The 2023 Updated CIPT Body of Knowledge: What Has Changed?

Privacy for technologists is a rapidly developing field. The IAPP’s CIPT Body of Knowledge has recently been updated to reflect some of these developments and support better alignment with score skills required by privacy technologists. 

 The IAPP’s CIPT certification covers the foundations for embedding privacy into products and services. It also covers the fundamentals of privacy as they relate to privacy technologists, including privacy risks and privacy engineering.  As with the IAPP’s other certifications, the CIPT Body of Knowledge is regularly updated to reflect the current state of privacy. The most recent version of the CIPT Body of Knowledge (v 3.2.0) is now in effect – and exams will reflect the changes.  

The IAPP says only about 10% of the content has changed but it feels like a lot more. 

Here is what you need to know:  

Overview of Changes to CIPT Body of Knowledge 

 More detail about the changes is included below. 

Updated CIPT Body of Knowledge V 3.2.0 

Changes to Domain 1 – Foundation Principles 

• Section B has been renamed “General Understanding of Privacy by Design Principles” (It was Privacy by Design Foundational Principles in the earlier version).  

• Section C has been completely overhauled. It previously covered value sensitive design, but this section has been moved elsewhere in the current version. It is now called “General Understanding of Privacy-related Technology Fundamentals” and it covers:  

a. Risk concepts (e.g., threats, vulnerability)  

b. Data/security incidents vs. personal data/privacy breaches  

c. Privacy and security practices within an organization  

d. Understanding how technology supports information governance in an organization 

e. External Data Protection and Privacy notices 

f. Internal Data Protection and Privacy guidelines, policies and procedures  

g. Third-party contracts and agreements  

h. Data inventories, classification and records of processing  

i. Enterprise architecture and data flows, including cross-border transfers  

j. Data Protection and Privacy impact assessments (DPIA/PIAs) 

k. Privacy related Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) 

• Section D has been renamed “General Understanding of the Data Life Cycle”. It was previously “The Data Life Cycle”. 

While section C has undergone significant changes, it will still likely only represent 1-3 questions in the CIPT exam. The changes are very helpful for test takers because the IAPP has now spelled out what topics it will cover (those outlined in a-k above). The previous BOK had just two points: a. How Design Affects Users; and b. Strategies for Skillful Practice. These points are vague in comparison to those in the updated BOK and we expect test takers will welcome the change and added certainty.  

Changes to Domain 2: The Privacy Technologist’s Role 

Section II of the CIPT BOK has undergone significant changes. The earlier BOK contained three sections, outlining the fundamentals of privacy-related IT, information security, and the privacy responsibilities of the IT professional.  

Those sections have been removed, and replaced with the following: 

A. General Responsibilities

a. Understanding various roles within the privacy team (e.g., DPO, CPO, legal compliance, security 

b. Implementing industry Privacy Standards and Frameworks  

c. Translating legal and regulatory requirements into practical technical and/or operational solutions 

d. Consulting on internal privacy notices and external privacy policies 

e. Consulting on contractual and regulatory requirements  

B. Technical Responsibilities

a. Advising on technology elements of privacy and security practices 

b. Advising on the privacy implications of new and emerging technologies 

c. Implementing privacy and security technical measures 

d. Implementing and developing privacy-enhancing technologies and tools 

e. Advising on the effective selection and implementation during acquisition of privacy impacting products 

f. Advising on privacy by design and security and privacy impact assessments in systems development 

g. Handling individuals’ rights requests (e.g., access, deletion) 

h. Supporting records of processing activities (RoPA), automation of inventory and data flow mapping 

i. Reviewing security incidents/investigations and advising on breach notification 

j. Performing and supporting IT privacy oversights and audits including 3rd party assessment 

k. Developing, compiling, and reporting Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs).  

Updates to Domain 3: Privacy Risks, Threats and Violations 

In addition to the inclusion of ‘risks’ in the title for this section, the following changes are notable:  

• Section A is an entirely new section, Data Ethics. Exam takers will need to learn about legal vs ethical considerations, moral and societal issues, and bias/discrimination.  
• The During Data Collection section has been updated to include a further five parts: lack of informed consent, automatic collection, inaccuracies, extracting from publicly available sources, and jurisdictional implications.  

