IAPP Certified Information Privacy Manager (CIPM) Ultimate Cheat Sheet
Your Quick Reference Study Guide
This cheat sheet covers the core concepts, terms, and definitions you need to know for the IAPP Certified Information Privacy Manager (CIPM). We've distilled the most important domains, topics, and critical details to help your exam preparation.
💡 Note: While this study guide highlights essential concepts, it's designed to complement, not replace, comprehensive learning materials. Use it for quick reviews, last-minute prep, or to identify areas that need deeper study before your exam.
About This Cheat Sheet: This study guide covers core concepts for IAPP Certified Information Privacy Manager (CIPM). It highlights key terms, definitions, common mistakes, and frequently confused topics to support your exam preparation.
Use this as a quick reference alongside comprehensive study materials.
Privacy Program: Developing a Framework (19% of exam)
Stakeholder Alignment — Privacy as Business Enablement
Map roles, data touchpoints and governance to embed privacy controls with business priorities for adoption.
Key Insight
Continuous engagement turns named stakeholders into accountable owners; tie controls to business KPIs to prioritize.
Common Mistakes
- Counting only execs/legal as stakeholders; ops owners who implement controls are ignored.
- Treating stakeholder lists as engagement; a name ≠ commitment or decision authority.
- Doing alignment once and never updating as products, vendors, or processes change.
Privacy Frameworks — Select, Tailor & Embed
Choose a fit-for-purpose framework, tailor controls across policies, contracts, tech and metrics, then operationalize.
Key Insight
Frameworks guide design but do not equal compliance — map controls to laws, vendors, and measurable KPIs and test them.
Common Mistakes
- Assuming a well-known framework automatically satisfies all regional laws.
- Treating framework adoption as a one‑off project; skipping continuous monitoring and improvement.
- Relying only on policy or contract language, omitting technical controls, audits, and role-based training.
Privacy Policy Lifecycle: Policies → Procedures → Standards
Document and govern privacy rules and operational steps so controls are discoverable, auditable, and legally consistent.
Key Insight
Treat policy management as a lifecycle: create, approve, version, review, train, monitor and retire with stakeholders.
Common Mistakes
- Treating versioning as a technical detail instead of audit/governance evidence
- Publishing policy only—skipping scheduled review, training, enforcement and retirement
- Letting legal own changes alone, omitting operational owners and approvals
Privacy Vision & Strategy (Leadership)
A short, aspirational leadership statement that directs long‑term privacy priorities and decision tradeoffs.
Key Insight
Keep it high‑level, business‑aligned and revisable; vision guides choices, not controls or metrics.
Common Mistakes
- Making the vision procedural or metric‑heavy—that's for strategy/objectives, not the vision
- Drafting only within privacy/legal and excluding business/stakeholder input
- Defining vision as mere 'legal compliance' instead of broader organizational value
FIPPs — Fair Information Practice Principles
Global privacy principles (notice, purpose, minimization, choice, access, integrity, security, accountability) for mapping controls.
Key Insight
Principles are normative guides for mapping multiple controls — no single technical control fully satisfies a principle.
Common Mistakes
- Treating FIPPs/OECD as binding law rather than interpretive guidance.
- Relying on one technical control (e.g., encryption) to 'meet' a principle.
- Insisting on explicit consent for every choice — opt‑out/other legal bases may apply.
Proactive Regulatory Monitoring & Impact Analysis
Continuous tracking and analysis of laws, guidance, and cases to prioritize remediation, report impacts, and enforce the
Key Insight
Alerts are the start — you must scope applicability, perform cross‑functional impact analysis, prioritize remediation, and retain evidence.
Common Mistakes
- Relying solely on automated feeds or alerts without human cross‑functional analysis.
- Equating monitoring with compliance — detection without timely remediation or evidence fails obligations.
- Assuming a change in one jurisdiction automatically applies across all operating regions.
Privacy Program: Establishing Program Governance (17% of exam)
Notice & Purpose‑Limitation — Link to Lawful Basis
Tell subjects what you collect and why; map each purpose to a lawful basis, retention and transfer rules.
Key Insight
Purpose drives retention, rights and transfers — change of use needs compatibility test or a new lawful basis.
Common Mistakes
- Assuming consent is always required for processing.
- Setting retention periods without tying them to purpose or law.
- Using vague purposes (e.g., 'business operations') to cover future uses.
DSAR Lifecycle — Verify, Triage, Execute, Record
Standardize intake channels, verify identity, apply legal exemptions, meet statutory timeframes and log outcomes.
Key Insight
Identity verification and legal assessment are gating steps — no disclosure/deletion until both are cleared.
Common Mistakes
- Treating a DSAR as only an access request (ignores rectification/erasure/objection/portability).
- Relying on weak ID checks (e.g., just matching an email) for disclosures or deletions.
