Introduction

Privacy issues have become increasingly important for organizations in recent years. While events such as Edward Snowden’s NSA revelations in 2013 began a conversation around privacy concerns, the more recent Facebook/Cambridge Analytica privacy debacle as well as the implementation of the EU’s General Data Protection Regulation (GDPR) have once again pushed that conversation back into the public consciousness.

The International Association of Privacy Professionals (IAPP) is a not-for-profit organization dedicated to education in the area of data privacy. It offers a variety of privacy certifications, including the popular CIPP/US certification. The IAPP is the most revered of privacy organizations and has had some prestigious board members over the years, including Kalinda Raina, head of global privacy for LinkedIn, and Peter Lefkowitz, the current chairman of IAPP and chief privacy and digital risk officer for Citrix.

What is the CIPP/US certification?

The Certified Information Privacy Professional/United States (CIPP/US) is a highly respected certification that shows the world you are a high-caliber privacy professional. CIPP/US certification is viewed as the global standard in privacy qualifications. The certification itself has been accredited by the American National Standards Institute (ANSI) under the International Organization for Standardization (ISO) standard 17024:2012, which indicates that the certification is of high quality.

Holding a CIPP/US certification demonstrates that you have a broad understanding of U.S. privacy laws and regulations and how, when and why they should be applied. This includes U.S. workforce privacy, marketing privacy laws and U.S. federal laws on data protection. The CIPP/US certification also demonstrates that you have an understanding of jurisdictional laws and how privacy impacts data flows across jurisdictions. The IAPP ensures that the certification always reflects, as fully as possible, changes in privacy laws and the data privacy landscape.

CIPP/US certification lasts for two years from the day the exam is passed. Once you have achieved CIPP/US certification, you are required to complete 20 hours of Continuing Privacy Education (CPE) over the two years the certification remains valid. You also have to pay an annual certification maintenance fee (included in your IAPP membership fees).

Once you have a CIPP/US certification and three years of privacy experience, with references, you can apply to be a Fellow of Information Privacy (FIP).

Who should earn the CIPP/US?

The large number of data breaches in recent years along with increased scrutiny by regulators around those breaches has made privacy certifications such as CIPP/US very attractive to firms across industries. In addition, new privacy regulations like the EU’s GDPR affect any business that deals with EU citizens irrespective of the company location. This makes employees who have CIPP/US certification an attractive proposition.

In general, those who can gain most from being CIPP/US certified are those who deal with personal data, both from a technical and legal perspective. Holding a CIPP/US certification is useful for the following roles:

  • Chief privacy officers
  • Information security professionals
  • Data protection officers
  • Compliance officers
  • Human resource officials
  • Security professionals wishing to expand their privacy knowledge
  • Those with a legal background wishing to focus on privacy law

What experience do you need to get certified?

Although there are no formal requirements needed to sit the CIPP/US exam, the IAPP “strongly recommend[s] careful preparation” before taking the exam. Having working knowledge of U.S. privacy laws will help you to pass the exam, but preparation is vital. The exam consists of stand-alone assessments that require a degree of professional experience and working knowledge of data privacy practices.

The IAPP provides a blueprint for the CIPP/US exam. In addition, training providers such as InfoSec Institute provide a variety of flexible training courses that can help ensure you successfully pass the exam.

How does the CIPP/US compare to other privacy certs?

There are a number of privacy certifications available; however, CIPP/US specifically has broad appeal. The CIPP/US certification is specific to U.S. privacy laws, so this means that it is most suited to those working in the U.S. or those who need to have a good working knowledge of U.S. privacy issues.

Unlike some counterparts, such as the certifications offered by ISACA and (ISC)2, CIPP certifications are also suitable for a non-technical audience such as managers and lawyers. InfoSec Institute offers a four-day dual CIPP/US and CIPM (Certified Information Privacy Manager) Boot Camp for managers looking to obtain both certifications.

What is the best way to train for the CIPP/US?

The CIPP/US exam itself is a series of multiple-choice questions over a 2-hour-and-30-minute time period. To prepare for the exam:

  • Read up on the IAPP “body of knowledge” – this is a list of all topics that are covered in the exam
  • Get to know the exam format and use the IAPP exam blueprint to prepare test questions and sample answers for yourself
  • Read books on the matter – there are a number of textbooks available across the subjects covered by the CIPP/US exam
  • Use a dedicated training course, such as one supplied by InfoSec Institute

Sources

IAPP CIPP/US exam blueprint: https://iapp.org/media/pdf/certification/CIPP_US_EBP_after%208.1.17.pdf

IAPP CIPP/US body of knowledge: https://iapp.org/media/pdf/certification/CIPP_US_BoK_after%208.1.17.pdf