
Complete Guide to Get Your CIPP/E

Learn how to get your CIPP/E with zero upfront knowledge using this start-to-finish guide.

Audience

This article is for any person interested in learning more about privacy and the Certified Information Privacy Professional Europe (CIPP/E) certification. If you want to learn about the General Data Protection Regulation (GDPR) and are pursuing the CIPP/E, this guide is for you.

This guide assumes you do not know about the CIPP/E, the certification process, the requirements to maintain your CIPP/E, or the knowledge required to pass the exam. Following this guide will provide you with a holistic overview and study guide to obtain your CIPP/E.

Disclaimer

Before getting started, please be aware there is a considerable amount of content here. I encourage you to bookmark this page and skip around to the particular sections which are relevant to you. Different sections may be applicable based on where you are at in your certification journey.

If you have feedback on the blog, wish there was a particular section or other advice you would like me to incorporate, then drop me a line. If this guide was useful to you I'd love to hear about it!

What is the CIPP/E?

The CIPP/E is one of the most prolific privacy certifications available today alongside the CIPP/US. Obtaining any of the CIPP certifications demonstrates a foundational understanding of the privacy laws, regulations, and enforcement in a given region. Specifically for the CIPP/E, you can expect to learn about the privacy landscape in Europe and the European Union.

The CIPP/E is offered by the International Association of Privacy Professionals (IAPP), a not-for-profit that helps define, promote, and improve the privacy profession globally. There are currently four active CIPP concentrations including one for Europe (CIPP/E), the United States (CIPP/US), Asia (CIPP/A), and Canada (CIPP/C).

What Will You Learn?

Before diving into how to prepare for the CIPP/E, we first introduce what you can expect to learn from it—that's the goal after all, right?

For an exhaustive list of the topics covered in the CIPP/E, you should refer to the CIPP/E Body of Knowledge. However, the high-level modules that are covered in the CIPP/E are:

  1. Introduction to European Data Protection
  2. European Data Protection Law and Regulation
  3. Compliance with European Data Protection Law and Regulation

Module 1: Introduction to European Data Protection provides essential insight into the history of data protection laws and regulations in Europe and the European Union. It introduces key European Union institutions like the European Parliament, the European Commission, and the Court of Justice of the European Union.

Module 2: European Data Protection Law and Regulation accounts for the vast majority of the testable content of the CIPP/E certification exam. This module serves as a deep dive into the GDPR and is effectively a cover-to-cover read of the regulation itself. While this module is the largest of the three modules, it's important not to neglect Module 1 and Module 3 in your studies.

Module 3: Compliance with European Data Protection Law and Regulation looks at several processing activities and how they interact with European law. These activities include topics like employee monitoring, bring your own device (BYOD), whistleblowers, digital marketing, surveillance, outsourcing, and more.

For a more in-depth look at each of these modules and their corresponding topics, skip ahead to Mapping the Official Textbook.

Study Tools

Studying for any certification can be daunting. The material may be new and unfamiliar or it may be difficult to grok what is relevant to the exam. The following sections break down how long you should study for, the resources available to you, and any other study recommendations.

How Long Should You Study For?

The IAPP recommends that you study for a minimum of 30 hours. Based on anecdata, this seems about right. For reference, I spent ~25 hours preparing for the CIPP/E across a few months.

Depending on your familiarity with certain topics like the GDPR, you may not have to invest this level of time and energy. While 30-40 hours of study time seems about right for most people you may need to invest more or less time based on your experience.

Official Study Tools

For any certification, there is often a plethora of study resources and the CIPP/E is no different. Like many certifications, there is a mix of official and unofficial study tools to help you prepare for the certification exam. The official IAPP resources you may consider include:

  1. Official Textbook (Paid)
  2. EDPB Guidelines and Recommendations (Free)
  3. Body of Knowledge (Free)
  4. Exam Blueprint (Free)
  5. Glossary of CIPP/E Terms (Free)
  6. Sample Exam Questions (Paid)
  7. Online and In-Person Training (Paid)

This is a substantial list so let's walk through each of these individually.

