CIPP/E Advice

TightTeeShirt

LAWYER2 said:

I haven't taken the CIPP/E but have been preparing for the US, sitting next week. I've been playing close attention to the Exam Blueprint and trying NOT to devote to many mental resourcs on areas that won't carry much weight. To me, it's akin to extensively studying the 'Rule against Perpetutities' in property law for those who sat for the bar exam. Just not worth the effort to devote the extra mental resources to something unlikely to be tested heavily. 

This is exactly how you should be doing it too. I had a rough week of being sick so I didn't get that "final week of intense review" like i wanted. However, the section i spent the majority of my "relaxed passive study" on was Section 2 of the exam because according to the Exam BluePrint that is where the majority of the questions came from, and it saved my butt tremendously.

The one caveat I would add to that is that I noticed the exam was very much linear to the exam blueprint. That is to say, I was expecting a mixed bag of questions to come from any topic at any time but that was not the case. The questions seemed to come in order of the topics listed on the exam blueprint. Since i only passively studied for the first Secrtion (low weight), I started the exam off with a lot of uncertainty and that's a really shitty feeling. So I would offset that somehow by giving a tad more effort in the front end

PTnomad

Congrats @TightTeeShirt the best skin of teeth story I've heard!

ipiyali

advice needed on the portion relating to Member State Guidance and derogation...Did you all study those too...It is all relating to various in-state GDPR developements adopted individually...is it relevant for the CIPP/E exam

TightTeeShirt

TightTeeShirt said:

gdprstudent said:

How did you find the CIPT? I was thinking of doing this to get the hat trick but haven’t seen huge demand on the jobs boards for this certification (whereas CIPP/e and CIPM is mentioned quite often whenever roles are advertised).

From a privacy standpoint it will teach you nothing more than the CIPP/E exam (obviously)

From a tech standpoint, I found it profoundly rudimentary, and lacking any useful depth. I suppose it'd impress somebody though if it helps you achieve IAPP's "FIP" stamp *shoulder shrug*

So it appears IAPP is hawking this thread and completely revamped the CIPT (jk i only psedo believe they'd follow these forums)

Anyways, I received an email that the current exams and stuff would be in place through the end of the year but starting January 2020 they're adding 50% New Topic Content. This is pretty huge when you consider their update to the CIPP/E only added 10% new content, but to be completely honest the CIPT was in desperate need of this update because as a Cyber Security Professional with 7+ years experience, i found the existing CIPT information all but useless.

That said, the new sections definitely appear to have some genuine value that I will be interested in reading up on. From what I'm seeing on the new exam blueprint they're:

Privacy Threats and Violations

During Data Collection

During Use

During Dissemination

Intrusion, Decisional Interference and Self Representation

Software Security

Technical Measures and Privacy Enhancing Technologies
Data Oriented Strategies
Techniques
Process Oriented Strategies

TightTeeShirt

ipiyali said:

advice needed on the portion relating to Member State Guidance and derogation...Did you all study those too...It is all relating to various in-state GDPR developements adopted individually...is it relevant for the CIPP/E exam

I personally did not see any Member State specific laws on the exams. General "derogations" that apply to International Data Transfer laws yes. Derogations are mentioned in the Exam Blueprint, specific Member State laws are not.  My advice: If it is on the exam blueprint, study it as deeply as possible if it is not on the exam blueprint then I wouldn't bother.

arana

Hi, I’m so thankful for this thread! I’m giving the CIPP E this year, and was planning on just winging it by reading whatever I could, before I came across this thread and realise it’s apparently a tough exam lol. I’m giving it in September, but am concerned about updates to the course blueprint. Does anyone know when we will have more information, and if I should I wait for new version of the book, more clarity to come in, before I sit for the exam in September? So far people have relied on sources like WP29, the book but wont this be outdated with the new changes ? 

LAWYER2

I'm not entirely sure about the CIPP/E but I know they IAPP specifically states the exam will change after Sept 1 for the US version. I would just give them a call and inquire. They've been pretty helpful whenever I called. Emailing will take days to get a response though. I'm sitting for the US version next week and decided to do it before the end of the August for this very reason. 

TightTeeShirt

arana said:

Hi, I’m so thankful for this thread! I’m giving the CIPP E this year, and was planning on just winging it by reading whatever I could, before I came across this thread and realise it’s apparently a tough exam lol. 

I would love to get the pass/fail data on those who take the exam after one of those weekend bootcamps. 

