From rising privacy concerns to the inundation of current and future regulations on personally identifiable information, every organization today is affected by privacy. This puts professionals with privacy skills in high demand.
"Whether you're a technology professional, legal professional or in another part of an organization, you work on compliance issues," said Joe Shelley, co-author of IAPP CIPP/US Certified Information Privacy Professional Study Guide, published by Wiley. "This is a really exciting time to get involved in the privacy field."
With so many moving parts, however, practitioners can easily become overwhelmed.
To help professionals understand the privacy landscape and prove they have what it takes to tackle privacy in the digital world, the International Association of Privacy Professionals (IAPP) created the Certified Information Privacy Professional (CIPP) accreditation.
The nonprofit organization offers regional variants of the exam to accommodate varying jurisdictions, the most common being CIPP/E for Europe and CIPP/US for the United States. The CIPP/US certification covers everything from private sector privacy to government privacy, workplace privacy and state privacy.
Here, Shelley and co-author Mike Chapple offer advice to candidates on the CIPP/US exam, including career benefits, how to prepare and how the U.S. exam differs from other regions.
Editor's note: This transcript has been edited for length and clarity.
What are the benefits of CIPP accreditation?
Mike Chapple: Privacy is an incredibly important field, and it's becoming more important as organizations collect more data. From an individual's perspective, CIPP gives you access to an expanding career field. From an employer's perspective, having certified employees increases your credibility with customers and stakeholders. Additionally, it ensures your organization understands its responsibilities and it has the right staff in place to fulfill those responsibilities.
Joe Shelley: The benefit of certification frameworks is they contribute to the professionalization of a growing field. This framework ensures employers and certified professionals know there's an agreed-upon set of skills, knowledge and ability that privacy professionals can bring to an organization.
Who is the exam designed for?
Shelley: The exam and certification are structured for seasoned privacy professionals looking to advance their careers. However, with some work, the exam is accessible to folks in related fields who are looking to add privacy to their areas of expertise or portfolio.
Chapple: The exam appeals to different groups of people. There's a growing contingent of dedicated privacy professionals -- people who only focus on privacy. That career field has exploded in recent years. There are also those with privacy as a tangential responsibility. CIPP certification appeals to cybersecurity professionals and other technologists and privacy attorneys.
What is the career path for CIPP certification holders?
Chapple: Practicing privacy professionals spend their days making sure organizations fulfill their privacy responsibilities. But there's also a set of people who have privacy as a secondary responsibility -- be it an IT professional, attorney or business leader. These professionals already understand privacy, but a certification adds to their credibility.
Shelley: There's also the career advancement track. You have practitioners, perhaps on a technical level, who use the certification to advance their careers within an existing organization. Some small and midsize organizations outsource their legal counsel, so legal practices might use the certification to diversify their workforce. For example, a working attorney looking to specialize in privacy might take the exam. The cybersecurity consulting industry is growing, too, and this exam can help firms add privacy to their portfolios.
What advice would you give people preparing for the exam?
Shelley: The goal of the study guide is to help folks prepare for the exam. Beyond that, I advise aspiring privacy professionals to not underestimate the rigor of the exam. Second, I encourage people to think beyond the exam. As you study, think about how you'll use this knowledge to advance your goals. Most of the information in the exam is quite useful and can really help privacy professionals in the real world.
Chapple: I've been working in the technology, security and privacy certification space for a while. I've found it's useful to have a diverse set of resources because people learn in different ways. Combining studying methods can be helpful -- for example, using a book and video courses or studying with other people. My second piece of advice is to not underestimate the exam. This is a legally technical exam, so it goes into specific privacy laws and regulations in the U.S. You need to know the nuances and the ins and outs of those laws.
The certification covers five major domains of privacy. How should test-takers take this into account?
Chapple: We organized the book around the five domains. Think of each domain as a separate knowledge area, and work your way through the material domain by domain, and master each one as you go.
Shelley: The IAPP provides an exam blueprint with the proportional weight of each domain. It updates it from time to time, so aspiring privacy professionals should pay attention to those blueprints.
What areas of the exam do you see test-takers struggle with most?
Chapple: The general principles of privacy are easy to learn and pretty straightforward. The most difficult part of the exam is knowing all the laws. Go through and check you really understand each law, including what it covers, who it applies to and what the scope of jurisdiction is. And who has the right to sue under the law? Is that right restricted to the government? Or is there a private right of action where individuals can sue for violation of their privacy rights? Make sure you know all these details.
Shelley: Mike is absolutely right. The toughest part is knowing how the laws differ. There are some common questions that come up: What are the laws? How are they enforced? What are the various jurisdictional considerations? There are a lot of details to understand and remember.
What are the differences in the geographical regions' CIPP exams? When should a privacy professional consider those exams?
Shelley: Our study guide focuses on the U.S. exam, but we included information on how international regulations impact U.S. organizations. In terms of the international exams, the IAPP offers blueprints for those exams as well. Each exam focuses on the privacy laws of a specific region. For example, the European Union has more comprehensive privacy regulations than other jurisdictions. On the other hand, some governments have more extensive power over their citizens' right to individual privacy. If you have operations in another jurisdiction, you should consider a dual certification.
Chapple: If you're a U.S. company with subsidiaries and customers in the European Union and you find yourself subject to EU regulations, then you probably want to consider having CIPP/US and CIPP/E certifications.
In the book, you mention ransomware is the only cybersecurity threat explicitly mentioned in the exam objectives. Why is this?
Chapple: Ransomware explicitly appears in the exam objectives, so you're likely to see a question about it on the exam. You should have a good understanding of what ransomware is, the threat it poses and the privacy risks associated with an attack.
Shelley: Even though ransomware is explicitly mentioned, the exam also covers different types of attacks. So, Mike is absolutely correct. Ransomware should be a huge area of focus, but the exam also covers regulations about what you should do during accidental disclosures, insufficient encryption -- the list goes on. So again, don't underestimate the exam.
You also note in the book that privacy professionals use the phrases 'security event' and 'security incident' interchangeably. What's the difference?
Chapple: We use the term 'event' to describe something that affects security or privacy. Not everything that happens is bad, and events don't always threaten an organization or its data. An incident is when an event violates a policy or rule and causes significant risk to an organization. It's important to have the right terminology in place so that we can clearly communicate about what is happening. Privacy events happen every day, but hopefully, privacy incidents never happen.
About the authors
Mike Chapple, Ph.D., CIPP/US, is the author of the best-selling (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide and CISSP Official (ISC)2 Practice Tests. He is an infosec professional with two decades of experience in higher education, the private sector and government.
Joe Shelley, M.A., CIPP/US, is a leader in higher education information technologies. He is currently the vice president for libraries and information technology at Hamilton College in New York. In his role, Shelley oversees central IT infrastructure, infosec and privacy programs, to name a few. Before joining Hamilton College, Shelley served as CIO at the University of Washington Bothell.