The Certified Information Privacy Manager (CIPM) exam is administered by the International Association of Privacy Professionals (IAPP). When studying for this exam, students should be guided by a document that the IAPP refers to as the Body of Knowledge (BoK). The BoK identifies the topics that will be tested on the CIPM exam. It is updated annually to keep pace with the constantly changing privacy governance landscape.
This year, the IAPP took an entirely new approach towards the CIPM BoK. These changes took many by surprise, as the IAPP walked away from its prior approach, which listed the exam topics in a neatly organized outline format. This is now the second time in recent years that the IAPP has significantly upended the CIPM BoK (the last time being in 2020). In this article, we aim to demystify this recent overhaul, including by mapping the new BoK to the topics listed in prior BoKs.
What is the New Approach?
Prior versions of the CIPM BoK were presented in a well-organized, nested outline format. Under the new approach adopted by the IAPP, however, the BoK now lists various “competencies,” along with “performance indicators” that match up to each competency. The IAPP describes competencies as “clusters of connected tasks and abilities that constitute a body of knowledge domain.” Performance indicators, on the other hand, “are the discrete tasks and abilities that constitute the broader competence group.” The exam itself aims to “assess a privacy professional’s proficiency on the performance indicators.”
Interestingly, the IAPP has not taken this same approach to all of its certification exams. The newly updated BoKs for the Certified Information Privacy Professional / U.S. (CIPP/US), Certified Information Privacy Professional / Europe (CIPP/E), and Certified Information Privacy Technologist (CIPT) designations all continue to adhere to the traditional outline format. The IAPP, however, recently announced the creation of a new certification—called the Artificial Intelligence Governance Professional (AIGP) certification—that has a BoK using the same approach as the new CIPM BoK. (The BoK for the AIGP certification can be found here).
What About the Exam Blueprint?
If you are familiar with how the IAPP has traditionally approached the CIPM BoK, you know that the BoK is paired with another document called the Exam Blueprint. The Exam Blueprint indicates the number of questions (given as a range) that students should expect to see on their exam with respect to each identified topic or concept. This year, the IAPP has combined the Exam Blueprint and the BoK into one document.
A High-Level Overview of What Changed
The obvious question for test-takers is: how does this affect what I need to study?
A good starting point for understanding the practical implications of this new BoK structure is to understand the potential magnitude of these annual changes. Several times in the past, the IAPP has stated that annual updates to its certification exams will include new content that will account for, at most, 10-15% of the exam. By mapping the old BoK to the new BoK, we find that this continues to be the case.
Next, let’s consider what the IAPP has to say about this new format. The IAPP has described the high-level changes to its BoK for the CIPM certification as follows:
- “Domain I Developing a Privacy Program and Domain II The Privacy Program Framework were combined into a single domain; Domain I Developing a Framework”
- “A new Domain II was added; Domain II: Establishing Program Governance”
Based on this description, one would expect all of the content in old Domains I and II to have been combined into the new Domain I, and new Domain II to consist entirely of new content. That, however, is not the case, as the mapping exercise below shows.
After comparing the new BoK with the BoK from last year, it appears as though the IAPP is attempting to accomplish at least two different things in reorganizing certain aspects of the CIPM exam. First, the IAPP has taken the component parts of each topic/concept and more closely aligned each with the structure of the Privacy Operational Life Cycle. And second, the IAPP has attempted to align the BoK more closely with the text of the third edition of the book Privacy Program Management: Tools for Managing Privacy Within Your Organization.
Aligning the Content with the Privacy Operational Life Cycle
Previously, the IAPP tried to maintain a cohesive approach to high-level topics by keeping them together within the larger structure of the BoK. At times, this created an awkward fit for some subtopics, especially where the broader topic had components that might arise across all steps in the privacy operational life cycle. This is best illustrated by an example or two (of which there are many).
Example 1 - Under the prior BoK, the topic “Privacy Incident Response” was contained entirely in “Domain VI – Privacy Operational Life Cycle: Respond.” Its subtopics included, for example, “Incident Response Planning.” Planning for a response, however, is not the same as the response itself; planning should precede the response. Placing the planning aspects of this topic in the respond step of the privacy operational life cycle never made complete sense, but it did keep the entire topic of privacy incident response together as a cohesive unit. The IAPP appears to have reconsidered this decision, and has now moved planning for a response to a privacy incident into “Domain II – Privacy Program: Establishing Program Governance” under the competency “Clarifying roles and responsibilities.”