My assumption is that they would be great for IT Managers that have no idea about GDPR and want to get a thorough briefing and run down of what is in scope, what to implement, and what to ignore. However, based on the amount of studying i put in to barely pass I don't think there's anyway in hell one could pass off an IAPP conference bootcamp alone.

gdprstudent

Great news that CIPT is being revised. Maybe CIPM will go through a similar revision too? On another note I have to say that even though I have both CIPP/e and CIPM (as well as CISMP and prince2), it is really tough to find work in the field of data protection/privacy/information security. IAPP claim that the arrival of the GDPR will create the need for 75k DPO’s and encourage people to take their courses but I’m starting to have doubts... anyone else with similar experience?

LAWYER2

gdprstudent said:

Great news that CIPT is being revised. Maybe CIPM will go through a similar revision too? On another note I have to say that even though I have both CIPP/e and CIPM (as well as CISMP and prince2), it is really tough to find work in the field of data protection/privacy/information security. IAPP claim that the arrival of the GDPR will create the need for 75k DPO’s and encourage people to take their courses but I’m starting to have doubts... anyone else with similar experience?

Are you in the US? Seems like DP jobs are burgeoning, or it could be that I mostly focus on DP Atty gigs. 

gdprstudent

I’m in the UK. Apparently GDPR roles are more suited to lawyers rather than those who have the IAPP qualifications and a little experience in actual data protection.

LAWYER2

Aw I see. Have you looked at business/data analyst roles? I work for a large bank who's data privacy intitiates consists of many, many analyst. Oftentimes, these DP jobs aren't really titled as data privacy professinals. 

gdprstudent

Yes where there have been relevant vacancies I’ve applied and I always follow up to speak to the recruiter - when they actually pick up the phone(!). Usually recruiters don’t reply back or they come out with the usual “lack experience compared to others we’ve seen.” One even said that they’d found someone with 5yrs GDPR experience for a role advertised last year.

LAWYER2

I feel you. I know it can be frustrating. I was in a similar boat trying to "break into" the industry until I began holding myself out there as a "subject matter expert" on LinkedIn. Since then, I've had recruiters reach out to me. If you aren't already, I'd highly reccomend utilizing LI as much as possible. There are recruiters specifically dedicated to data privacy. Look up www.lawrenceharvey.com I recently connected with a couple didfferent DP recruiters based in the UK

vjvj

I couldn't make it 75/65/58. Couldn't give time for scenario  based questions on thorough understanding. In my view one should complete straight forward questions first  within 30 mins and flag scenario based questions do it later. My preparation was 10days reading of cipp e book . Only one question on article number so may be remembering article numbers is not imp. Don't spend much to me on dates of history. One question on ICO . Plan to retake.

AlwaysStudying

gdprstudent said:

Yes where there have been relevant vacancies I’ve applied and I always follow up to speak to the recruiter - when they actually pick up the phone(!). Usually recruiters don’t reply back or they come out with the usual “lack experience compared to others we’ve seen.” One even said that they’d found someone with 5yrs GDPR experience for a role advertised last year.

Interesting.....UK perspective
I spoke to a recruiter, I lost out on a contract because recruiter said chap client picked had 5 years GDPR experience..  
I got another very good paying contract at a bank, implementing the GDPR, I think Lawyers\legal department definetly have a place, i.e. drawing up and challenging vendor contracts, legal basis per processing tasks, however, how many lawyers can (and want to) do data inventory, mapping, design DSAR logs, etc.
I've been looking for my next GDPR\DPA2018 contract since February, agents tell me on average they recieve 200-300 applications per role, whose going look through all of those?
What is required over here is more fines by the ICO and clarity over the Brexit nonsense.
Oh....and recruiters returning calls or answering the phone...

LAWYER2

AlwaysStudying said:

gdprstudent said:

Yes where there have been relevant vacancies I’ve applied and I always follow up to speak to the recruiter - when they actually pick up the phone(!). Usually recruiters don’t reply back or they come out with the usual “lack experience compared to others we’ve seen.” One even said that they’d found someone with 5yrs GDPR experience for a role advertised last year.

Interesting.....UK perspective
I spoke to a recruiter, I lost out on a contract because recruiter said chap client picked had 5 years GDPR experience..  
I got another very good paying contract at a bank, implementing the GDPR, I think Lawyers\legal department definetly have a place, i.e. drawing up and challenging vendor contracts, legal basis per processing tasks, however, how many lawyers can (and want to) do data inventory, mapping, design DSAR logs, etc.
I've been looking for my next GDPR\DPA2018 contract since February, agents tell me on average they recieve 200-300 applications per role, whose going look through all of those?
What is required over here is more fines by the ICO and clarity over the Brexit nonsense.
Oh....and recruiters returning calls or answering the phone...

