It is that time of year again when the International Association of Privacy Professionals (IAPP) implements its annual updates to the Certified Information Privacy Professional / Europe (CIPP/E) Body of Knowledge and Exam Blueprint. In the article that follows, we explain those updates and what all test takers must be aware of as they approach preparation for their exam.
When Do These Changes Go into Effect?
The changes discussed below go into effect on October 3, 2022.
What are the CIPP/E Body of Knowledge and Exam Blueprint?
If you only recently started considering becoming a certified data protection and privacy expert, you might be wondering what, exactly, is the Body of Knowledge? And what is the Exam Blueprint?
The Body of Knowledge is the document released by the IAPP that sets forth all of the concepts and topics that candidates will need to know to obtain their CIPP/E certification. It is the core document setting forth the CIPP/E curriculum.
The Body of Knowledge is supplemented by the Exam Blueprint, which is a document that sets forth how much weight each topic identified in the Body of Knowledge is given on the exam. Put differently, the Exam Blueprint gives the approximate number of questions (out of the 90 total) that each student can expect to see related to specific topics.
Each of these documents is updated annually by the IAPP. This ensures that the IAPP’s exams are current and that they are not “overexposed.” Along with these core documents, the IAPP also typically releases a list of new topics added to the exam. This list, however, only presents a high-level overview. A side-by-side comparison with last year’s Body of Knowledge and Exam Blueprint is necessary to parse out the finer details about how the exam is being changed. Year over year, new content added to any of the exams by IAPP through this annual update will account for no more than 15% of the overall material.
What Changes Were Made to the CIPP/E Body of Knowledge?
The CIPP/E Body of Knowledge has three primary topic areas: (1) Introduction to European Data Protection; (2) European Data Protection Law and Regulation; and (3) Compliance with European Data Protection Law and Regulation.
As set forth in its summary document, there are four important changes to the 2022 CIPP/E Body of Knowledge:
- Transparency requirements with regard to data protection notices
- Important aspects of the 2021 Standard Contract Clauses (SCCs), such as scope, approach, new obligations, etc.
- Consequences of the Schrems II judgment on Safe Harbor, Privacy Shield, SCCs, and other transfer mechanisms
- EDPB guidelines on significant data protection topics
At first glance, this list appears relatively modest. As noted above, however, significant details emerge in comparing last year’s outline with the 2022 amendments.
Introduction to European Data Protection
The first subtopic covered in the Body of Knowledge is the historical context of data protection across Europe. Early laws and regulations have always been covered by the exam. This year’s Body of Knowledge, however, for the first time specifically lists (i) the OECD Guidelines and the Council of Europe and (ii) Convention 108. Because these topics were already essentially covered by the prior Body of Knowledge, this change should largely be thought of as stylistic – it provides more detail, but not new content.
Interestingly, besides the reference noted above, the IAPP removed the Council of Europe—not to be confused with the European Council—from the topics listed in this year’s Body of Knowledge. Because a foundational understanding of European governance is necessary to effectively prepare for the CIPP/E exam, we believe students should still have a basic knowledge of the Council of Europe, and especially how it is distinct from the governing bodies of the European Union.
European Data Protection Law and Regulation
In its summary of changes that it is implementing this year, the IAPP noted that it seeks to highlight specific guidelines and recommendations published by the European Data Protection Board (EDPB). It should be noted that these guidelines were already implicitly covered in most cases, as they address broader topics identified in years past. By way of example, the IAPP has now identified “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.” But knowing how the EDPB approaches the definition of “controller” and “processor” was already required knowledge to properly prepare for the CIPP/E exam.
In our view, the specific EDPB guidelines newly added to the CIPP/E Body of Knowledge should not be thought of as “new” material. Rather, many of these should be thought of as specific areas that the IAPP is likely to test heavily, including the specific EDPB approach to the concept or topic addressed. The caveat is that certain of these guidelines have only been published in the past year, so those guidelines do represent new material that students should be aware of.
The EDPB guidelines newly identified this year include the following:
- Guidelines 07/2020 on the concepts of controller and processor in the GDPR
- Guidelines 03/2018 on the territorial scope of the GDPR
- Guidelines 05/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR
- Guidelines 10/2020 on restrictions under Article 23 of the GDPR
- Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions of international transfers as per Chapter V of the GDPR
- Guidelines 04/2021 on the codes of conduct as tools for transfers
- Guidelines 02/2018 on derogations of Article 49 under Regulation 2016/679
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
Each of these guidelines or recommendations is listed as a subcategory to a broader concept, further highlighting the point made above that these are not “new” topics. Instead, these documents represent additional refinements or detail on the broader concept to which they relate.
Beyond the addition of these new guidelines and recommendations, there are no other substantive changes to this portion of the Body of Knowledge.
Compliance with European Data Protection Law and Regulation
Like the previous domain, the only changes to the “compliance” section of the CIPP/E Body of Knowledge are the addition of some new EDPB guidelines. These include the following two documents:
- Guidelines 3/2019 on processing of personal data through video devices
- Guidelines 8/2020 on the targeting of social media users
Both video surveillance and online behavioral targeting, including in the context of social media, were already topics covered by the exam.
What Changes Were Made to the CIPP/E Exam Blueprint?
This year, the IAPP did not make any noticeable changes to its CIPP/E Exam Blueprint. The Exam Blueprint, of course, incorporates any changes to the Body of Knowledge, but the approximate number of questions for each topic has remained the same compared to the year prior.
Is Privacy Bootcamp’s CIPP/E Course Up to Date?
Yes, all of our courses are up to date. At Privacy Bootcamp, we comprehensively update our courses once a year to correspond to the updated Body of Knowledge and Exam Blueprint. In addition, we provide smaller updates throughout the year in response to important events and student feedback. Our updates involve editing our text-based study modules, creating new flashcards, adding to our bank of exam questions, and other changes designed to make sure our students are always prepared on test day.