GDPR TRAINING

IAPP Certified Information Privacy Manager (CIPM)

Become a leader in data protection operations management with this advanced
companion programme for law-based DP professional certifications from IAPP

Course Features

Official IAPP CIPM textbooks

4-hour online sessions

Live, interactive Instructor-led training

Unlimited 1-2-1 coaching

Exam preparation

CIPM exam voucher

1st year IAPP membership

Course Overview

The Certified Information Privacy Manager (CIPM) is the first and only qualification in data protection operations management. Developed by the IAPP in 2013, the CIPM is the perfect companion to the IAPP Certified Information Privacy Professional Europe (CIPP/E) and the BCS Practitioner Certificate in Data Protection. Holders of the CIPM award develop an understanding of the capabilities required to implement, maintain and manage a compliant data protection programme through every stage of its lifecycle. 

In this context, the CIPM is an essential professional qualification for industry practitioners already trained in data protection law. Unlike legal-based data protection training courses, the CIPM covers the practical implementation and management of data protection operations, making it an ideal qualification for data protection officers (DPOs) and other senior compliance professionals tasked with developing an organisation-wide culture of privacy and UK or EU General Data Protection Regulation (GDPR) compliance.

The CIPM syllabus (body of knowledge) consists of six distinct domains and requires attendees to evaluate privacy management throughout the operational lifecycle: 

  • Domain 1 - Developing a privacy programme framework: Addresses how to implement a privacy framework that defines the programme's scope and aligns it with the organisation's objectives. Delegates will also learn how to communicate the organisation's vision to ensure that everyone involved works towards maintaining the highest standards of privacy and security.
  • Domain 2 - Establishing privacy programme governance: Focuses on the need to create clear policies and processes, define roles and responsibilities, conduct training and awareness campaigns, and set up privacy metrics in order to monitor progress and ensure accountability across multiple jurisdictions.
  • Domain 3 - Assessing Data: Deals with the operational lifecycle of data governance, including how to conduct data flow mapping and systems integrations. Delegates will learn about evaluating the risks associated with sharing or transferring data across borders with processors and third-party vendors, as well as how to assess physical, environmental and technical controls to ensure that data is handled in a secure and responsible manner.
  • Domain 4 - Protecting Personal Data: Addresses how to apply information security best practices, policies, controls and measures in order to mitigate risk. Attendees will also learn about integrating the principles of Privacy by Design and how to collaborate with technical teams around data minimisation and implementation of privacy-enhancing technologies (PETs).
  • Domain 5 - Sustaining Programme Performance: Examines the need for metrics to measure privacy programme performance, maturity and the reduction in privacy events compared with cultural awareness initiatives and other business indicators. Attendees will discover why and how to maintain ongoing compliance through regular audits and continuous assessments, including Data Protection Impact Assessments (DPIAs), Transfer Impact Assessments (TIAs), and Legitimate Interest Assessments (LIAs) in order to identify gaps or deficiencies in the privacy programme and take corrective measures to address them. 
  • Domain 6 - Responding to Requests and Incidents: Considers the importance of transparency and accountability in upholding information rights, along with the need to implement robust security incident response handling procedures.

To successfully implement and maintain a legally compliant GDPR programme, it is important to have the right skills. CIPM holders have the ability to interpret data protection laws and create policies and procedures that organisations can use to establish practical and effective practices. Furthermore, by obtaining the CIPM certification, practitioners can significantly improve their career prospects and lifetime earnings as award holders join an elite group of highly decorated, globally recognised data protection professionals.

This IAPP-accredited CIPM course is delivered online, although onsite and online in-company options are also available. Delegates can gain a recognised practitioner-level workplace qualification at home or from their desk by attending four consecutive 4-hour live online sessions across one week. This IAPP course prepares participants for the 150-minute multiple-choice IAPP Exam.

Course Costs

Attend the IAPP Certified Information Privacy Manager (CIPM) training course:

£1,495.00 + VAT

  • 10% discount for subscribing to our PrivacyNewsfeed & Training Announcement Newsletters
  • Book a second IAPP course and save up to £650.00 + VAT - contact us for more information.
  • In-company options available for teams of 6 or more

IAPP training package includes:

  • 4 x 4-hour live online sessions across 4 days, or
  • 2 days for a traditional classroom setting
  • Authorised IAPP instructors
  • IAPP CIPM examination voucher
  • 1-2-1 coaching and support
  • 1st-year IAPP professional membership

Course materials:

Intended Audience

The IAPP Certified Information Privacy Manager (CIPM) is suitable for those individuals with the following roles or responsibilities:

  • Data Protection Officers (DPOs)
  • Chief Privacy Officer (CPO)
  • Data protection practitioners
  • Information governance managers
  • Governance, Risk and Compliance (GRC) professionals
  • Information security, IT security and IT professionals
  • AI governance professionals
  • Data governance professionals
  • Solicitors advising on information law
  • Project management

Learning Outcomes

By obtaining the IAPP CIPM, individuals will learn how to:

  • Implement a data protection operations programme
  • Structure data protection teams and operations
  • Evaluate and implement privacy frameworks
  • Establish governance processes, policies, roles, and responsibilities
  • Identify and assess risks throughout the data operational lifecycle
  • Mitigate data sharing and international data transfer risks with processors and third-party vendors
  • Apply information security best practices, policies, controls and measures
  • Implement the principles of Privacy by Design
  • Conduct data protection training and cultural awareness campaigns
  • Measure and benchmark data protection operations maturity
  • Maintain compliance through regular audits and continuous assessments, including DPIAs, TIAs, and LIAs
  • Communicate organisational vision with stakeholders
  • Understand the importance of transparency and accountability

IAPP CIPM Body of Knowledge

This accredited CIPM training course is delivered online over 4 consecutive morning sessions (or 2 full days when provided in-company). 