I definitely agree. The Data inventorying, mapping, definitions etc tasks,I see the other analyst workig on, I have no desire, nor clue how to do what they're doing. The DP space is definitely multi-disciplined.

Campbell

arana said:

Hi, I’m so thankful for this thread! I’m giving the CIPP E this year, and was planning on just winging it by reading whatever I could, before I came across this thread and realise it’s apparently a tough exam lol. I’m giving it in September, but am concerned about updates to the course blueprint. Does anyone know when we will have more information, and if I should I wait for new version of the book, more clarity to come in, before I sit for the exam in September? So far people have relied on sources like WP29, the book but wont this be outdated with the new changes ? 

Maybe this is useful: cipptraining.com/cipp-e-and-cipp-us-annual-update-september-1-2019/

humaiz

Hi, I have been reading all the comments here, and it has been very useful to gauge on what i could expect from the exam.

I am a young infosec consultant. I'm from Sri Lanka so GDPR isn't much impacting here except for some of the companies. However, in another 2 years SL also will be publishing a Data Protection Act which is going to be a major turnover for all the companies. So to prepare I was thinking of doing a CIPP certification.

If anyone could help me out on how much the whole thing would cost, could greatly help with my plans. As far as i know, the book costs $75 (would electronic or physical be better?) and the exam $500. I would like to know is any other cost, like should iapp membership mandatory to be taken before - and how much, is there any yearly payment to be paid etc.

arana

can anyone pls tell me if it’s necessary to read and be familiar with the Directives - of April 27 for processing of new personal data for crimes , and PNR? On the website they precede the GDPR directive. 

arana

Sorry about the multiple posts, and I've started preparing and noted that in addition to the GDPR, there are various directives / conventions mentioned in the course material. While I plan to read the book after the GDPR text, can anyone guide me on where I can access all the additional legislative material required to prepare for this exam? Is there some place where all of it is listed, as its a nightmare to collect them individually, and I'm conscious of whether I've missed any. 

Some of them seem to be repealed - so is it enough to rely on the book or should I go through all this additional material as well? I'm finding it challenging to collate the relevant material, hence any leads on best sources where collated links are available would be most helpful. I'm already a lawyer working in this space, so do have background info, but the level of prep done my others has made me rethink my studying strategy so being extra careful. 

Matthaios55555

Canyon said:

Passed CIPP/E last week. Didn't take the training course. Bought the book and the sample exam questions online. I feel the exam is difficult and the sample exam questions are not representative of the questions in the actual exam.

My advice for what it is worth:

1. Prepare a flow chart or diagram that outlines the GDPR decision making process. The flow chart needs to be something that you can sketch out, in a few minutes, from memory, on the scrap paper they give you in the exam. This flow chart is going to be the basis for at least 50% of the questions and will help you think through the steps clearly when faced with the long, and deliberately confusing, fact patterns.

(Having some typed notes on each article of the regulation is like having an engine in a million parts, whereas a flowchart is a working engine. I had the misfortune of trying to put the engine together in the middle of the exam - which made the exam much more difficult than it needed to be.)

2. Learn the GDPR article numbers (1-50). Many questions reference the article number only and then ask a question such as "in light of what it states in article X" pick the best answer below. 

3. Read the questions very carefully - especially the short ones where it is just one sentence. I caught myself picking the wrong answer a few times as I had misread a word. 

4. Focus in greater depth on the subject areas that have the most questions - as detailed on the exam blueprint. Some subject areas have 13 questions whereas others have 3. Don't give each subject area equal study time. 

5. The UK ICO is a great source of information on GDPR and has good examples of how the Regulation applies to real life fact patterns.

What kind of Flow Chart regarding the decision making process? Please explain. Is there a specific procedure before making any decisions? 

Matthaios55555

Thank you everybody for the helpful pieces of advice and for devoting some of your time in giving us valuable guidelines. I have some further questions to ask regarding the reading material and the exam itself. I would really appreciate your feedback: 

1. Legislative Framework (Domain 1): do we need to learn by hard the old legislation provisions and what they have introduced in detail? Or generally their impact and their implementation purpose? 

