Introduction
The International Association of Privacy Professionals, i.e., the IAPP, offers multiple industry-recognised certifications. To stay up to date with the latest developments in the field of privacy and related themes, the IAPP annually updates the syllabus and the topics that must be covered to be awarded its certifications.
These certifications are highly regarded in the industry because of the credibility of their issuing authority, i.e., the IAPP, and they help professionals acquire skills that set them apart from their peers.
IAPP Certifications
The IAPP offers multiple certifications in the realm of privacy. The certifications offered include, but are not limited to, the Certified Information Privacy Professional, i.e., the CIPP; the Certified Information Privacy Technologist, i.e., the CIPT; and the Certified Information Privacy Manager, i.e., the CIPM. The IAPP offers multiple variants of the CIPP certification based on legal jurisdiction, such as CIPP/E for Europe and CIPP/US for the United States.
The annual updates launched in 2023 have brought in new themes in the CIPP/E, CIPP/US, CIPM and CIPT certifications. The new forms of these exams are similar to their older forms, apart from content-related changes.
CIPP/US
The Certified Information Privacy Professional - US is one of the certifications offered by the IAPP. It caters to the skills required for navigating privacy compliance in the US private sector. The major additions brought in by this update relate to major legal developments such as bills passed, policies, guidelines and major judicial decisions. These include:
Laws:
- California Age-Appropriate Design Code Act requires the estimation of child users’ age by companies subject to it.
- Illinois Biometric Information Privacy Act prohibits the storage of biometric data apart from listed exceptional circumstances.
- Connecticut and Utah data privacy statutes provide consumers with the option to opt out of profiling and targeted ads.
Commissions: Guidance & Policies
- California Privacy Protection Agency (CPPA), established under the CCPA, is the US's first dedicated privacy regulator.
- EU-US Data Privacy Framework, which drew attention because of the EU's call for further negotiations to create a data transfer mechanism compliant with EU privacy laws.
- FTC Health Breach Notification Rule requires vendors to notify clients in case of any data breach.
- Regulation of the use of online tracking technologies by HIPAA-covered entities and their business associates.
- Facial recognition use restrictions: some US states now regulate facial recognition, and some have enacted narrow bans.
Judgements:
- Post-Dobbs v. Jackson Women's Health Organization healthcare privacy ramifications: navigating the conflict between producing data when compelled by law and preventing unlawful access to an individual's protected health information.
CIPP/E
The Certified Information Privacy Professional - Europe caters to the skills required for navigating privacy compliance in Europe, i.e., the GDPR. The major additions brought in by this update relate to major legal developments such as bills passed, policies, guidelines and major judicial decisions. These include:
Laws:
- EU Artificial Intelligence Act, a proposed act applicable to entities in three risk categories, including applications and systems that create uncontrollable risk and high-risk applications.
- GDPR’s relationship to other laws, such as the Data Governance Act, EU 2018 Regulations etc.
- NIS Directive / NIS 2 Directive, which raise the overall level of cybersecurity Europe-wide.
- Brexit, with a focus on the post-Brexit UK GDPR regime, as the UK's Data Protection Act has been amended to meet GDPR requirements.
Commissions: Guidance & Policies
- Emphasis on Article 9 of the GDPR which provides for special categories of personal data.
- EDPB Guidelines dated 01/2022 on data subject rights, specifically the right of access, which elaborate on the limitations and conditions of the right.
- EDPB Guidelines dated 9/2022 on Articles 33 and 34 and on risk assessment, focusing on personal data breaches.
- EDPB Guidelines dated 01/2021 giving examples of data breach causes such as ransomware, internal human risk, lost or stolen devices and data infiltration attacks.
- Transatlantic Data Privacy Framework: Upcoming framework for data transfer between EU and US.
- EDPB Guidelines dated 8/2022 on the key concepts and steps required to identify a controller's or processor's lead supervisory authority.
- Privacy by design and the compliance requirements set out in ISO 31700:2023, which sets high standards for the processing and handling of consumer data throughout the product lifecycle.
- Cookie banner transparency standards: a cookie banner is required on websites that receive visitors from the EU or UK.
- Dark patterns on social media platforms, with a focus on the EU guidelines released in 2023.
- Convention 108+: the convention governing the processing of personal data in Europe.
Judgements:
- Schrems decisions: the CJEU held that data transfers based on the Privacy Shield were unlawful and required stricter data control measures.
CIPM
The Certified Information Privacy Manager is one of the certifications offered by the IAPP. It caters to the skills required for privacy management roles. The major additions brought in by this update relate to new domains. These are:
- Earlier domains on developing a privacy program and privacy program framework have been combined to form one, i.e., Developing a Framework.
- A new domain has been added, i.e., Establishing Program Governance.
CIPT
The Certified Information Privacy Technologist is one of the certifications offered by the IAPP. It caters to the skills required for navigating emerging threats in the digital space as well as more efficient solutions to existing problems. The major additions brought in by this update relate to major legal developments such as revised definitions, new policies and guidelines, and laws. These include:
- Basic principles and frameworks, such as those issued by the OECD, and related key risk indicators (KRIs) and key performance indicators (KPIs).
- Privacy technology basics, such as data security incidents versus privacy breaches, and intra-organisational privacy and security practices.
- The privacy technologist's general and technical responsibilities within the organisation.
- Data ethics during data collection, with a focus on issues such as discrimination.
- Absence of informed consent and jurisdictional consequences during data collection.
- Intrusion and interference, with emphasis on dark patterns.
- Software security: focus on potential violations by service providers and intrusion prevention policies.
- Technological consequences of privacy techniques and regulations (processing and verification of individual rights requests (IRRs), retention requirements).
- User experience and privacy interface: focus on the effect of design on user behaviour, the complexity of UX design, and privacy-related settings and consent management.
- Emerging technologies in the privacy space, such as biometrics, corporate IT services and advanced computing.
Conclusion
These syllabus updates are necessary to keep pace with the latest demands of the industry. These recent developments in the realm of privacy are going to be a core part of regulatory compliance for years to come, and thus conceptual clarity on these topics becomes essential for potential hirers.
Stay updated with Tsaaro on the latest changes to these certification exams. Enrol in our training courses for complete guidance from privacy professionals to simplify your path to achieving these certifications. Contact us at info.academy@tsaaro.com.