Official Textbook

The resource that will be paramount to your success is the official textbook: European Data Protection, Second Edition.

This book can be bought for $65 (IAPP Members) or $75 (Non-Members), or bought used from other marketplaces. The official textbook clearly outlines the information you'll need to pass the CIPP/E certification exam. This is a must-buy.

EDPB Guidelines and Recommendations

Alongside the official textbook, the IAPP has specified several guidelines and recommendations issued by the European Data Protection Board (EDPB).

The IAPP added these EDPB guidelines and recommendations to the Body of Knowledge (discussed below) in October 2022 and they should be regarded as required reading. For the most part, these EDPB resources reinforce content already discussed in the official textbook, albeit in more depth. Although some of the guidelines and recommendations can be quite long, I found them helpful for solidifying my understanding of key topics like controllers vs. processors, understanding the extraterritorial scope of the GDPR, and more.

I recommend you study these resources alongside the relevant sections in the official textbook but they are provided here for reference:

  1. Guidelines 07/2020 on the concepts of controller and processor in the GDPR
  2. Guidelines 3/2018 on the territorial scope of the GDPR
  3. Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR
  4. Guideline 10/2020 on restrictions under Article 23 GDPR
  5. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
  6. Guidelines 04/2021 on codes of conduct as tools for transfers
  7. Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
  8. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
  9. Guidelines 3/2019 on processing of personal data through video devices
  10. Guidelines 8/2020 on the targeting of social media users

Body of Knowledge & Exam Blueprint

To use the official textbook and EDPB guidelines and recommendations effectively, they should be paired with both the CIPP/E Body of Knowledge and the CIPP/E Exam Blueprint. The Body of Knowledge outlines all testable topics that may be covered on your CIPP/E certification exam and the Exam Blueprint defines how many exam questions to expect on each topic.

You can make the best use of your study time by combining the official textbook, EDPB resources, Body of Knowledge, and Exam Blueprint—this ensures you invest your study time on the most impactful topics. We combine these resources for you in Mapping the Official Textbook.

Glossary of CIPP/E Terms

To supplement your studying, I recommend utilizing the IAPP Glossary of CIPP/E Terms. While some terms provide a varying level of detail, it's useful to ensure you're familiar with the high-level concepts and definitions—of which there are many.

This can be useful as a spot-checking tool to ensure you've studied all relevant topics that may be covered in the CIPP/E certification exam.

Sample Exam Questions

In addition to the free study resources provided by the IAPP mentioned above, you may choose to purchase the CIPP/E Practice Exam. This practice exam contains 90 questions and provides a more realistic look at the types of questions, the format of the exam, etc. The CIPP/E Practice Exam currently costs $45 (IAPP Members) or $55 (Non-Members).

The IAPP previously offered a shorter practice exam comprised of 25 questions that cost $25 (IAPP Members) or $35 (Non-Members) but this is no longer available for purchase.

Although priced higher than the practice exams for other IAPP certifications, these sample questions may still be a worthwhile investment to meet your study goals.

Online and In-Person Training

Finally, the IAPP and various approved partners offer online and in-person training. The cost of this training is substantial ($1,195—$2,100). However, this may be a good fit for you if you have limited time to self-study or if a company is reimbursing the cost of attendance.

These trainings often include a copy of the official textbook, the IAPP sample exam questions, and sometimes a year of IAPP membership. However, the IAPP does not advertise these courses strictly as a "test prep" course. Additionally, anecdata suggests these trainings may be ineffective to prepare you for the exam on their own.

Unofficial Study Tools

In addition to the official study tools mentioned above, there are many third-party resources (free and paid) that you may consider leveraging. These may include textbook outlines, example exam questions, online training, flashcards, and more.

Because we have not verified the quality of particular resources, we will not be linking to any external resources in this article. However, these should be relatively easy to find using your preferred search engine and may be useful.