Example 2 - The IAPP previously included the entire topic of privacy metrics under the domain covering privacy program frameworks. While the competency of “Defin[ing] privacy metrics for oversight” continues to be included in Domain II, the competency of “Us[ing] metrics to measure the performance of the privacy program” is now categorized in “Domain V – Privacy Program Operational Life Cycle: Sustaining Program Performance.” By breaking this broader topic up across several different domains, the IAPP has more closely aligned each aspect of utilizing privacy metrics with the privacy operational life cycle.
Aligning the Content with Authoritative Text
The IAPP suggests that the third edition of the book Privacy Program Management: Tools for Managing Privacy Within Your Organization is the most authoritative resource for those studying for the CIPM exam. At the same time, however, IAPP and the book itself have received a significant amount of criticism over the years because the structure of this book seems entirely detached from the historic structure of the CIPM BoK. Additionally, this book covers various topics that were not historically listed in the BoK. This made the text a somewhat difficult tool to use for studying purposes. The annual update this year takes a small step towards more closely aligning the BoK with this resource.
The below two examples help illustrate this point.
Example 1 - Privacy notices and consent to data processing are two topics that the CIPM exam has always covered implicitly, even though the terms “consent” and “privacy notice” do not appear anywhere in prior years’ BoKs. The third edition of Privacy Program Management, by contrast, includes a chapter on responding to data subject rights with sub-chapters covering “Privacy Notices and Policies,” “Choice, Consent, and Opt-Outs,” and “Obtaining Consents from Children.” The new BoK now includes, under the competency “Respond to data subject access requests and privacy rights,” the following two performance indicators: (1) “Ensure privacy notices and policies are transparent and clearly articulate data subject rights”; and (2) “Comply with [an] organization’s privacy policies around consent.”
Example 2 - Privacy Program Management contains a subchapter entitled “Terminology: Security incident versus breach.” The new BoK contains a new performance indicator stating: “Adopt privacy program vocabulary (e.g., incident vs breach).”
The above are just two examples of this trend. There are many other places in the newly restructured BoK where it appears that the IAPP is attempting to better align this document with the structure of the third edition of Privacy Program Management.
Are There Any New Topics or Concepts That I Should Be Studying?
Yes, there are several new topics included in this reorganized BoK that do not have a close counterpart in the previous year’s BoK. These new topics include:
- Performance Indicator I.B.3 – Communicate organizational vision and mission statement: Adopt privacy program vocabulary (e.g., incident vs. breach).
- Performance Indicator II.C.2 – Define privacy metrics for oversight and governance: Understand purposes, types and life cycles of audits in evaluating effectiveness of controls throughout organization’s operations, systems and processes.
- Performance Indicator IV.C.4 – Apply organizational guidelines for data use and ensure technical controls are enforced: Collaborate with privacy technologists to enable technical controls for obfuscation, data minimization, security and other privacy enhancing technologies.
- Performance Indicator V.C.4 – Manage continuous assessment of the privacy program: Ensure AI usage is ethical, unbiased, and meets data minimization and purpose limitation expectations and is in compliance with any regulations and/or privacy laws.
- Performance Indicator VI.A.1 – Respond to data subject access requests and privacy rights: Ensure privacy notices and policies are transparent and clearly articulate data subject rights.
- Performance Indicator VI.A.2 – Respond to data subject access requests and privacy rights: Comply with organization’s privacy policies around consent (e.g., withdrawals of consent, rectification requests, objections to processing, access to data and complaints).
As noted above, some of these topics were already implicitly covered on the CIPM exam, but with this annual update, the IAPP has now expressly included these topics in its BoK.
Mapping the New BoK to The Topics Listed in Last Year’s BoK
In moving to the new structure for the CIPM BoK, the IAPP has removed much of the detail about what topics are covered on the exam, replacing it with broader concepts (i.e., what the IAPP now refers to as “performance indicators”). We have mapped each of these performance indicators to last year’s BoK in order to help students preserve some of this detail as they study.