2. European Union Institutions: What kind of questions are for this section? Regarding their powers? their role? and composition? Do we need to get technical and know by hard for example the three procedures may apply to the legislative process of the Parliament? (ordinary, consultation and consent?) I assume not, since there is only 1 question, therefore only basic info will be requested. 

3. I do not know where to give emphasis and how much time should I dedicate on parts that have 1-3 questions only. Do the questions of such parts tend to get into detail? For example only two questions will be asked about Legislative Framework (Domain 1). Do I have to go deep and learn for example wath is mere conduit or hosting or caching under Directive 200/31/EC? Or just know what they mean as an idea? 

4. Domain 2: European Data Protection Law and Regulation: Point G: Security of Personal Data -> data sharing. I cannot find any material regarding this. Also they declare that there will be 8 whole questions in the exam. It seems too much for this section. What kind of questions? Maybe about breach and notifications? 

5. Are controllers accountable for their processors, and if yes, to what extent? Does the same applies to the relationship between processors and sub-processors? I have read that controllers are the only ones to be careful about processing lawful bases and principles. Other than that? 

6. In the Book I cannot find any info regarding the European Data Protection Supervisor except from the fact that it is one of the components of the EDPB. 

7. The same applies for data subject compensation. 

Thanks! 

TightTeeShirt

1. Matthaios55555 said:

1. I do not know where to give emphasis and how much time should I dedicate on parts that have 1-3 questions only. Do the questions of such parts tend to get into detail? For example only two questions will be asked about Legislative Framework (Domain 1). Do I have to go deep and learn for example wath is mere conduit or hosting or caching under Directive 200/31/EC? Or just know what they mean as an idea? 

2. Are controllers accountable for their processors, and if yes, to what extent? Does the same applies to the relationship between processors and sub-processors? I have read that controllers are the only ones to be careful about processing lawful bases and principles. Other than that? 

Thanks! 

Not intending to flame you my friend, but I would focus on knowing the material. "I do not know on how much time i should dedicate with 1 to 3 questions only". Just because there are few questions for a topic doesn't mean the question is any easier than the others. It just means there's less of them

"Are controllers accountable for processors, if yes, to what extent". This question was a bit triggering. This information is given not only in the IAPP course videos, but also the book, and then yet again in the WP guidelines for this question.

I encourage you to review the Exam Blueprint (https://iapp.org/media/pdf/certification/CIPP_E_EBP_2.1.0.pdf) look at all the individual topics identified there and get as absolutely familiar with them as you can. If you don't fully understand the concepts the Scenarios are going to be your undoing. I just don't want you to fall victim to being one of those guys that spends all his time "studying how to study" and then never actually studies the material.

Lastly I think as of September 1st IAPP is changing 10% of the CIPP/E exam so i would check on that first. Cheers

Matthaios55555

TightTeeShirt said:

1. Matthaios55555 said:

1. I do not know where to give emphasis and how much time should I dedicate on parts that have 1-3 questions only. Do the questions of such parts tend to get into detail? For example only two questions will be asked about Legislative Framework (Domain 1). Do I have to go deep and learn for example wath is mere conduit or hosting or caching under Directive 200/31/EC? Or just know what they mean as an idea? 

2. Are controllers accountable for their processors, and if yes, to what extent? Does the same applies to the relationship between processors and sub-processors? I have read that controllers are the only ones to be careful about processing lawful bases and principles. Other than that? 

Thanks! 

Not intending to flame you my friend, but I would focus on knowing the material. "I do not know on how much time i should dedicate with 1 to 3 questions only". Just because there are few questions for a topic doesn't mean the question is any easier than the others. It just means there's less of them

"Are controllers accountable for processors, if yes, to what extent". This question was a bit triggering. This information is given not only in the IAPP course videos, but also the book, and then yet again in the WP guidelines for this question.

I encourage you to review the Exam Blueprint  look at all the individual topics identified there and get as absolutely familiar with them as you can. If you don't fully understand the concepts the Scenarios are going to be your undoing. I just don't want you to fall victim to being one of those guys that spends all his time "studying how to study" and then never actually studies the material.

Lastly I think as of September 1st IAPP is changing 10% of the CIPP/E exam so i would check on that first. Cheers

thank you for your comments, which are duly noted

I have read the book multiple times, consulted the outlines posted in this blog and made my own summary notes. Do not worry I am not one of those guys. :-) The reason I was asking is that I don't know what to learn by hard and what to know as a general conception. Knowing in detail the three Parliament processes is a little far-fetched for me, given the high volume of the reading material. That's why I was asking. I have already passed the EXIN exams on GDPR partitioning and details like these were not requested. 