Mapping the Official Textbook

In this section, we combine four of the resources that are critical to succeeding on the CIPP/E certification—the official textbook, the EDPB guidelines and recommendations, the Body of Knowledge, and the Exam Blueprint.

Each of the following sections represents one of three major modules present in the Body of Knowledge and Exam Blueprint. As a reminder, the Body of Knowledge defines the testable topics for the CIPP/E and the Exam Blueprint specifies how many exam questions to expect for each topic.

Introduction to European Data Protection

As mentioned above, Module 1: Introduction to European Data Protection provides essential insight into the history of data protection laws and regulations in Europe and the European Union. It introduces key European Union institutions like the European Parliament, the European Commission, and the Court of Justice of the European Union.

While Module 1 is the smallest of the 3 modules, if you're less familiar with Europe and the European Union you'll want to spend some time reviewing this module. You can expect between 4 and 10 questions on the following topics:

Table 1: Topic breakdown by chapter for Module 1.
| Topics | Min Questions | Max Questions | Chapter(s) |
|---|---|---|---|
| Origins and Historical Context of Data Protection Law | 0 | 1 | 1, 2 |
| European Union Institutions | 1 | 2 | 2 |
| Legislative Framework | 3 | 7 | 3, 5, 8, 16 |

European Data Protection Law and Regulation

In contrast to Module 1, which is the smallest module, Module 2: European Data Protection Law and Regulation is the largest. This module serves as a deep dive into the GDPR and is effectively a cover-to-cover read of the regulation itself.

This module begins by defining key data protection concepts like personal data and anonymous data, what constitutes processing, the roles and responsibilities of controllers and processors, and the extraterritorial nature of the GDPR.

The module then shifts toward data processing principles and lawful processing criteria which outline fundamental principles that must be adhered to and the legal bases that constitute the lawful processing of data.

To close things out, Module 2 focuses on data subjects' rights, accountability of controllers and processors, requirements for international data transfers, and the supervision, enforcement, and fines associated with the GDPR.

Module 2 is responsible for between 42 and 69 questions on the CIPP/E certification exam and covers the following topics:

Table 2: Topic breakdown by chapter for Module 2.
| Topics | Min Questions | Max Questions | Chapter(s) |
|---|---|---|---|
| Data Protection Concepts | 3 | 6 | 4 |
| Territorial and Material Scope of the General Data Protection Regulation | 2 | 4 | 5 |
| Data Processing Principles | 4 | 5 | 6 |
| Lawful Processing Criteria | 3 | 5 | 7 |
| Information Provision Obligations | 5 | 8 | 8, 9 |
| Data Subjects' Rights | 8 | 11 | 9 |
| Security of Personal Data | 5 | 9 | 10 |
| Accountability Requirements | 4 | 7 | 11, 13 |
| International Data Transfers | 4 | 6 | 11, 12 |
| Supervision and Enforcement | 2 | 4 | 13 |
| Consequences for GDPR Violations | 2 | 4 | 13 |

In addition to the mapping provided above in Table 2, the majority of the EDPB Guidelines and Recommendations specified in the Body of Knowledge are covered in Module 2:

  1. Guidelines 07/2020 on the concepts of controller and processor in the GDPR
  2. Guidelines 3/2018 on the territorial scope of the GDPR
  3. Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR
  4. Guideline 10/2020 on restrictions under Article 23 GDPR
  5. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
  6. Guidelines 04/2021 on codes of conduct as tools for transfers
  7. Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
  8. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data

Compliance with European Data Protection Law and Regulation

While Module 2 focuses more broadly on the GDPR, Module 3: Compliance with European Data Protection Law and Regulation homes in on compliance with specific processing activities and various European laws.

Module 3 starts by considering requirements around processing employee data, workplace monitoring and data loss prevention, works councils, as well as whistleblower and bring your own device policies and programs.

Next, Module 3 digs into video and communications surveillance, as well as the use of biometric and location data. I would recommend reviewing the EDPB guideline on processing personal data through video devices as a good supplement for these chapters.

From here, Module 3 shifts its focus toward data protection and direct marketing. This covers everything from postal, telephone, and fax marketing to email, text, and online behavioral advertising. Module 3 closes out with a focus on outsourcing, cloud computing, international data transfers, cookies, search engines, social networks, and more.

Module 3 is the second largest module and you can expect to see between 9 and 18 total questions on the following topics:

Table 3: Topic breakdown by chapter for Module 3.
| Topics | Min Questions | Max Questions | Chapter(s) |
|---|---|---|---|
| Employment Relationship | 3 | 5 | 14 |
| Surveillance Activities | 1 | 4 | 15 |
| Direct Marketing | 3 | 5 | 16 |
| Internet Technology and Communications | 2 | 4 | 17 |

While there are substantially fewer EDPB guidelines and recommendations relevant to Module 3, they are nonetheless important. These EDPB resources include:

  1. Guidelines 3/2019 on processing of personal data through video devices
  2. Guidelines 8/2020 on the targeting of social media users

Exam Details

Now that you're equipped with a high-level idea of the knowledge required, we can talk about the certification exam itself. If you've taken other certification exams, the CIPP/E follows a familiar format.

General Information

The CIPP/E certification exam is a 2.5-hour exam with 90 multiple-choice questions, of which 75 are scored. In other words, there are 15 questions present on the CIPP/E certification exam that do not contribute to your overall score.

Each question has one correct answer and three distractors. Some questions are scenario-based, where you are asked to apply your knowledge to a hypothetical situation.

There is no publicly available information related to the exact score required to pass the CIPP/E exam. However, "passing scores range between about 65 and 80 percent correct."

Registering for the Exam

To register for the CIPP/E certification exam you must purchase it from IAPP. For first-time takers, the cost comes in at $550. However, if you maintain another IAPP certification or attempt the CIPP/E for the second time the cost is reduced to $375.

In addition to the exam cost, you must pay a Certification Maintenance Fee or become an IAPP Member after passing the exam. If you become an IAPP Member the Certification Maintenance Fee is waived, and you get access to various IAPP resources. I recommend referencing the options below to determine the option that best fits your situation:

Table 4: Options for recurring costs of maintaining your CIPP/E.
| Description | Cost | Period |
|---|---|---|
| Certification Maintenance Fee | $250 | 2 Years |
| IAPP Membership (Professional) | $275 | 1 Year |
| IAPP Membership (Higher Education) | $100 | 1 Year |
| IAPP Membership (Not-For-Profit) | $100 | 1 Year |
| IAPP Membership (Government) | $100 | 1 Year |
| IAPP Membership (Retired) | $100 | 1 Year |
| IAPP Membership (Student) | $50 | 1 Year |

Studying for the Exam

Now that you have an idea of the study tools and materials available to you, we can move on to studying for the CIPP/E Certification Exam. Before we jump in, it's worthwhile to note that the CIPP/E covers a significant breadth and depth of knowledge—keep this in mind while studying.

My recommended path to success for the CIPP/E is:

  1. Take the sample exam
  2. Read the book and EDPB Guidelines and Recommendations
  3. Create an outline
  4. Study the glossary terms
  5. Review knowledge gaps

Take the Sample Exam

Before diving into European Data Protection, Second Edition, I recommend you review the IAPP Sample Exam Questions. No worries if you decided not to purchase them; you can skip this step and proceed to the next step: Read the Book.

Reviewing these sample exam questions is useful for framing your first read of the official textbook. It helps you understand the type of question, as well as the type of information you should keep an eye out for.

If you have experience with European data protection law, you may want to actually take the practice exam. This should provide you a baseline of which topics you may be more or less familiar with and help guide your studying as well.