NOTE: Some of the phrasing used by the IAPP has also changed. The below chart attempts to match previous topics with the new performance indicators based upon our subjective understanding. Additionally, some topics from the 2022 BoK are mapped to more than one performance indicator in the charts below.
Domain I – Privacy Program Framework: Developing a Framework
Competency I.A – Define program scope and develop a privacy strategy
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Choose applicable governance model. | Module I.B.a – I.B.c B. Establish a Data Governance model a. Centralized b. Distributed c. Hybrid |
Identify the source, types and uses of personal information (PI) within the organization. | Module I.C.a – I.C.b C. Define a privacy program a. Define program scope and charter b. Identify the source, types, and uses of personal information (PI) within the organization and the applicable laws |
Structure the privacy team. | Module I.D.a – I.D.c D. Structure the privacy team a. Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization (eg Chief Privacy Officer, DPO, Privacy manager, Privacy analysts, Privacy champions, "First responders") b. Designate a point of contact for privacy issues c. Establish/endorse the measurement of professional competency |
Identify stakeholders and internal partnerships. | Module I.C.c c. Develop a privacy strategy i. Business alignment 1. Finalize the business case for privacy 2. Identify stakeholders 3. Leverage key functions 4. Create a process for interfacing within organization 5. Align organizational culture and privacy/data protection objectives ii. Obtain funding/budget for privacy and the privacy team iii. Develop a data governance strategy for processing personal information (e.g. collect, use, access, share, transfer, destroy) iv. Ensure program flexibility in order to incorporate legislative/regulatory/market/business requirements |
Competency I.B – Communicate organizational vision and mission statement
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Create awareness of the organization’s privacy program internally and externally. | Module I.E.a - I.E.b, II.B.a E. Communicate a. Create awareness of the organization's privacy program internally and externally (e.g. PR, Corporate Communication, HR) b. Develop internal and external communication plans to ingrain organizational accountability ... B. Implement the Privacy Program Framework a. Communicate the framework to internal and external stakeholders |
Ensure employees have access to policies and procedures and updates relative to their role(s). | Module I.E.c E. Communicate ... c. Ensure employees have access to policies and procedures and updates relative to their role |
Adopt privacy program vocabulary (e.g., incident vs breach). | NEW |
Competency I.C – Indicate in-scope laws, regulations and standards applicable to the program
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Understand territorial, sectoral and industry regulations and/or laws. | Module II.B.b.i - II.B.b.ii B. Implement the Privacy Program Framework ... b. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework i. Understand territorial regulations and/or laws (eg GDPR, CCPA, LGPD) ii. Understand sectoral and industry regulations and/or laws (eg HIPAA, GLBA) |
Understand penalties for non-compliance. | Module II.B.b.iii B. Implement the Privacy Program Framework ... b. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework ... iii. Understand penalties for noncompliance with laws and regulations |
Understand scope and authority of oversight agencies. | Module II.B.b.iv B. Implement the Privacy Program Framework ... b. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework ... iv. Understand the scope and authority of oversight agencies (e.g., Data Protection Authorities, Privacy Commissioners, Federal Trade Commission, etc.) |
Understand privacy implications of doing business or basing operations in countries with inadequate privacy laws. | Module II.B.b.v B. Implement the Privacy Program Framework ... b. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework ... v. Understand privacy implications of doing business with or basing operations in countries with inadequate, or without, privacy laws |
Domain II – Privacy Program: Establishing Program Governance
Competency II.A – Create policies and processes to be followed across all stages of the privacy program life cycle
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Establish the organizational model, responsibilities, and reporting structure appropriate to size of organization. | Module I.D.a D. Structure the privacy team a. Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization (eg Chief Privacy Officer, DPO, Privacy manager, Privacy analysts, Privacy champions, "First responders") |
Define well-designed policies related to the processing of the organization’s data holdings, data sharing, taking into account both legal and ethical requirements. | Module II.A.a, II.B.c A. Develop the Privacy Program Framework a. Develop organizational privacy policies, procedures, standards, and/or guidelines ... B. Implement the Privacy Program Framework ... c. Understanding data sharing agreements i. International data sharing agreements ii. Vendor agreement iii. Affiliate and subsidiary agreements |