The IAPP developed its CIPM Body of Knowledge (BoK) around the skills practitioners will be assessed on during the certification exam. The latest BoK presents the content as a series of competencies and performance indicators. The IAPP ensures its CIPM BoK is always relevant and up to date through consultation with its global community of information privacy practitioners and lawyers.

CIPM is accredited by the ANSI National Accreditation Board (ANAB) under ISO/IEC 17024:2012.

The following is extracted from the CIPM BoK Version 4.0: 

Each domain is listed with its competencies; the performance indicators for each competency appear beneath it.

Domain 1: Developing a privacy programme framework

Define programme scope & develop a privacy strategy:
  • Choose an applicable governance model.
  • Identify the source, types and uses of personal information within the organisation.
  • Structure the privacy team.
  • Identify stakeholders and internal partnerships.

Communicate organisational vision and mission statement:
  • Create awareness of the organisation’s privacy programme internally and externally.
  • Ensure employees have access to policies and procedures and updates relative to their role(s).
  • Adopt privacy programme vocabulary (e.g., incident vs breach).

Domain 2: Establishing privacy programme governance

Create policies and processes to be followed across all stages of the privacy programme life cycle:
  • Establish the organisational model, responsibilities, and reporting structure appropriate to the size of the organisation.
  • Define well-designed policies related to the processing of the organisation’s data holdings, including data sharing, and taking into account both legal and ethical requirements.
  • Identify collection points considering transparency and integrity limitations of collection of data.
  • Create a plan for breach management.
  • Create a plan for complaint handling procedures.

Clarify roles and responsibilities:
  • Define the roles and responsibilities for managing the sharing and disclosure of data for internal and external use.
  • Define roles and responsibilities for breach response by function, including stakeholders and their accountability to regulators, coordinating detection teams (e.g., IT, physical security, HR, investigation teams, vendors) and establishing oversight teams.

Define privacy metrics for oversight and governance:
  • Create metrics per audience and/or identify the intended audience for metrics with clear processes describing the purpose, value and reporting of metrics.
  • Understand the purposes, types and life cycles of audits in evaluating the effectiveness of controls throughout the organisation’s operations, systems and processes.
  • Establish monitoring and enforcement systems to track multiple jurisdictions for changes in privacy law to ensure continuous alignment.

Establish training and awareness activities:
  • Develop targeted employee, management, and contractor training programmes at all stages of the privacy life cycle.
  • Create continuous privacy programme activities (e.g., education and awareness, monitoring internal compliance, programme assurance, including audits and complaint handling procedures).

Domain 3: Privacy Programme Operational Life Cycle - Assessing Data

Document data governance systems:
  • Map data inventories, map data flows, map data life cycle and system integrations.
  • Measure policy compliance against internal and external requirements.
  • Determine the desired state and perform a gap analysis against an accepted standard or law.

Evaluate processors and third-party vendors:
  • Identify risks of insourcing and outsourcing data, including contractual requirements and rules of international data transfers.
  • Carry out assessments at the most appropriate functional level within the organisation (e.g., procurement, internal audit, information security, physical security, data protection authority).

Evaluate physical and environmental controls:
  • Identify operational risks of physical locations (e.g., data centres and offices) and physical controls (e.g., document retention and destruction, media sanitisation and disposal, device forensics and device security).

Evaluate technical controls:
  • Identify operational risks of digital processing (e.g., servers, storage, infrastructure and cloud).
  • Review and set limits on the use of personal data (e.g. role-based access).
  • Review and set limits on records retention.
  • Determine the location of data, including cross-border data flows.

Evaluate risks associated with shared data in mergers, acquisitions, and divestitures:
  • Complete due diligence procedures.
  • Evaluate contractual and data-sharing obligations, including laws, regulations and standards.
  • Conduct risk and control alignment.

Domain 4: Privacy Programme Operational Life Cycle - Protecting Personal Data

Apply information security practices and policies:
  • Classify data to the applicable classification scheme (e.g., public, confidential, restricted).
  • Understand purposes and limitations of different controls.
  • Identify risks and implement applicable access controls.
  • Use appropriate organisational measures to mitigate any residual risk.

Integrate the main principles of Privacy by Design (PbD):
  • Integrate privacy through the System Development Life Cycle (SDLC).
  • Integrate privacy through business processes.

