Official IAPP CIPT textbooks
5-hour online sessions
Classroom training
CIPT Exam voucher
Exam preparation
1st year IAPP membership
The Certified Information Privacy Technologist (CIPT) is an operational-level qualification for IT and data professionals who require comprehensive knowledge about how to incorporate appropriate privacy controls into information and communications technology. Developed by the International Association of Privacy Professionals (IAPP) in 2014 and refreshed in 2020, the CIPT is the leading privacy-focused IT certification. In obtaining the CIPT, award holders demonstrate a greater understanding of the techniques necessary to ensure privacy measures in technology systems are aligned with compliance regulations such as the GDPR. By enhancing the privacy skills of your IT professionals, your organisation will be equipped with competent privacy technologists who are able to build and implement solutions that mitigate risk and increase productivity.
The inherent advantages of the technology we use every day are often in direct conflict with the right to privacy. While consumers actively entrust organisations with information about themselves, their demands for greater privacy, coupled with strong data protection laws such as the GDPR, mean that privacy is becoming an increasingly dominant issue for IT professionals.
As technology advances, so too does the need to collect, process, and transfer higher volumes of personal information. Unfortunately, weak systems with poor privacy controls inevitably lead to data assets being at risk of a breach, which leaves organisations vulnerable to significant fines and damage to their reputation.
Unlike most IT certifications, which only include minimal information about privacy technology policies and implementation, IAPP developed the Certified Information Privacy Technologist (CIPT) programme to provide in-depth knowledge about emerging tools and technologies for this rapidly expanding field.
Those attending the CIPT will develop a general understanding of the data lifecycle, privacy risk models and frameworks, the principles of Privacy by Design, along with the fundamentals of privacy-related technology and their role within the organisation. The CIPT also evaluates the threat landscape and the privacy-enhancing strategies, techniques and technologies that are used to mitigate risks.
CIPT award holders will acquire the necessary skills and knowledge to protect their organisation's personal data assets at every stage of the data lifecycle using the latest privacy engineering techniques.
The course is delivered online for convenience and for the significant environmental and sustainability benefits it offers. Delegates can gain a recognised operational-level workplace qualification at home or from their desk by attending three consecutive 5-hour live online sessions. This accredited IAPP course prepares participants for the 150-minute multiple-choice IAPP Exam.
IAPP Certified Information Privacy Technologists (CIPT) will learn:
Organisations that employ IT professionals who hold the CIPT are more able to implement the strategies, policies, processes, and techniques required to manage cybersecurity risks while enabling reasonable personal data use for business purposes.
For the second year running, Freevacy has been shortlisted in the Best Educator category at the PICCASO Privacy Awards. The awards were established to recognise the people making an outstanding contribution to this dynamic and fast-growing sector. The Best Educator award will go to a professor, lecturer, teacher, or training provider who leads by example to inspire and motivate the next generation of privacy professionals.
Who should attend the Certified Information Privacy Technologist?
The IAPP have mapped the skills and competencies gained on the CIPT programme to the above roles and more:
Due to its singular focus on privacy technology, the CIPT is complementary to other recognised industry IT qualifications, including those offered by ISC2, ISACA, Microsoft, Cisco, CompTIA, GIAC, EC-Council, ITIL IT Service Management, PRINCE2 and the Project Management Institute.
This accredited CIPT training course is delivered online over 3 consecutive morning sessions (or 2 full days when provided in-company).
The IAPP ensures the CIPT Body of Knowledge (BoK) is always relevant and up to date through consultation with its global community of information privacy practitioners and lawyers.
The CIPT is certified by the ANSI National Accreditation Board (ANAB) under ISO 17024:2012.