Identify collection points considering transparency and integrity limitations of collection of data. | Module II.C.d C. Develop Appropriate Metrics ... d. Identify systems/application collection points |
Create a plan for breach management. | Module II.A.b.vi, VI.B.b A. Develop the Privacy Program Framework ... b. Define privacy program activities ... vi. Incident response and process, including jurisdictional requirements ... B. Privacy incident response ... b. Incident response planning i. Understand key roles and responsibilities 1. Identify key business stakeholders a) Information security b) Legal c) Head of compliance d) Audit e) Human resources f) Marketing g) Business development h) Communications and public relations i) External parties 2. Establish incident oversight teams 3. Develop a privacy incident response plan 4. Identify elements of the privacy incident response plan 5. Integrate privacy incident response into business continuity planning |
Create a plan for complaint handling procedures. | Module II.A.b.ix A. Develop the Privacy Program Framework ... b. Define privacy program activities ... ix. Plan inquiry/complaint handling procedures (customers, regulators, etc.) |
Competency II.B – Clarifying roles and responsibilities
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Define the roles and responsibilities for managing the sharing and disclosure of data for internal and external use. | Module IV.D.d D. Technical and Organizational measures ... d. Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use |
Define roles and responsibilities for breach response by function, including stakeholders and their accountability to regulators, coordinating detection teams (e.g., IT, physical security, HR, investigation teams, vendors) and establishing oversight teams. | Module VI.B.b.i B. Privacy incident response ... b. Incident response planning i. Understand key roles and responsibilities 1. Identify key business stakeholders a) Information security b) Legal c) Head of compliance d) Audit e) Human resources f) Marketing g) Business development h) Communications and public relations i) External parties |
Competency II.C – Define privacy metrics for oversight and governance
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Create metrics per audience and/or identify intended audience for metrics with clear processes describing purpose, value and reporting of metrics. | Module II.C.a, II.C.b C. Develop Appropriate Metrics a. Identify intended audience for metrics b. Define reporting resources |
Understand purposes, types and life cycles of audits in evaluating effectiveness of controls throughout organization’s operations, systems and processes. | NEW |
Establish monitoring and enforcement systems to track multiple jurisdictions for changes in privacy law to ensure continuous alignment. | Module II.B.b.vi-II.B.b.vii B. Implement the Privacy Program Framework ... b. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework ... vi. Maintain the ability to manage a global privacy function vii. Maintain the ability to track multiple jurisdictions for changes in privacy law |
Competency II.D – Establish training and awareness activities
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Develop targeted employee, management, and contractor trainings at all stages of the privacy life cycle. | Module V.B.e B. Audit e. Targeted employee, management and contractor training i. Privacy policies ii. Operational privacy practices (e.g., standard operating instructions), such as 1. Data creation/usage/retention/disposal 2. Access control 3. Reporting incidents 4. Key contacts |
Create continuous privacy program activities (e.g., education and awareness, monitoring internal compliance, program assurance, including audits, complaint handling procedures). | Module II.A.b A. Develop the Privacy Program Framework ... b. Define privacy program activities i. Education and awareness ii. Monitoring and responding to the regulatory environment iii. Monitoring internal privacy policy compliance iv. Data inventories, data flows, and classifications designed to identify what personal data your organization processes v. Risk assessment (Privacy Impact Assessments [PIAs]) (e,g., DPIAs, etc.) vi. Incident response and process, including jurisdictional requirements vii. Remediation oversight viii. Program assurance, including audits ix. Plan inquiry/complaint handling procedures (customers, regulators, etc.) |
Domain III – Privacy Program Operational Life Cycle: Assessing Data
Competency III.A – Document data governance systems
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Map data inventories, map data flows, map data life cycle and system integrations. | Module III.A.d A. Document current baseline of your privacy program ... d. Data, systems and process assessment i. Map data inventories, flows, lifecycle and system integrations |