- Assuming all requests must be complied with immediately without legal assessment or exemptions.
Accountability — FIPPs (Fair Information Practice Principles) & PbD
Assign accountable owners, explicit policies, validated metrics, and clear escalation/remediation for measurable privacy
Key Insight
Ownership + validated metrics + escalation = real accountability; numbers alone aren't accountability.
Common Mistakes
- Treating an 'owner' as the lone doer instead of an accountable leader who delegates and escalates.
- Relying on written policies alone—no owners, no resources, no review cycles.
- Assuming metrics equal accountability without validated data sources or escalation paths.
Chief Privacy Officer (CPO) — Role & Accountability
Senior accountable leader who designs, oversees, and is the external contact for the organization’s privacy program.
Key Insight
CPO = program accountability and coordination, not sole operator; needs authority, resources, and escalation routes.
Common Mistakes
- Assuming hiring a CPO alone satisfies all legal mandates (some jurisdictions require a DPO or extra controls).
- Expecting the CPO to perform every privacy task instead of delegating and governing.
- Fixing the CPO in Legal by default—placement should balance independence, access to leadership, and risk.
Living Personal Data Inventory (PII/Personal Data)
Living repo mapping data categories, locations, owners, purposes, flows and controls; metrics drive oversight & prioritization.
Key Insight
Measure coverage + record-level classification accuracy + timeliness; validate with sampling and evidence, not system counts
Common Mistakes
- Treating % of systems inventoried as completeness (ignores record-level gaps)
- Counting unvalidated or default labels as 'classified' records
- Treating the inventory as a one-time deliverable, not a living repo
Monitoring: Collection, Use & Retention Compliance
Continuous + periodic checks validating data collection, use and retention against law, policy and contracts; produces,
Key Insight
Blend automated and human checks; track exception rate, data aging, and detection-to-remediation time — monitoring finds issues, it doesn't fix them
Common Mistakes
- Relying only on periodic audits instead of continuous monitoring
- Assuming automated tools alone suffice; missing human context
- Expecting monitoring to equal compliance rather than enabling remediation
Training vs Awareness — Competency Map
Awareness = broad behavior prompts; Training = role-specific skills you can test and certify.
Key Insight
Awareness raises risk visibility; training builds measurable task-based competencies — track them separately.
Common Mistakes
- Equating awareness emails with closing competency gaps — awareness ≠ skill change.
- Relying on a single assessment — reassess when roles, processes, or risks change.
- Defining training by job title alone instead of tasks, data handled, and lifecycle stage.
Role-Based Training — Task → Competency Fit
Create modules mapped to specific role tasks, data access, and risk; set depth, cadence, and success metrics per role.
Key Insight
Map each role to required competencies and observable outcomes; update training when responsibilities, tech, or risk profiles change.
Common Mistakes
- Using one generic course for all staff — ignores differing data access and decisions.
- Treating role-based training as a substitute for technical access controls or enforcement.
- Delivering a one-off course and never updating or reassessing technical depth or relevance.
Privacy Program Operational Life Cycle: Assessing Data (17% of exam)
Privacy Roles & RACI (Single-Owner Rule)
Assign R/A/C/I with a single Accountable owner per outcome; define approvals, escalation and reporting lines.
Key Insight
Accountable = one named person; RACI shows who does what but does NOT grant budget, processes, or independence.
Common Mistakes
- Assigning 'Responsible' and 'Accountable' to the same group — removes clear ownership.
- Using the RACI as a replacement for documented processes, resources or escalation procedures.
- Assuming reporting to the CEO automatically ensures independence or adequate resourcing.
Data Inventory & Mapping — Flows, Not Lists
Continuously map sources, flows, processors, recipients, retention and unstructured stores to locate privacy risk.
Key Insight
Mapping is living: include structured + unstructured data, lifecycle stages, transfers, third parties and retention.
Common Mistakes
- Treating mapping as one-time; not updating maps after system, vendor or process changes.
- Recording only PII or storage locations and omitting processing, recipients or retention rules.
- Ignoring unstructured sources (emails, documents, logs) where personal data often hides.
HIPAA BAA — PHI Vendor Contract
Mandatory contract that binds any vendor handling PHI to HIPAA use, security, breach, and subcontractor rules.
Key Insight
A BAA is required whenever PHI is handled and does NOT shift ultimate HIPAA liability away from the covered entity.
Common Mistakes
- Assuming a generic DPA or NDA satisfies HIPAA — a BAA is required for PHI.
- Treating the BAA as proof of technical controls — you must verify safeguards operationally.
- Believing a BAA transfers full legal liability from the covered entity to the vendor.
Data Sharing Agreement (DSA) — Purpose & Controls
Pre-transfer contract that specifies data categories, lawful purpose, permitted recipients, retention, safeguards, and e
Key Insight
DSAs set the legal and operational boundaries for sharing but don’t replace DPIAs or hands‑on control testing.
