This Fall, the International Association of Privacy Professionals (IAPP) is implementing several significant changes to its Certified Information Privacy Manager (CIPM) exam. Each year the IAPP implements some changes to the material covered on its exams. With the fast pace of change throughout the privacy and data protection industry, these changes are necessary for IAPP certification to remain current. While this year’s updates to the Certified Information Privacy Professional / U.S. (CIPP/US) and Certified Information Privacy Professional / Europe (CIPP/E) exams were relatively modest, the changes to the CIPM exam are more robust. In this article, we walk you through these changes.
When Do These Changes Go into Effect?
The changes discussed below go into effect on October 3, 2022.
Where Can I Find the Topics Tested on the CIPM Exam?
Like all exams administered by the IAPP, the topics tested on the CIPM are set forth in two separate documents: (1) the Body of Knowledge; and (2) the Exam Blueprint. Each of these documents is updated annually by the IAPP.
The Body of knowledge is effectively a high-level outline of all topics tested on the CIPM exam. It lists topics, subtopics, and additional details. The IAPP considers this the core document identifying its curriculum. Accordingly, “it is each candidate’s responsibility to be prepared for exams by being familiar with all elements of the Bod[y] of Knowledge.”
In developing a study plan, the other key piece of information that test takers should be aware of is how heavily weighted each topic is on the exam. That information is contained in the Exam Blueprint. This document identifies how many questions (out of 90 total) you should expect to see that cover each topic set forth in the Body of Knowledge.
As discussed below, the changes to the 2022 CIPM Body of Knowledge are relatively extensive. If you have already started studying, however, keep in mind that—according to the IAPP—new content will account for no more than 15% of the overall material on the actual exam.
What Changes Were Made to the CIPM Body of Knowledge?
The CIPM Body of Knowledge has six primary topic areas, which the IAPP refers to as “domains.” These include: (1) Developing a Privacy Program; (2) Privacy Program Framework; (3) Privacy Operational Life Cycle – Assessment; (4) Privacy Operational Life Cycle – Protect; (5) Privacy Operational Life Cycle – Sustain; and (6) Privacy Operational Life Cycle – Respond. This represents a significant restructuring that took place in 2000, prior to which the exam was broken down into only two primary “domains.”
The IAPP attempts to succinctly summarize the additions that it makes to each of its exams every year. This summary document highlights only four important changes to the 2022 CIPM Body of Knowledge:
- Updates on data sharing and use processes, including secondary usage, vendor limitations and objections to usage
- Updates on risk assessments, control and alignment
- Updates on notification, reporting and record keeping of privacy incidents
- Updates on internal and external policy processes and compliance
While these updates seem modest at first glance, due to the nature of the CIPM exam and the holistic approach one must take to managing a privacy program, these changes impact nearly all domains noted above.
Beyond these additions to the Body of Knowledge, the IAPP also removed a number of subtopics and consolidated certain subtopics. Those will also be identified below.
Developing a Privacy Program
In this domain, the IAPP removed several subtopics and consolidated several more.
The first modification to the 2022 CIPM Body of Knowledge is the removal of the very first subtopic identified in prior years—i.e., when creating a company vision “acquire knowledge of privacy approaches.” This does not represent a significant change, as understanding different approaches to privacy is inherent in all a privacy program manager is and does.
Next, from the topic of “develop a privacy strategy,” the IAPP removed the subtopic of “plan inquiry/complaint handling procedures (customers, regulators, etc.).” This was moved to the next domain under the “Develop the Privacy Program Framework: Define privacy program activities.” Inquiry and complaint handling also still remains heavily tested on the exam under the domain of Privacy Operational Life Cycle – Respond. Again, this is not a significant change.
In years past, the IAPP broke down the topic of establishing an organizational structure into two categories: those for large organizations and those for smaller organizations. This year, the IAPP has removed those distinctions and consolidated this topic into one subtopic. This modification recognizes the increased importance that privacy considerations play in all organization, whatever their size.
Under the “Communicate” topic in this domain, the IAPP implemented several cosmetic updates. It also replaced the subtopic “Identify, catalog and maintain documents requiring updates as privacy requirements change,” with the subtopic “Ensure employees have access to policies and procedures and updates relative to their role.” This amendment better aligns with the overarching topic of “communication.” Additionally, it recognizes that keeping adequate documentation of privacy practices is necessary but not sufficient; that documentation must be shared—i.e., communicated—in order to be effective.