Measure policy compliance against internal and external requirements. | Module III.A.c A. Document current baseline of your privacy program ... c. Assess policy compliance against internal and external requirements |
Determine desired state and perform gap analysis against an accepted standard or law. | Module III.A.g A. Document current baseline of your privacy program ... g. Determine desired state and perform gap analysis against an accepted standard or law (including GDPR) |
Competency III.B – Evaluate processors and third-party vendors
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Identify risks of insourcing and outsourcing data, including contractual requirements and rules of international data transfers. | Module III.B.a B. Processors and third-party vendor assessment a. Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks, including rules of international data transfer i. Privacy and information security policies ii. Access controls iii. Where personal information is being held iv. Review and set limits on vendor internal use of personal information |
Carry out assessments at the most appropriate functional level within the organization (e.g., procurement, internal audit, information security, physical security, data protection authority). | Module III.B.b B. Processors and third-party vendor assessment ... b. Understand and leverage the different types of relationships i. Internal audit ii. Information security iii. Physical security iv. Data protection authority |
Competency III.C – Evaluate physical and environmental controls
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Identify operational risks of physical locations (e.g., data centers and offices) and physical controls (e.g., document retention and destruction, media sanitization and disposal, device forensics and device security). | Module III.C C. Physical assessments a. Identify operational risk i. Data centers and offices ii. Physical access controls iii. Document retention and destruction iv. Media sanitization and disposal (e.g., hard drives, USB/thumb drives, etc.) v. Device forensics vi. Device security (e.g., mobile devices, Internet of Things (IoT), geotracking, imaging/copier hard drive security controls) |
Competency III.D – Evaluate technical controls
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Identify operational risks of digital processing (e.g., servers, storage, infrastructure and cloud). | Module III.B.c.iii-iv, vii B. Processors and third-party vendor assessment ... c. Risk assessment ... iii. Technologies and processing methods deployed (eg Cloud Computing) iv. Legal compliance ... vii. Determine minimum standards for safeguarding information |
Review and set limits on use of personal data (e.g. role-based access). | Module IV.A.a A. Information security practices a. Access controls for physical and virtual systems i. Least privileged access (eg need to know) ii. Account management (e.g., provision process) |
Review and set limits on records retention. | Module III.B.c.v, IV.D.b - IV.D.c B. Processors and third-party vendor assessment ... c. Risk assessment ... v. Records retention ... D. Technical and Organizational measures ... b. Manage data retention with respect to the organization's policies c. Define the methods for physical and electronic data destruction |
Determine the location of data, including cross-border data flows. | Module III.B.c.ii-iii, III.B.c.vii B. Processors and third-party vendor assessment ... c. Risk assessment ... ii. Location of data iii. Technologies and processing methods deployed (eg Cloud Computing) ... vii. Determine minimum standards for safeguarding information |
Competency III.E – Evaluate risks associated with shared data in mergers, acquisitions, and divestitures
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Complete due diligence procedures. | Module III.D.a D. Mergers, acquisitions and divestitures a. Due diligence procedures |
Evaluate contractual and data sharing obligations, including laws, regulations and standards. | Module III.D.b-III.D.c D. Mergers, acquisitions and divestitures ... b. Review contractual and data sharing obligations c. Risk assessment |
Conduct risk and control alignment. | Module III.D.d D. Mergers, acquisitions and divestitures ... d. Risk and control alignment |
Domain IV – Privacy Program Operational Life Cycle: Protecting Personal Data
Competency IV.A – Apply information security practices and policies
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Classify data to the applicable classification scheme (e.g., public, confidential, restricted). | Module II.A.b.iv A. Develop the Privacy Program Framework ... b. Define privacy program activities ... iv. Data inventories, data flows, and classifications designed to identify what personal data your organization processes |
Understand purposes and limitations of different controls. | Module IV.A.b A. Information security practices ... b. Technical security controls (including relevant policies and procedures) |
Identify risks and implement applicable access controls. | Module IV.A.a A. Information security practices a. Access controls for physical and virtual systems i. Least privileged access (eg need to know) ii. Account management (e.g., provision process) iii. Privilege management |