The following is extracted from the CIPT BoK version 3.2.0:
Module 1: Foundational Principles
General Understanding of Privacy Risk Models and Frameworks and their Roles in Laws and Guidance:
• Fair Information Practice Principles (FIPPs) and OECD Principles
• Privacy frameworks (e.g., NIST/NICE, ISO/IEC 27701 and BS 10012 Privacy Information Management System (PIMS))
• Nissenbaum’s Contextual Integrity
• Calo’s Harms Dimensions
• FAIR (Factor Analysis in Information Risk)
General Understanding of Privacy by Design Principles:
• Full Life Cycle Protection
• Embedded into Design
• Full Functionality
• Visibility and Transparency
• Proactive not Reactive
• Privacy by Default
• Respect for Users
General Understanding of Privacy-related Technology Fundamentals:
• Risk concepts (e.g., threats, vulnerability)
• Data/security incidents vs. personal data/privacy breaches
• Privacy and security practices within an organisation
• Understanding how technology supports information governance in an organisation
• External Data Protection and Privacy notices
• Internal Data Protection and Privacy guidelines, policies and procedures
• Third-party contracts and agreements
• Data inventories, classification and records of processing
• Enterprise architecture and data flows, including cross-border transfers
• Data Protection and Privacy impact assessments (DPIA/PIAs)
• Privacy-related Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)
General Understanding of the Data Life Cycle:
• Collection
• Use
• Disclosure
• Transfer
• Retention
• Destruction
Module 2: Privacy technologist’s role in the organisation
General responsibilities:
• Understanding various roles within the privacy team (e.g., DPO, CPO, legal compliance, security)
• Implementing industry Privacy Standards and Frameworks
• Translating legal and regulatory requirements into practical technical and/or operational solutions
• Consulting on internal privacy notices and external privacy policies
• Consulting on contractual and regulatory requirements
Technical Responsibilities:
• Advising on technology elements of privacy and security practices
• Advising on the privacy implications of new and emerging technologies
• Implementing privacy and security technical measures
• Implementing and developing privacy-enhancing technologies and tools
• Advising on the effective selection and implementation during the acquisition of privacy-impacting products
• Advising on privacy by design and data protection impact assessments in systems development
• Handling individuals’ rights requests (e.g., access, deletion)
• Supporting records of processing activities (RoPA), automation of inventory and data flow mapping
• Reviewing security incidents/investigations and advising on breach notification
• Performing and supporting IT privacy oversights and audits, including 3rd party assessment
• Developing, compiling and reporting Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)
Part 3: Privacy Risks, Threats and Violations
Data Ethics:
• Legal versus Ethical (e.g., when working with countries that lack privacy laws)
• Moral issues (e.g., accessing personal information through illegal means and using it for personal advantage)
• Societal issues (e.g., manipulating societal conversations and attitudes on controversial topics)
• Bias/discrimination (e.g., incorporating personal preference into data decisions)
During Data Collection:
• Asking individuals to reveal personal information
• Tracking and surveillance (e.g., geo-tagging, geo-social patterns)
• Lack of informed consent
• Automatic collection
• Inaccuracies
• Extracting from publicly available sources
• Jurisdictional implications (e.g., localisation, government access)
During Data Use:
• Insecurity
• Identification and re-identification
• Aggregation
• Secondary Use
• Exclusion
• Profiling
During Data Dissemination:
• Disclosure
• Distortion
• Exposure
• Breach of Confidentiality (personal data breaches)
• Increased accessibility
• Blackmail
• Appropriation
Intrusion, Decisional Interference and Self-Representation:
• Behavioral advertising
• Cyberbullying
• Social engineering
• Blackmail
• Dark patterns
Software Security:
• Vulnerability management
• Intrusion detection and prevention
• Change management (e.g., patches, upgrades)
• Open-source vs Closed-source
• Possible violations by service providers
Part 4: Privacy-Enhancing Strategies, Techniques and Technologies
Data-Oriented Strategies:
• Separate
• Minimise
• Abstract
• Hide
Process-Oriented Strategies:
• Informing the Individual
• User Control
• Policy and Process Enforcement
• Demonstrate Compliance
Techniques:
• Aggregation
• De-identification
• Anonymisation
• Pseudonymisation
• Encryption
• Identity and access management
• Authentication
• Technology implications of Privacy Regulations and Techniques needed for:
  - Processing/verification of Individual Rights Request (IRR)
  - Ability for record processing activities related to customer data