Apply organisational guidelines for data use and ensure technical controls are enforced:
  • Verify that guidelines for secondary uses of data are followed.
  • Verify that administrative safeguards such as vendor and HR policies, procedures and contracts are applied.
  • Ensure applicable employee access controls and data classifications are activated.
  • Collaborate with privacy technologists to enable technical controls for obfuscation, data minimisation, security and other privacy-enhancing technologies (PETs).

Domain 5: Privacy Programme Operational Life Cycle - Sustaining Programme Performance

Use metrics to measure the performance of the privacy programme:
  • Determine appropriate metrics for different objectives and analyse data collected through metrics (e.g., trending, ROI, business resiliency, PMM).
  • Collect metrics to link training and awareness activities to reductions in privacy events and continuously improve the privacy programme based on the metrics collected.

Audit the privacy programme:
  • Understand the types, purposes, and life cycles of audits in evaluating the effectiveness of controls throughout the organisation’s operations, systems and processes.
  • Select applicable forms of monitoring based on programme goals (e.g., audits, controls, sub-contractors) and complete compliance monitoring through auditing of privacy policies, controls, and standards, including against industry standards and regulatory or legislative changes.

Manage continuous assessment of the privacy programme:
  • Conduct risk assessments on systems, applications, processes, and activities.
  • Understand the purpose and life cycle for each assessment type (e.g., PIA, DPIA, TIA, LIA, PTA).
  • Implement risk mitigation and communications with internal and external stakeholders after mergers, acquisitions, and divestitures.
  • Ensure AI usage is ethical, unbiased, meets data minimisation and purpose limitation expectations and is in compliance with any regulations and/or privacy laws.

Domain 6: Privacy Programme Operational Life Cycle - Responding to Requests and Incidents

Respond to data subject access requests and privacy rights:
  • Ensure privacy notices and policies are transparent and clearly articulate data subject rights.
  • Comply with the organisation’s privacy policies around consent (e.g., withdrawals of consent, rectification requests, objections to processing, access to data and complaints).
  • Understand and comply with established international legislations around data subjects’ rights of control over their personal information (e.g., EU/UK GDPR, PECR, DPA18).

Follow organisational incident handling and response procedures:
  • Conduct a risk assessment about the incident.
  • Perform containment activities.
  • Identify and implement remediation measures.
  • Communicate to stakeholders in compliance with jurisdictional, global and business requirements.
  • Engage the privacy team to review facts, determine actions and execute plans.
  • Maintain an incident register and associated records of the incident.

Evaluate and modify the current incident response plan:
  • Carry out post-incident reviews to improve the effectiveness of the plan.
  • Implement changes to reduce the chance of further breaches.

Exam Preparation Day

The topics covered in this CIPM exam preparation session include:

  • Exam technique
  • Timing
  • IAPP examination format
  • How to set up the exam space for online exams or what to expect if they are going to a test centre
  • How to read and answer IAPP exam questions properly
  • Group discussion covering any topics delegates want to revisit, along with any queries that have come up during revision.
  • Availability and cost of the IAPP practice exam paper, and where to find it on the IAPP website.

Following the examination prep day, the instructor will offer guidance for further study areas.

IAPP CIPM Examination

IAPP Certified Information Privacy Manager Exam information

IAPP exams have gained a reputation for being difficult to pass. Both Freevacy and the IAPP strongly recommend careful preparation, even for experienced professionals.

The following information about the CIPM examination is an extract from documentation provided to delegates by the IAPP. For the full details please review the IAPP Privacy Certification Candidate Handbook 2023 and the CIPM Examination Blueprint.

Exam Information

IAPP certification programmes are designed to differentiate between candidates who do and who do not possess the knowledge required to be considered minimally qualified privacy professionals. All questions are multiple choice with some relating to scenarios. Each question has only one correct answer. Each item (question) consists of a clearly written question (stem), a correct or best response (key) that should be apparent to minimally qualified candidates and three incorrect responses (distractors) that will be plausible to not-minimally qualified candidates. Note that it is each candidate’s responsibility to be prepared for exams by being familiar with all elements of the Bodies of Knowledge.

Candidates are encouraged to read each question carefully. The stem may be in the form of an actual question or an incomplete statement. An exam question may require the candidate to choose the most appropriate answer based on a qualifier, such as MOST likely or BEST.

  • Total number of questions: 90
  • Scored questions: 70
  • Exam duration: 2 hours 30 minutes
  • Passing score: 300 out of 500

Examination Blueprint

The examination blueprint indicates the minimum and maximum number of items that are included on the CIPP/E examination from the major areas of the Body of Knowledge. Questions may be asked from any of the listed topics under each area.

Scoring

On all IAPP certification exams, each item has equal value and is scored as correct or incorrect. Unanswered items are considered incorrect, and there is no additional penalty for incorrect answers.

Special Accommodations

It is the policy of the IAPP to provide testing accommodations to candidates with qualifying disabilities to ensure each candidate a comparable opportunity for success on exams. We require 30 days' notice in order to arrange special accommodations. Please do not schedule an exam until the IAPP approves your request. After exam purchase, submit your request and supporting documentation using the forms provided on the IAPP website.

Exam Languages

All IAPP examinations are administered in English.