Use appropriate organizational measures to mitigate any residual risk. | Module IV.D.f-g D. Technical and Organizational measures ... f. Define policies related to the processing (including collection, use, retention, disclosure and disposal) of organization's data holdings, taking into account both legal and ethical requirements g. Implement appropriate administrative safeguards, such as policies, procedures, and contracts |
Competency IV.B – Integrate the main principles of Privacy by Design (PbD)
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Integrate privacy through the System Development Life Cycle (SDLC). | Module IV.B.a-b B. Privacy by Design (PbD) a. Integrate privacy throughout the system development life cycle (SDLC) b. Establish privacy gates as part of the system development framework |
Integrate privacy through business process. | Module IV.B.c-d B. Privacy by Design (PbD) ... c. Integrate privacy through business processes d. Communicate with stakeholders the importance of PIAs and PbD |
Competency IV.C – Apply organizational guidelines for data use and ensure technical controls are enforced
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Verify that guidelines for secondary uses of data are followed. | Module IV.D.e D. Technical and Organizational measures ... e. Determine and implement guidelines for secondary uses (ex: research, etc.) |
Verify that administrative safeguards such as vendor and HR policies, procedures and contracts are applied. | Module IV.D.g D. Technical and Organizational measures ... g. Implement appropriate administrative safeguards, such as policies, procedures, and contracts |
Ensure applicable employee access controls and data classifications are activated. | Module IV.A.a A. Information security practices a. Access controls for physical and virtual systems i. Least privileged access (eg need to know) ii. Account management (e.g., provision process) iii. Privilege management |
Collaborate with privacy technologists to enable technical controls for obfuscation, data minimization, security and other privacy enhancing technologies. | NEW |
Domain V – Privacy Program Operational Life Cycle: Sustaining Program Performance
Competency V.A – Use metrics to measure the performance of the privacy program
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Determine appropriate metrics for different objectives and analyze data collected through metrics (e.g., trending, ROI, business resiliency, PMM). | Module II.C.c C. Develop Appropriate Metrics ... c. Define privacy metrics for oversight and governance per audience i. Compliance metrics (examples, will vary by organization) 1. Collection (notice) 2. Responses to data subject inquiries 3. Retention 4. Disclosure to third parties 5. Incidents (breaches, complaints, inquiries) 6. Employees trained 7. PIA/DPIA metrics 8. Privacy risk indicators 9. Percent of company functions represented by governance mechanisms ii. Trend Analysis iii. Privacy program return on investment (ROI) iv. Business resiliency metrics v. Privacy program maturity level vi. Resource utilization |
Collect metrics to link training and awareness activities to reductions in privacy events and continuously improve the privacy program based on the metrics collected. | Module V.A A. Monitor a. Environment (e.g., systems, applications) monitoring b. Monitor compliance with established privacy policies c. Monitor regulatory and legislative changes d. Compliance monitoring (e.g. collection, use and retention) i. Internal audit ii. Self-regulation iii. Retention strategy iv. Exit strategy |
Competency V.B – Audit the privacy program
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Understand the types, purposes, and life cycles of audits in evaluating effectiveness of controls throughout organization’s operations, systems and processes. | Module V.B.a B. Audit a. Align privacy operations to an internal and external compliance audit program i. Knowledge of audit processes and maintenance of an "audit trail" ii. Assess against industry standards iii. Utilize and report on regulator compliance assessment tools |
Select applicable forms of monitoring based upon program goals (e.g., audits, controls, sub-contractors) and complete compliance monitoring through auditing of privacy policies, controls, and standards, including against industry standards, regulatory and/or legislative changes. | Module V.B.b-V.B.d B. Audit ... b. Audit compliance with privacy policies and standards c. Audit data integrity and quality and communicate audit findings with stakeholders d. Audit information access, modification and disclosure accounting |
Competency V.C – Manage continuous assessment of the privacy program
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Conduct risk assessments on systems, applications, processes, and activities. | Module III.E.b.ii E. Privacy Assessments and Documentation ... b. Define a process for conducting privacy assessments (e.g., PIA, DPIA, TIA, LIA) ... ii. Incorporate privacy assessments into system, process, data life cycles |
Understand the purpose and life cycle for each assessment type (e.g., PIA, DPIA, TIA, LIA, PTA). | Module III.E.a - III.E.b.i E. Privacy Assessments and Documentation a. Privacy Threshold Analysis (PTAs) on systems, applications and processes b. Define a process for conducting privacy assessments (e.g., PIA, DPIA, TIA, LIA) i. Understand the life cycle of each assessment type |
Implement risk mitigation and communications with internal and external stakeholders after mergers, acquisitions, and divestitures. | Module III.D.e D. Mergers, acquisitions and divestitures ... e. Post integration planning and risk mitigation |
Ensure AI usage is ethical, unbiased, meets data minimization and purpose limitation expectations and is in compliance with any regulations and/or privacy laws. | NEW |
Domain VI – Privacy Program Operational Life Cycle: Responding to Requests and Incidents
Competency VI.A – Respond to data subject access requests and privacy rights
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Ensure privacy notices and policies are transparent and clearly articulate data subject rights. | NEW |
Comply with organization’s privacy policies around consent (e.g., withdrawals of consent, rectification requests, objections to processing, access to data and complaints). | NEW |
Understand and comply with established international, federal, and state legislation around data subjects’ rights of control over their personal information (e.g., GDPR, HIPAA, CAN-SPAM, FOIA, CCPA/CPRA). | Module VI.A A. Data-subject information requests and privacy rights a. Access b. Redress c. Correction d. Managing data integrity e. Right of Erasure f. Right to be informed g. Control over use of data, including objection to processing h. Complaints including file reviews |
Competency VI.B – Follow organizational incident handling and response procedures
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Conduct a risk assessment about the incident. | Module VI.B.d.ii B. Privacy incident response ... d. Incident handling ... ii. Conduct risk assessment |
Perform containment activities. | Module VI.B.d.iii B. Privacy incident response ... d. Incident handling ... iii. Perform containment activities |
Identify and implement remediation measures. | Module VI.B.d.iv B. Privacy incident response ... d. Incident handling ... iv. Identify and implement remediation measures |
Communicate to stakeholders in compliance with jurisdictional, global and business requirements. | Module VI.B.d.v, VI.B.d.vi, VI.B.e B. Privacy incident response ... d. Incident handling ... v. Develop a communications plan to notify executive management ... e. Follow incident response process to ensure meeting jurisdictional, global and business requirements |
Engage privacy team to review facts, determine actions and execute plans. | Module VI.B.e.i-VI.B.e.v B. Privacy incident response ... e. Follow incident response process to ensure meeting jurisdictional, global and business requirements i. Engage privacy team ii. Review the facts iii. Conduct analysis iv. Determine actions (contain, communicate, etc.) v. Execute |
Maintain an incident register and associated records of the incident. | Module VI.B.e.vi B. Privacy incident response ... e. Follow incident response process to ensure meeting jurisdictional, global and business requirements ... vi. Maintain an incident register and associated records of the incident management |
Competency VI.C – Evaluate and modify current incident response plan
2023 Performance Indicator | 2022 Body of Knowledge |
---|---|
Carry out post-incident reviews to improve the effectiveness of the plan. | Module VI.B.e.vii-viii, VI.B.f B. Privacy incident response ... e. Follow incident response process to ensure meeting jurisdictional, global and business requirements ... vii. Monitor viii. Review and apply lessons learned f. Identify incident reduction techniques |
Implement changes to reduce the chance of further breaches. | Module VI.B.e.viii B. Privacy incident response ... e. Follow incident response process to ensure meeting jurisdictional, global and business requirements ... viii. Review and apply lessons learned |
When Do These Changes Go into Effect?
The changes discussed throughout this article go into effect on October 2, 2023.
Is Privacy Bootcamp’s CIPM Course Up to Date?
Yes, all of our courses are up to date. At Privacy Bootcamp, we comprehensively update our courses once a year to correspond to the updated Body of Knowledge and Exam Blueprint. In addition, we provide smaller updates throughout the year in response to important events and student feedback. Our updates involve editing our text-based study modules, creating new flashcards, adding to our bank of exam questions, and other changes designed to make sure our students are always prepared on test day.
In developing our courses, we always strive to structure the content as closely to the BoK as possible. At the same time, however, we deviate from that structure where we believe doing so will help better explain a topic or concept.
You can see how we’ve organized our CIPM course by visiting the Preview Page or the CIPM Preview Page and clicking on the “Table of Contents” button on either page.