  - Notice and Consent; obligations management
  - Retention Requirements
  - Privacy Incident Reporting
Part 5: Privacy Engineering
The Privacy Engineering role in the organisation:
• Effective Implementation
• Technological Controls
• Protecting Privacy during the Development Lifecycle
Privacy Engineering Objectives:
• Predictability
• Manageability
• Disassociability
Privacy Design Patterns:
• Design patterns to emulate
• Dark patterns to avoid
Privacy Risks in Software:
• Controls and countermeasures
Part 6: Privacy by Design Methodology
The Privacy by Design Process:
• Goal Setting
• Documenting Requirements
• Understanding quality attributes
• Identify information needs
• Privacy risk assessment and analysis
• High-level design
• Low-level design and implementation
• Impose controls
  - Architect
  - Secure
  - Supervise
  - Balance
• Testing and validation
Privacy Interfaces and User Experience:
• Design Effects on User Behaviour
• UX Design and Usability of privacy-related functions
• Privacy Notices, Setting and Consent Management
• Usability Testing
Value Sensitive Design:
• How Design Affects Users
• Strategies for Skillful Practice
Ongoing Vigilance:
• Privacy audits and IT control reviews
• Code reviews
• Code audits
• Runtime behavior monitoring
• Software evolution
• Data cleansing in production and non-production environments
Part 7: Evolving or Emerging Technologies in Privacy
Robotics and the Internet of Things (IoT):
• Mobile phones
• Wearable devices
• Edge Computing
• Smart homes and cities (e.g., CCTV and tracking/surveillance)
• Robots
• Drones
Internet/eCommerce:
• Adtech
• Cookies and other web-tracking technologies
• Alerts and notifications
• Location tracking
• Chatbots
• Online/mobile payments
Biometrics:
• Facial recognition
• Speech recognition
• Fingerprint ID
• Behavioral profiling
Corporate IT Services:
• Shared Data centers
• Cloud-based infrastructure
• Third-party vendor IT solutions
• Remote working
• Video calls and conferencing
Advanced Computing:
• Data Management and Analytics
• Artificial Intelligence
• Quantum computing
• Blockchain
• Cryptocurrencies
• Non-fungible tokens (NFTs)
• Machine and Deep Learning
Social Networks:
• Social media
• Messaging and video calling
• Virtual/Augmented reality
Once the training aspect of your CIPT course is complete, our trainers make themselves available throughout the self-study period leading up to the exam. We achieve this through email exchanges, one-to-one coaching sessions, and group online exam preparation days.
The topics covered in this CIPT exam preparation session include:
Following the examination prep day, the instructor will offer guidance for further study areas.
IAPP exams have gained a reputation for being difficult to pass. Both Freevacy and the IAPP strongly recommend careful preparation, even for experienced professionals.
The following information about the CIPT examination is an extract from documentation provided to delegates by the IAPP. For the full details, please review the IAPP Privacy Certification Candidate Handbook 2023 and the CIPT Examination Blueprint.
IAPP certification programs are designed to differentiate between candidates who do and who do not possess the knowledge required to be considered minimally qualified privacy professionals. All questions are multiple choice with some relating to scenarios. Each question has only one correct answer. Each item (question) consists of a clearly written question (stem), a correct or best response (key) that should be apparent to minimally qualified candidates and three incorrect responses (distractors) that will be plausible to not-minimally qualified candidates. Note that it is each candidate’s responsibility to be prepared for exams by being familiar with all elements of the Bodies of Knowledge.
Candidates are advised to read each question carefully. The stem may be in the form of a question or an incomplete statement. An exam question may require the candidate to choose the most appropriate answer based on a qualifier, such as MOST likely or BEST.
Total number of questions | 90 |
Scored questions | 75 |
Exam duration | 2 hours 30 minutes |
Passing score | 300 out of 500 |
On all IAPP certification exams, each item has equal value and is scored as correct or incorrect. Unanswered items are considered incorrect, and there is no additional penalty for incorrect answers.
It is the policy of the IAPP to provide testing accommodations to candidates with qualifying disabilities to ensure each candidate a comparable opportunity for success on exams. We require 30 days' notice in order to arrange special accommodations. Please do not schedule an exam until the IAPP approves your request. After exam purchase, submit your request and supporting documentation using the forms provided on the IAPP website.
All IAPP examinations are administered in English.
Get this IAPP Certified Information Privacy Technologist (CIPT) training course:
£1,750+VAT