CIPM Body of Knowledge Update: What’s Changed

Privacy is an exciting and dynamic field that is rapidly changing. While this makes it an incredibly interesting and rewarding field to work in – it does pose some challenges for test administrators, like the IAPP. To keep pace, the IAPP regularly updates the content of its tests – including the CIPM, which has undergone changes that come into effect on 3 October 2022. Here’s what will change once the CIPM Body of Knowledge update comes into effect in October:

What Changed in the 2022 CIPM Body of Knowledge Update? 

CIPM Domain I – Developing a Privacy Program 

The first domain has undergone some changes. First, it is referred to as “Developing a Privacy Program”, which is an update from the “Privacy Program Governance” title it was given in the 2021 edition.  

Secondly, part A of Domain I now states:  

  1. Create an organizational vision.  
  2. Evaluate the intended objective.  
  3. Gain executive sponsor approval for this vision.  

The specific changes here are that the requirement to “acquire knowledge on privacy approaches” has been removed, and the language has been updated to say “organizational” instead of “company vision”.  

Other changes to Domain I include:  

  • The requirement in Part C, section c (iv) to “plan inquiry/complaint handling procedures” has been moved to domain II part A in the 2022 CIPM Body of Knowledge update. 
  • Part D “Structure the privacy team” has been condensed.  
  • Part E has also been restructured and now includes a requirement to “ensure employees have access to policies and procedures and updates relative to their role”.  

CIPM Domain II Updates 

CIPM Domain II covers the Privacy Program Framework. It has been updated as follows in the CIPM Body of Knowledge update for 2022:  

  • Minor changes have been made to Part A (b), including the addition of the inquiry/complaint handling procedures outlined above.  
  • Part B (b) has been updated to include understanding of sectoral and industry regulations (such as HIPAA). 
  • Part B now also includes a section c, which is dedicated to understanding data sharing agreements including international data sharing agreements, vendor agreement, and affiliate and subsidiary agreements.  
  • Metrics relating to “use” have been removed from Part C, while metrics for DPIAs have been added.  

CIPM Domain III Updates 

The CIPM’s Privacy Operational Life Cycle: Assess knowledge requirements have changed as follows:  

  • Part A, which covers knowledge relating to documenting current baselines within the privacy program, section (c) has been expanded to read “assess policy compliance against internal and external requirements. Sections (d), (e), and (f) have also been revised and condensed in such a way that ‘remediation’ is no longer a separate requirement. We suggest you review the changes in the updated Body of Knowledge. 
  • Part B, which considers processor and vendor assessments, section (a)(iv) now reads “Review and set limits on vendor internal use of personal information”. This reflects the movement towards access control and restricting the flow of personal information to what is required for reasonable purposes  
  • Part B (c), which considers risk assessments, has been updated to consider cross-border transfers, as well as technologies and processing methods deployed.  
  • Part D, which relates to mergers, acquisitions, and divestitures, has been updated to include multiple new items, namely contractual and data sharing obligations, risk and control alignment, and post-integration planning and risk mitigation.  
  • Part E, which considers Privacy Assessments and Documentation has been entirely updated to read:  

“E. Privacy Assessments and Documentation  

      1. Privacy Threshold Analysis (PTAs) on systems, applications and processes 
      2. Define a process for conducting privacy assessments (e.g., PIA, DPIA, TIA, LIA) 
      3. i. Understand the life cycle of each assessment type 
      4. Incorporate privacy assessments into system, process, data life cycles”

CIPM Domain IV Updates 

Domain IV of the CIPM discusses the Privacy Operational Life Cycle: Protect. It has been almost entirely rewritten in the 2022 update. As a result, we suggest you read it in full in the updated Body of Knowledge. 

It is interesting to note the changes in language relating to access control, such as the inclusion of “least privileged access”. This highlights the trend in privacy toward as strict as possible access controls. 

CIPM Domain V Updates 

Domain V is entitled “Privacy Operational Life Cycle: Sustain”.  

Part B, which reflects auditing requirements, has undergone some minor changes, as follows:  

  • Section (a) has been updated to include reference to the “maintenance of an audit trail”, as well as the knowledge required to “utilize and report on regulator compliance assessment tools”.   

CIPPM Body of Knowledge Updates to Domain VI 

Domain VI is entitled “Privacy Operational Life Cycle: Respond”. It has been updated as follows:  

  • Part A has been expanded to include ‘complaints, including file reviews’.  
  • Part B (b)(i)(1), which outlines incident response planning key roles, has been updated to include the Head of compliance and external parties.  
  • Part B (d), which relates to incident handling, has been revised and expanded to include conducting risk assessments, performing containment activities, identifying and implementing remediation measures, developing a communications plan for executive management, and notifications.  
  • Part B (e) has been expanded to include a requirement to maintain an incident register and associated records.  

Woman studying the CIPM body of knowledge update on a tablet computer while wearing headphones and a microphone. There are pens in the foreground.

CIPM Body of Knowledge Resources 

For complete and accurate details of the updates, you can compare the 2021 version to the 2022 Updated Body of Knowledge. 

You can also:  

For more information about the CIPM training courses, contact us! 

  • This field is for validation purposes and should be left unchanged.