• The section “During Data Dissemination” is largely the same except that d. Breach of Confidentiality now includes specific reference to personal data breaches.  
• The section “Intrusion, Decisional Interference and Self-Representation” has been updated to include two additional points: blackmail and dark patterns.  
• The “Software Security” section now requires exam takers to demonstrate knowledge of possible violations by service providers.  

Updates to Domain 4: Privacy-Enhancing Strategies, Techniques and Technologies 

Section IV has been renamed and has also undergone significant changes.  

• Section A has been shortened to just four points: separate, minimize, abstract, and hide. The specific techniques for performing each of these data oriented strategies that were outlined in the earlier BOK have been removed. We imagine the IAPP wanted increased flexibility to include new and emerging strategies in their exams.  
• Th’Process Oriented Strategies’ section is now Section B (previously Section C) and it too has been streamlined and simplified to remove the  
• The ‘Techniques’ section has been amended as follows:  

It is likely that between 7-9 questions in the exam will cover these techniques, so it’s very important that you’re familiar with the updated BOK.  

Updates to Section 5: Privacy Engineering 

If you’re reeling from the significant changes outlined above, rest easy here – there’s just one change to report: 

• Section D, Privacy Risks in Software, has been updated to include controls/countermeasures. 

Updates to Section 6: Privacy by Design Methodology 

Two parts have been added to section IV of the CIPT BOK:  

B. Privacy Interfaces and User Experience

a. Design Effects on User Behavior  

b. UX Design and Useability of privacy-related functions  

c. Privacy Notices, Setting and Consent Management  

d. Usability Testing 

C. Value Sensitive Design 

a. How Design Affects Users 

b. Strategies for Skillful Practice 

(Part C was previously included in Section I: Foundational Principles. It migrated to Section 6 in the recent update) 

Updates to Section 7: Evolving or Emerging Technologies in Privacy 

Section VII has been entirely replaced. It now reads:  

A. Robotics and Internet of Things (IoT) 

a. Mobile phones  

b. Wearable devices  

c. Edge Computing  

d. Smart homes and cities (e.g., CCTV and tracking/surveillance)  

e. Robots  

f. Drones  

B. Internet/eCommerce 

a. Adtech  

b. Cookies and other webtracking technologies  

c. Alerts and notifications  

d. Location tracking  

e. Chatbots  

f. Online/mobile payments  

C. Biometrics 

a. Facial recognition 

b. Speech recognition 

c. Fingerprint ID 

d. Behavioral profiling 

D. Corporate IT Services 

a. Shared Data centers 

b. Cloud-based infrastructure 

c. Third-party vendor IT solutions 

d. Remote working 

e. Video calls and conferencing 

E. Advanced Computing

a. Data Management and Analytics 

b. Artificial Intelligence  

c. Quantum computing  

d. Blockchain  

e. Cryptocurrencies  

f. Non-fungible tokens 

g. Machine and Deep Learning  

F. Social Networks 

a. Social media  

b. Messaging and video calling  

c. Virtual/Augmented reality. 

Resources for the Updated CIPT Body of Knowledge 

In addition to the updated CIPT Body of Knowledge, you may wish to review:  

• How To Prepare for the CIPT Exam 
• Where the CIPT Qualification can take you and your career. 
• Whether the CIPT is the right privacy certification for you. 
• 5 Tips on passing the CIPT Exam. 
• Solove’s Taxonology of Privacy.  
• Jaap-Henk Hopeman’s Privacy by Design Strategies 
• Dark patterns: EDPB Guidance https://edpb.europa.eu/system/files/2022-03/edpb_03-2022_guidelines_on_dark_patterns_in_social_media_platform_interfaces_en.pdf  

Book Your CIPT Online Training Course with Privacy 108 

We have updated our CIPT exam preparation course to reflect the significant changes to the body of knowledge.  

You can sign up for our 2 x full-day instructor-led online training here.  

Our online privacy training program is a robust, interactive way to learn the critical privacy concepts that are integral to the Certified Information Privacy Technologist (CIPT) certification exam. 

Alternatively, get in touch to discuss whether the course is a good fit for you: