One question that we receive a lot from students and prospective students is this: What certification is right for me—CIPP or CIPM? The answer to that will largely depend on your unique experiences and professional goals; there is no one-size-fits-all advice. There are some guideposts, however, that are applicable across all circumstances. Below we attempt to distill our thoughts as plainly as possible on this subject.
IAPP Certification Briefly Explained
The International Association of Privacy Professionals (IAPP) is a professional organization that looks to advance the privacy and data protection industry globally. The IAPP offers three certifications for privacy professionals: Certified Information Privacy Professional (CIPP), Certified Information Privacy Manager (CIPM), and Certified Information Privacy Technologist (CIPT). Each of these certifications are designed to demonstrate expertise in privacy and data protection. There are, however, several key differences between these certifications, including the focus of the exams and the types of professionals who typically pursue each certification.
The CIPP certification—which focuses heavily on privacy laws and regulations—is further broken down based upon jurisdictional reach. The CIPP/US certification focuses on United States privacy laws, the CIPP/E certification focuses on European privacy laws, and so forth.
You can read more about what each individual certification in further detail at the following links:
- “What is the CIPP/US Certification?”
- “What is the CIPP/E Certification?”
- “What is the CIPM Certification?”
Different Subject Matter
While every certification offered by the IAPP covers the broad topic of privacy and data protection, anyone operating in this field knows that there is a significant number of subtopics. These range from building privacy protection into products to the development of organizational privacy notices. The first step, therefore, in determining whether the CIPP or CIPM exam is right for you is to look at the topic areas covered by the pertinent exam.
It is often said that the CIPP certification represents the “What” of privacy protection—i.e., it indicates that you are an expert in the laws and regulations covering the protection of personal data, including how those regulations are applied. It helps you answer questions like: What are the consequences of handling the personal data of minors? What are the implications of allowing a third party to process personal data on our behalf? What laws apply if we start handling personal data related to healthcare?
The high-level domains of knowledge covered by the CIPP/US exam, which are found in a document called the CIPP/US Body of Knowledge, include:
- 1. Introduction to U.S. Privacy Enforcement
- 2. Limits on Private-Sector Collection and Use of Data
- 3. Government and Court Access to Private-Sector Information
- 4. Workplace Privacy
- 5. State Privacy Laws
The domains covered by the CIPP/E exam, found here, include:
- 1. Introduction to European Data Protection
- 2. European Data Protection Law and Regulation
- 3. Compliance with European Data Protection Law and Regulation
The CIPM exam, in contrast, is generally thought of as the “How” of privacy protection. CIPM certification indicates that you are a skilled leader in privacy program management and administration. With the CIPM certification, you indicate that you know how to establish and maintain a privacy program throughout its entire life cycle. It answers questions such as: How do we best respond to a data subject access request? How do we address a data breach? How do we set up a privacy program within a larger organization? In other words, it is more focused on the practical, functional aspects of managing personal data.
The CIPM Body of Knowledge covers the following domains:
- 1. Developing a Privacy Program
- 2. Privacy Program Framework
- 3. Privacy Operational Life Cycle: Assess
- 4. Privacy Operational Life Cycle: Protect
- 5. Privacy Operational Life Cycle: Sustain
- 6. Privacy Operational Life Cycle: Respond
Even though there are many differences between the two certifications, there is some significant overlap as well. Both certifications, for example, require a general understanding of baseline privacy concepts, such as defining the "data controller" or knowing what Fair Information Practices are. The CIPM exam also requires a basic understanding of the GDPR, among other laws.
Who Typically Obtains Each Certification
Another key difference between the CIPP and CIPM certifications is the type of professional that often pursues each credential. Our students have come from a variety of backgrounds and have experience in the law, accounting, project management, consulting, software engineering, information technology, cyber security, human resources, and many other fields. At the same time, however, different professional backgrounds tend to gravitate towards specific certifications.
With its heavy focus on the law of privacy, it should come as little surprise that the CIPP/US and CIPP/E credentials are most commonly sought by legal professionals, such as lawyers and paralegals. Others pursuing the CIPP credential might include risk managers and compliance officers, who need to understand the legal and regulatory landscape in order to effectively manage compliance risks within their organization. Whether the CIPP/US or CIPP/E certification is right for you will largely depend on where you and those you are advising are located.
The CIPM certification, on the other hand, is more commonly sought by privacy professionals who have a broader role in managing privacy programs within their organizations. This may include privacy officers, data protection officers, or other executives or managers who are responsible for overseeing privacy initiatives within their companies. Some other examples might be accountants (especially audit professionals) and consultants.
Keep in mind that just because the CIPP certification is focused heavily on privacy laws and regulations, that does not mean only lawyers should pursue it. On the contrary, most professionals working in a privacy office will tell you that it would be difficult—if not impossible—to effectively do their job without a baseline knowledge of what the law requires with respect to the processing of personal data. And the inverse is also true; lawyers often find obtaining CIPM certification useful as it provides a practical and hands-on approach to managing data, allowing them to better advise their clients on handling privacy issues in the real world. Indeed, we have seen an increase in the number of individuals that ultimately choose to pursue both CIPP and CIPM certification, regardless of which certification they obtain first.
Why Choose?
The IAPP recognizes the significant cross-over between their certifications—it considers obtaining the CIPP/E and CIPM certifications as proving you are “GDPR Ready,” for example. At Privacy Bootcamp, we recognize that reality as well. For that reason, when students enroll in more than one of our courses at the same time, we provide a 10% combination discount off their purchase price. So, get studying the smart way with Privacy Bootcamp, regardless of which certification you choose to pursue first.
