Preparing for the iapp CIPP/E Exam? Some exam prep tips

Thinking of taking the iapp CIPP/E exam but not sure how to prepare or whether you’re ready?  The following are some tips and guidance to help you on your way.

The CIPP/E is billed as delivering comprehensive GDPR knowledge, perspective and understanding to ensure compliance and data protection success in Europe.  It’s directed at equipping privacy officers to take advantage of the career opportunity this sweeping legislation represents.

Privacy108 has been running iapp’s Certified Information Privacy Professional/EU (CIPP/E) training course in Australia for over 2 years.  Since we started delivering CIPP/E training, quite a few students have asked how they should prepare for the exam and have also provided some feedback on how hard it is (particularly for non-lawyers).

Unfortunately, unlike certifications such as the CISSP and the CISM, there’s little advice out there about what you need to do, or banks of practice questions to test how ready you might be to take the CIPM exam. The following is some advice for anyone thinking of taking the CIPP/E exam based on our own experience, plus feedback from students and on-line discussion groups.

iapp Resources

The curriculum for CIPP/E is contained in the Body of Knowledge.  The iapp doesn’t leave much guesswork to exam takers: the Body of Knowledge (BoK) outlines what you need to know and what will be tested.  The CIPP/E BoK outlines all the concepts and topics you need to know to become certified.

In summary, there are three domains within the BoK:

  1. Introduction to European Data Protection – history of data protection and creation of the EU;
  2. European Data Protection Law and Regulation – detailed examinations of GDPR;
  3. Other European Data Protection Law and Regulation – covers specific areas like employment, direct marketing and surveillance.

There is an exam blueprint that indicates how many questions from each topic area you can expect on the exam. Most of the content on the exam will be from Domain 2 (approximately 70%) but don’t leave out 1 or 3.

Remember, the CIPP/E Body of Knowledge was updated on 1 September 2020 so make sure you check out the changes here.

The body of knowledge and exam for CIPP/E were updated again on 1 July 2021. Read this blog post to find out more about the update.

We highly recommend that you familiarise yourself with the BoK and those resources….

It’s also a good idea to read the official text book European Data Protection: Law and Practice by Eduardo Ustaran (editor), published by the IAPP. This text contains all the information you need.  It is a series of chapters on different topics written by different authors, which can be more engaging because of the different styles, and it has recently been updated.  However, there is some duplication between the chapters, so try to summarise the information you need to remember.

The iapp CIPP/E Authoritative Reference list is excellent.  It contains a series of other resources that are helpful as part of your exam prep.

There is also a glossary of privacy terms that is helpful if you’re not familiar with privacy terminology.  You can use the glossary to create flash cards.

Other iapp materials to help prepare for the CIPP/E exam include

You can also sign up for other information from iapp, like the Europe Data Protection Digest with latest developments in European Data Protection.

How much study should I do?

The iapp recommends that you train and study for a minimum of 30 hours.[1]  I usually tell candidates who’ve done the 2-day course to read the course notes plus the text book a couple of times and compare both to the BoK until you’re happy that you’ve got an understanding of all content in the BoK.

Be familiar with the GDPR

There are four different CIPP certifications that cover different legal jurisdictions.  They are designed to show the world you know data privacy laws and regulations and how to apply them.  Because the CIPP is focused on the law (unlike, for example, the CIPM or the CIPT, which are more operational), there is an expectation that you understand and can apply most of the Articles of the GDPR.

You should be very familiar with Articles 1 – 50 and have a good understanding of how the enforcement provisions work.  You must read those Articles.  Go through them one by one if you’ve not done that before and make sure you are familiar with them.

I know this is hard if you’re not a lawyer but this is a test on how well you know the laws and regulations so make sure you do.

Feedback from the field

The following advice comes from privacy professionals via an iapp on-line forum and from students who’ve provided us with feedback on the exam directly:

  • If you’re not from Europe you may not be familiar with what countries are in the EU or the difference between the Council of Europe and the EU, let alone the treaties and other developments that led to the GDPR. Spend some time learning this if you can, as there will be questions on it …
  • There’s some feeling that the practice exam does not provide a good example of the sort of questions included in the actual exam, so don’t get too smug if you do well on that. Some of the feedback on the practice exam includes ‘The sample test in no way prepared me for the actual exam questions’ and ‘I scored perfect on the sample test provided with the class but did not get anywhere close to that on the actual exam so take your results on the sample test with a grain of salt.’
  • There will be scenario questions to test your application of the principles to a real life situation. Read the scenario carefully but don’t try and memorise it.  It will appear on each screen as you answer multiple questions about the same facts.

Last thoughts …

You should take the exam seriously.  It’s a long time since many of us have done an exam so work out what’s the best time for you to do it (morning or afternoon?), how to manage the available time appropriately (90 multiple choice questions in 150 minutes) and your strategy for dealing with questions you may not know the answer to.  In particular, don’t freak out if you don’t know what the question is about or have no clue on which is the right answer. You can mark those questions as ones you’ll come back to (which is the strategy I used).

Remember, sometimes it will be the ‘least wrong’ rather than the ‘most right.’


So, take it seriously, do your preparation and you should be OK. For non-EU practitioners, make sure you understand the history of the EU, European treaties like the Council of Europe, and other relevant privacy laws, like the e-privacy directive, and how the GDPR will be enforced.

And make sure you’ve read Articles 1 – 50 and understand the history of data protection (including the development of the EU).

It’s a good certification for privacy professionals and requires a detailed knowledge of the law that is setting the benchmark for privacy regulation internationally.   It’s difficult but what good things come easy?

How much do you know?

Interested in testing your knowledge?  Take the CIPP/E Mini Quiz and see how well you go. Just enter your name and email and you will receive a link to the quiz.


Need Training

We offer instructor-led online training for CIPM, CIPP/E and CIPT, led by Dr Jodie Siganto and giving you exclusive access to additional resources to help you pass your exam.


iapp Guidance:


  • Council of Europe ‘Handbook European Data Protection Law’:

  • White & Case Guidance

GDPR Handbook: Unlocking the EU General Data Protection Regulation | White & Case LLP



Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.