Privacy Program Framework
As noted above, “plan inquiry/complaint handling procedures (customers, regulators, etc.)” was moved from the first domain to the Privacy Program Framework domain. It is now included as part of defining a privacy program’s activities. Other non-substantive, cosmetic changes were made to the other subtopics related to defining privacy program activities.
Under the topic of “Implement[ing] the Privacy Program Framework,” the IAPP reorganized how it approaches understanding applicable laws across jurisdictions. The 2021 Body of Knowledge took an approach that divided laws according to whether they were national laws or local laws. The updated 2022 Body of Knowledge now divides laws according to whether they apply across certain geographic regions or whether they apply across various market segments. The new subtopics are “Understand territorial regulation and/or laws (e.g., GDPR, CCPA, LGPD)” and “Understand sectoral and industry regulations and/or laws (e.g., HIPAA, GLBA).”
“Understanding data sharing agreements” was also broken out into its own subtopic this year. This continues to recognize that organizations have legal obligations related to privacy under contractual agreements, but these obligations are not found directly under applicable law. Additionally, the IAPP also categorized several types of agreements, including (1) “international data sharing agreements”; (2) “vendor agreements”; and (3) “affiliate and subsidiary agreements” that test-takers must be aware of.
Privacy Operational Life Cycle – Assessment
Under the topic of documenting the current baseline of your organization’s privacy program, the IAPP consolidated several subtopics. These changes are non-substantive; they represent only cosmetic changes designed for readability.
One new area subject to testing that was added under the topic of processor and third-party vendor risk assessments is “Cross-border transfers.” This is intended to cover the need for organizations to undertake transfer impact assessments, especially in light of the Court of Justice of the European Union’s (CJEU) decision in Schrems II.
Additional subtopics were also added to the “Mergers, acquisitions and divestitures” topic in this domain. These new subtopics include: (1) “Risk assessment”; (2) “Risk and control alignment”; and (3) “Post integration planning and risk mitigation.”
Privacy Operational Life Cycle – Protect
The Privacy Operational Life Cycle – Protect domain covers the topic of Privacy by Design (PbD). Under this topic, the IAPP added two new subtopics: (1) “Integrate privacy through business processes”; and (2) “Communicate with stakeholders the importance of [Privacy Impact Assessments] and PdD.”
Somewhat related to the above change, the next topic in this domain is how to integrate privacy requirements and representation into functional areas across the organization. In prior years, there were separate subtopics for various departments within an organization (e.g., human resources, finance, etc.). The new Body of Knowledge consolidates these subtopics.
The final topic in this domain has been completely overhauled. What was previously listed as “Other organizational measures” is now defined as “Technical and organizational measures.” Three new subtopics were added:
- Determine and implement guidelines for secondary use (ex: research, etc.)
- Define policies related to the processing (including collection, use, retention, disclosure and disposal) of organization’s data holdings, taking into account both legal and ethical requirements
- Implement appropriate administrative safeguards, such as policies, procedures, and contracts
Privacy Operational Life Cycle – Sustain
Under this domain, the IAPP added two new subtopics that test-takers should be aware of, both of which fall under the privacy audit topic. These subtopics are “maintenance of an audit trail” and “utilize and report on regulator compliance assessment tools.”
Privacy Operational Life Cycle – Respond
Data subject requests and privacy rights was modified under the “Respond” domain to cover objections to data processing and data subject complaints.
Privacy incident response now covers several new topics, including (1) mandatory reporting obligations; (2) identification of external stakeholders; and (3) maintenance of an incident register and associated records.
In addition to these topics, the IAPP also updated its incident handling category to now include four additional steps:
- Performing containment activities
- Identifying and implementing remediation measures
- Developing a communications plan to notify executive management
- Notifying regulators, impacted individuals and the responsible data controller
These were always important steps in handling a privacy incident, but it is good to see that IAPP has now specifically listed them as important areas that students should know prior to sitting for an exam.
What Changes Were Made to the CIPM Exam Blueprint?
Despite the significant updates to the Body of Knowledge discussed above, this year the IAPP enacted no changes to the CIPM Exam Blueprint. While the CIPM Exam Blueprint incorporates all of the above changes, the relative weight given to each section of the exam has remained unchanged.
Is Privacy Bootcamp’s CIPM Course Up to Date?
Yes, all of our courses are up to date. At Privacy Bootcamp, we comprehensively update our courses once a year to correspond to the updated Body of Knowledge and Exam Blueprint. In addition, we provide smaller updates throughout the year in response to important events and student feedback. Our updates involve editing our text-based study modules, creating new flashcards, adding to our bank of exam questions, and other changes designed to make sure our students are always prepared on test day.