles, but they address different aspects of data processing.

GDPR vs CCPA/CPRA

Use GDPR when…

EU regulation applying to organizations established in the EU and to those outside it that offer goods or services to, or monitor the behavior of, people in the EU (Article 3). Requires a lawful basis for every processing activity (consent is one of six under Article 6, not the default), and grants comprehensive data subject rights.

Use CCPA/CPRA when…

California law giving consumers rights over personal information. Collection and use are permitted by default; consumers get an opt-out from the sale or sharing of their data and a right to limit use of sensitive personal information. Applies to for-profit businesses meeting an annual revenue threshold (USD 25 million, CPI-adjusted), a data-volume threshold (personal information of 100,000 or more consumers or households), or a revenue-from-data threshold (50% or more of revenue from selling or sharing personal information).

Exam trap

GDPR requires a lawful basis before processing starts, and where that basis is consent it must be opt-in. CCPA/CPRA allows processing by default and is opt-out (the consumer may object to sale and sharing). GDPR has broader scope (any processing of personal data); CCPA centers on sale, sharing, and consumer rights. The exam tests cross-jurisdictional compliance scenarios.

Standard Contractual Clauses (SCCs) vs Binding Corporate Rules (BCRs)

Use Standard Contractual Clauses (SCCs) when…

Pre-approved contractual templates adopted by the European Commission for transferring personal data to a third country without an adequacy decision. The 2021 SCCs have four modules: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. Since the Schrems II judgment a transfer impact assessment is expected alongside them.

Use Binding Corporate Rules (BCRs) when…

Internal privacy policies approved by EU supervisory authorities that allow multinational corporate groups to transfer personal data within their organization across borders.

Exam trap

SCCs are for transfers BETWEEN organizations. BCRs are for transfers WITHIN a corporate group. BCRs require supervisory authority approval and are more expensive and time-consuming to establish than SCCs.

Top Mistakes to Avoid

  • Confusing anonymization (irreversible, data is no longer personal data) with pseudonymization (reversible with the key, data is still personal data under GDPR)
  • Thinking encryption and hashing are interchangeable: encryption is reversible with a key, hashing is one-way
  • Mixing up data controller (determines purposes and means) with data processor (processes on behalf of the controller); the controller retains accountability
  • Confusing PIA (broad project-level assessment) with DPIA (GDPR-mandated for high-risk processing activities)
  • Assuming consent is always the best lawful basis; legitimate interest, contractual necessity, and legal obligation are often more appropriate
  • Treating GDPR (a lawful basis is required up front; consent, where relied on, is opt-in) and CCPA (processing allowed by default, opt-out of sale and sharing) as having the same consent model
  • Forgetting that data minimization applies to retention as well as collection; keeping data forever violates the principle even if you collected the minimum
  • Thinking that deleting a database record is sufficient for erasure; backups, replicas, caches, and third-party copies must also be addressed
  • Confusing SCCs (for transfers between organizations) with BCRs (for transfers within a corporate group)
  • Assuming k-anonymity alone is sufficient for de-identification; it is vulnerable to attacks that l-diversity and t-closeness address

Exam-Ready Checklist

  • Can explain all 4 exam domains and their relative weights (20%, 18%, 23%, 39%)
  • Know Privacy by Design's 7 foundational principles and can apply them to scenarios
  • Can distinguish between anonymization and pseudonymization and their GDPR implications
  • Understand GDPR key articles: 5 (principles), 6 (lawful bases), 25 (DPbD), 30 (ROPA), 32 (security), 33-34 (breach notification), 35 (DPIA), 44-49 (transfers)
  • Know data subject rights under GDPR and how to technically implement each one
  • Can explain cross-border data transfer mechanisms: adequacy decisions, SCCs, BCRs, derogations
  • Understand the complete data lifecycle and privacy controls at each stage
  • Know encryption types (symmetric, asymmetric, at rest, in transit, in use) and when to use each
  • Can distinguish between data controller and data processor responsibilities
  • Understand PETs: differential privacy, homomorphic encryption, secure MPC, federated learning
  • Know anonymization techniques: k-anonymity, l-diversity, t-closeness and their relationships
  • Can explain breach notification requirements across jurisdictions (GDPR, CCPA, HIPAA)
  • Understand IAM for privacy: RBAC, ABAC, purpose-based access, and least privilege
  • Scored 60%+ on at least two full mock exams (the real exam passes at a scaled 450 out of 800, which does not map directly onto a raw percentage)
  • Reviewed all incorrect answers; Domain 4 is 39% of the exam, so weak performance there is fatal

Recommended Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.