Read the Book and EDPB Guidelines and Recommendations

If you purchased the IAPP Sample Exam Questions and have not reviewed them, go back to Take the Sample Exam. If you have reviewed them (or you did not purchase them), great! Let's move on.

The next step in studying is to read the book. If you only rely on one resource to study for the CIPP/E Certification Exam it should be the official textbook. The topics in the text map nearly verbatim to those in the Body of Knowledge and the Exam Blueprint. If you're looking for a high-level overview of where you may want to focus your attention, refer to Mapping the Official Textbook.

You will need to know the content from every single chapter in the textbook. You should plan to read every chapter at least once and may find yourself reviewing them multiple times. When reading, keep an eye out for details that look relevant, based on your experience with the sample exam questions.

The IAPP Privacy Certification Candidate Handbook states that questions on the exam may be related to scenarios. These are hypothetical situations where you may be asked to decipher whether a particular law may apply. As you're reading, try to think about how you may encounter particular concepts in your day-to-day life e.g., is a company a controller, processor, or joint controller—why?

It may be worthwhile breezing through the book once, before stopping to take copious notes. This will allow you to get a bigger picture understanding of the type of material that you'll be expected to learn for the CIPP/E certification exam. On your second pass, you may want to create an outline.

Create an Outline

The CIPP/E certification exam lends itself particularly well to creating an outline. If you come from a legal background this process may be second nature to you. However, for others, the concept of an outline may be unfamiliar.

Usually, a good outline starts with a syllabus. The "syllabus" for the CIPP/E is the Body of Knowledge—I'd start here.

While outlines may not come naturally to you, this may be an invaluable study resource that you create. While you can find CIPP/E outlines online, oftentimes some of the best ones are written by yourself. These outlines help prevent you from reading the entire textbook multiple times and instead allow you to focus on the exact content that matters.

Study the Glossary Terms

To supplement Reading the Book and Creating an Outline, I recommend reviewing the IAPP Glossary of CIPP/E Terms. This should help solidify your understanding of key terms, as well as augment your outline with reliable definitions.

However, it's important to note that just because the IAPP provides this glossary, it does not mean the terms have perfect or complete definitions. I encourage you to double-check these terms and build your understanding of them while using the glossary as a guide and reference point.

Review Knowledge Gaps

Do a final double-check that you are aware of and have a solid understanding of the topics in the Body of Knowledge. For example, if you're unsure of a particular institution and its responsibilities e.g., European Commission vs. European Parliament, spend a bit more time here. If you're still flipping controllers and processors or don't understand the obligations of each, it's probably worth revisiting.

You Passed, Now What?

After you pass the CIPP/E exam your next step should be to celebrate—Congratulations! After congratulating yourself and adding your shiny new certification to LinkedIn, you should consider what's next.

Continuing Privacy Education

In addition to becoming an IAPP Member or paying your Certification Maintenance Fee, you also must submit Continuing Privacy Education (CPE) credits. To maintain your CIPP/E, you must submit a total of 20 CPEs every 2 years per certification. So what are CPEs?

CPEs are IAPP's mechanism to ensure certification holders remain up-to-date with the latest in privacy. You can select any resources which apply to the content covered by the CIPP/E. For a complete guide to CPEs refer to IAPP's CPE Policy. Generally, CPEs can be obtained through:

  1. Books & Whitepapers
  2. Events
  3. News
  4. Tools & Resources
  5. Training
  6. Videos
  7. Web Conferences

IAPP provides an invaluable resource for managing CPEs—CPE Central. Please note, you must be signed in to IAPP to see this resource. CPE Central provides access to a curated list of resources guaranteed to satisfy the CPE requirements for the CIPP/E. You can filter based on the categories above, free vs. paid resources, the number of credits, and the given certification type e.g., CIPP/E, CIPM, CIPT.

Wrapping Up

I sincerely hope this guide was accessible, useful, and practical for you. If you have any feedback or would like to share your successes (or failures) with me, please let me know. Cheers.