Thank you for the link, I have already studied the blueprint and based my notes on it. I have also been informed about the new 10% material and I have studied the recommended articles. 

What other pieces of advice can you give me from your experience. I have read your post and how your exam day was. 67/67/67 - thats precise hehe 

DPO_London

Hey Team - 

I passed the CIPP/E today with a 400 (89/83/83) and could not have done it without this thread. 

Here's what I did (they are all A MUST): 

1. Read the textbook once but took notes. 
Trying to link the notes (says I haven't been around long enough to post links): drive dot google dot com/file/d/1V75vFax4zBpzdu2zGEBHIeu42wlN0_yJ/view
Credit to soltiske for these!! I started reading with their notes and edited (heavily). 
2. Read the GDPR - Needs to be almost memorised by the end of the study time. Every exception to every right. Every length of time mentioned. Exact definitions. Even into articles 83+.  
3. Read the WP29 opinions (no notes) on Consent, Profiling, Legitimate Interest, Transparency, and Breach Notification (should be listed as required reading as they are literally referenced in the test)
4. Three quizlets: quizlet dot com/305337775/cippe-flash-cards/; quizlet dot com/418215096/cippe-iapp-practice-questions-flash-cards/; quizlet dot com/416186258/cipp-e-flash-cards/ 
5. Answered the practice questions/test from IAPP and read their explanations. Not as useless as some claim; but yes not as hard as the real test. I got 2 wrong when I did that. One of the quizlets has those questions built in but no explanations. 
6. Had to watch this playlist and several others to understand the terribly-named EU institutions: youtube dot com/playlist?list=PLqNq8AGWK_cmguZHPRMxrO-leUD5H-Dsr

Test impressions -
As others said - slightly poorly written with subjective questions or requests for minute details.  Several questions about who can sue, how they can sue, what damages they could receive. Don't recall that in the book. Questions about the OECD (barely mentioned in book). Yes, scenarios have a ton of extraneous info. Reading the questions beforehand helps slightly. Reviewing all questions again helped as sometimes later questions enlightened previous answer choices. Spent 2 hours on the test and then ~25 min reviewing answers. 

OK that's all I can think of for now. Good luck, friends.

arana

Thanks so much for this DPO and congrats on passing !! Your tips are super helpful as they give much needed clarity on exactly what needs to be studied - could you pls let me know in terms of actual legislation, other than the GDPR, which other law / directive / guidelines should be read for this test? There are so many of them, and I’m confused if memorising GDPR as mentioned by you and many other posters is sufficient ? My question is specific to legislation only. Would be v helpful for me to know 

privacyconsultant

Hi All, I am taking the CIPP/E this week, was just wondering how difficult are questions based on the scenarios? 

I ve gone through the online course, the book, the DPO handbook, GDPR and WP Art 29. Hope these will be enough to pass it! 

newatthis

Best advice I can give, having taken the exam twice, is to know the book, GDPR, WP29, and look for the opinions. I wrote a post on this in about April/May outlining the sources I used to finally pass, including where I found these opinions. The opinions do a great job of bringing the regulations to life and bits of wisdom I found there were very big help for the exam questions. There is some luck of the draw in terms of which questions you get as they have many questions in the question bank with varying degrees of quality. Some of them don't make any sense, but I didn't see those ones in my second attempt (and if I had gotten one of them right I wouldn't have needed a second attempt!).

The only needed legislation was GDPR (in terms of going and finding it and reading it), but absolutely anything in the book is fair game for the exam, including prior legislation. Take that literally. The smallest bit that doesn't seem significant in the book could very well be part of a question.

DPO_London

arana said:

Thanks so much for this DPO and congrats on passing !! Your tips are super helpful as they give much needed clarity on exactly what needs to be studied - could you pls let me know in terms of actual legislation, other than the GDPR, which other law / directive / guidelines should be read for this test? There are so many of them, and I’m confused if memorising GDPR as mentioned by you and many other posters is sufficient ? My question is specific to legislation only. Would be v helpful for me to know 

No need to actually read the text of other legislation. Info from the textbook will be enough usually to pass, I think. However, my test had two questions referencing the OECD guidelines and there wasn't enough of that in the book so.. Possibly the fringe subjects like LEPD and OECD guidelines could be good to get more info about.. Still don't think you have to read the legislation text though.