So, you’ve decided that you want to become a Certified Information Privacy Professional / Europe (CIPP/E). Or, at least you’re interested in obtaining this certification, which is administered by the International Association of Privacy Professionals (IAPP). The best place to start is by reviewing a document that the IAPP refers to as the Body of Knowledge (BoK). The CIPP/E Body of Knowledge is a high-level document that sets forth the topics and concepts that will be included on the CIPP/E exam.
The IAPP revisits the CIPP/E BoK each year, publishing a new version that may be organized differently from the year prior or contain new topics and concepts. The IAPP does this so that the CIPP/E certification exam remains up to date with the changing data protection landscape and to ensure that its exams do not become “overexposed.” Generally, these updates are released in the late Spring or Early Summer.
We previously covered what changes were made to the CIPP/E BoK in 2023 and 2022, which you can read about here:
But we get it, you want to know what is new this year. Below we break down everything you need to know about relevant changes so that you are ready on exam day.
When Do These Changes Go into Effect?
The IAPP does not want to surprise its test takers. To that end, the IAPP releases the updated CIPP/E Body of Knowledge months ahead of when it becomes effective. The IAPP provides a minimum of 90 days. In other words, all the new content contained in the updated BoK will not start appearing on actual exams for some time.
The changes to the 2024-2025 Body of Knowledge for the CIPP/E exam go into effect on September 2, 2024.
What is the Format for the New CIPP/E Body of Knowledge?
Last year, the IAPP started the process of moving the Bodies of Knowledge for some of its exams that it administers to a new format and structure. Historically, the IAPP utilized a nested outline format. Beginning with the 2023-2024 Certified Information Privacy Manager (CIPM) Body of Knowledge, the IAPP started using format that included a list of high-level “competencies,” which are matched with a set of “performance indicators.”
The IAPP adopted this format for updated BoKs for the Certified Information Privacy Technologist (CIPT), Certified Information Privacy Professional / Canada (CIPP/C), and the new Artificial Intelligence Governance Professional (AIGP) certifications. Notably, however, the IAPP maintained its historic nested outline format for both the CIPP/E BoK and the CIPP/US BoK.
Considering the clear movement towards a different format, it is surprising that this year the CIPP/E BoK adheres to the old structure. That means, another document called the “Exam Blueprint” has been maintained as a separate document as well. The CIPP/E Exam Blueprint sets forth the number of questions (given as a range) that students should expect to see on each topic set forth in the BoK.
Changes to the New CIPP/E Body of Knowledge
Okay, so the format is the same, but what about the content? Before answering that question, you should know this. Yearly updates to the BoK contain no more than 10-15% new content, at least according to the IAPP. If you have already put a lot of effort into studying, don’t fret. There might be some new content that you will need to learn if you take the exam after the effective date, but in the bigger picture (and as we explain below), the new content is relatively minimal.
Did the Domains Change?
Last year’s CIPP/E Body of Knowledge contained three high-level “domains.” The good news is that those domains have not changed. They are:
- Domain I – Introduction to the European Data Protection
- Domain II – European Data Protection Law and Regulation
- Domain III – Compliance with European Data Protection Laws and Regulations
Are There Any New Topics or Concepts, and Was Anything Removed?
Much like the domains, the higher-level bullet points in the outline format did not see any changes this year either.
Domain I continues to include the following three topics:
- I.A - Origins and Historical Context of Data Protection Law
- I.B - European Institutions
- I.C - Legislative Framework
Domain II still has eleven primary topics:
- II.A – Data Protection Contents
- II.B – Territorial and Material Scope of the General Data Protection Regulation
- II.C – Data Processing Principles
- II.D – Lawful Processing Criteria
- II.E – Information Provision Obligations
- II.F – Data Subjects’ Rights
- II.G – Security of Personal Data
- II.H – Accountability Requirements
- II.I – International Data Transfers
- II.J – Supervision and Enforcement
And finally, Domain III contains the following four primary topics:
- III.A – Employment Relationship
- III.B – Surveillance Activities
- III.C – Direct Marketing
- III.D – Internet Technology and Communication
What did change are some minor sub-points. Nothing has been removed, and only four new sub-topics were added. These new sub-topics are:
- Section I.C.6.a – The EU Data Act and its relationship to the GDPR has been added to the list of legislation in this bullet point
- Section III.A.7 – Risks involved in employee data (e.g., via social media and AI systems)
- Section III.B.5.a – Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement
- Section III.D.4.a.i – Guidelines 3/2022 on dark patterns in social media platform interfaces
In addition to the above additions, there is one clerical change worth noting. The IAPP now refers to the Trans-Atlantic Privacy Framework by its more commonly accepted name, the “EU-US Data Privacy Framework.”
Elsewhere, the IAPP attempts to summarize the updated content that can be expected on new exams. There are two categories listed in this summary that do not expressly appear on the updated CIPP/E Body of Knowledge. This is likely because they are subsumed under a broad topic that is listed. These two new subtopics that students must know include:
- GDPR relationships with other global legislations (U.S., U.K., Switzerland, Germany)
- Ransomware breach notification procedure
All-in-all, these changes are minimal.
Did the Number of Questions Asked on Each Topic Change?
One big area of change is in the number of questions students will see on each topic, as laid out in the Exam Blueprint.
Domain I (Introduction to European Data Protection) previously consisted of 4-10 questions on the exam. That number has been increased; students can now expect to see 7-13 questions. Domain I will be more emphasized at the expense of both other domains.
Specific topics that will be deemphasized include data processing principles, information provision obligations, supervision and enforcement, consequences of GDPR violations, and direct marketing.
Areas that will receive greater emphasis are the origins and historical context of data protection laws in Europe, the legislative framework of European data protection laws, data subject rights, and security of personal data.
Is Privacy Bootcamp’s CIPP/E Course Up to Date?
Yes, all Privacy Bootcamp courses are up to date.
At Privacy Bootcamp, we comprehensively update our courses once a year to correspond to any changes made to the CIPP/E Body of Knowledge and Exam Blueprint. Our work begins, however, months ahead of when those updates are first released publicly. We have a general understanding of what changes can be expected based upon important events and changes in the data protection industry, as well as student feedback. We will release updated CIPP/E course content in the coming days, weeks, and months – significantly ahead of the September 2, 2024 effective date for the changes discussed above. With Privacy Bootcamp, you can always rest assured that you will be prepared come test day, no matter what changes IAPP throws your way.