Common Mistakes
- Relying on a generic security/SLA clause — DSAs must name concrete technical and organizational measures.
- Assuming a signed DSA removes the need for a DPIA or risk testing for high‑risk processing.
- Thinking contract language can waive statutory obligations like lawful basis or data subject rights.
Media Sanitization & Disposal (Overwrite, Crypto‑erase, Degauss, Shred)
Make storage media unreadable or destroyed—use the method matched to media type, sensitivity, and audit evidence.
Key Insight
Select method by media: overwrite for magnetic HDDs, crypto‑erase (key destruction) for encrypted or self‑encrypting drives, degaussing does not sanitize SSDs, and shred when physical destruction is required; keep a certificate or log as audit evidence.
Common Mistakes
- Assuming file delete or reformat fully erases data
- Relying on full‑disk encryption without destroying keys or documented proof
- Believing a single overwrite or degaussing sanitizes SSDs
Physical & Environmental Controls — Retention, Sanitization, Device Security
Assess access controls, device handling, HVAC (heating, ventilation, air conditioning), fire suppression and power to prevent unauthorized physical access and data loss.
Key Insight
Physical controls = access + environmental systems + vendor evidence; technical controls (encryption/IAM) don't obviate physical safeguards.
Common Mistakes
- Equating physical security with only locks and CCTV
- Trusting vendor/third‑party sites without assessment or destruction certificates
- Believing logical controls (encryption/IAM) replace physical/environmental safeguards
Vendor Inventory & Data‑Sharing Contracts
A live inventory + contracts proving who handles what data, subprocessors, controls and residual privacy risk.
Key Insight
Treat certifications/clauses as evidence, not proof: verify scope and dates, right‑to‑audit, subprocessor change controls, and how the vendor's controls map to your organization's requirements.
Common Mistakes
- Accepting a certification (e.g., SOC/ISO) as complete proof without checking scope and date
- Relying on signed clauses alone, skipping operational evidence and monitoring
- Ignoring shared‑responsibility and subprocessor change/notification controls
Tamper‑Evident Audit Trails & Logs
Chronological, integrity‑protected logs (system events plus human approvals) with defined retention, SIEM tuning and forensic context for investigations.
Key Insight
Logs are only forensically useful when complete, contextualized, integrity‑protected and mapped to detection rules; SIEMs must be fed, tuned and tested.
Common Mistakes
- Assuming any stored logs meet audit — ignoring gaps, context and integrity
- Believing a SIEM alone guarantees detection — missing sources, rules or tuning
- Centralizing logs without integrity/immutability (signing, WORM, access controls)
Data Lifecycle — Collection, Retention & Transaction Disposal
Controls for what data is collected, how it's used, retained and securely disposed—critical in M&A/TSA contexts.
Key Insight
Minimization is field‑level + retention; TSAs/sale agreements must assign disposal responsibilities and cover backups.
Common Mistakes
- Assuming anonymization fully removes re‑identification risk or retention obligations
- Treating pseudonymization as full anonymization and therefore zero privacy risk
- Believing a single deletion command clears backups, archives and downstream copies
Cross‑Border Transfers & Transfer Risk Assessments
Legal, contractual and technical measures (TIAs/TRAs) to lawfully move personal data across borders, including deal‑driven transfers.
Key Insight
A lawful transfer mechanism + contractual/technical mitigations are required — adequacy or encryption alone rarely suffice.
Common Mistakes
- Assuming an adequacy decision removes need for contractual or technical safeguards
- Relying on encryption alone to avoid needing a lawful transfer mechanism
- Using derogations (e.g., consent) for routine, ongoing commercial transfers
Privacy Program Operational Life Cycle: Protecting Personal Data (14% of exam)
NIST Privacy Framework — Protect (Identity, Data, Access)
Select, implement and validate identity, data‑security and access controls to reduce privacy risk across processing.
Key Insight
Use layered controls — identity proofing, least‑privilege access, data classification + PETs — and continuously test effectiveness, not just deploy.
Common Mistakes
- Assuming encryption alone solves all personal‑data risk.
- Treating pseudonymization as anonymization (can be re‑identified).
- Relying on a single control or one‑size‑fits‑all access model (e.g., only RBAC).
Safeguards Tripod — Technical, Administrative, Organizational
Combine technical controls, policies/training, and organizational processes (including vendor oversight) to mitigate and
Key Insight
Effectiveness = implementation + evidence: policies, training and vendor controls must be operationalized, monitored and audited — documentation alone
Common Mistakes
- Treating safeguards as IT‑only; ignoring admin and organizational measures.
- Assuming a documented policy equals an effective control.
- Ignoring organizational controls and vendor oversight when outsourcing.
PIA/DPIA — Risk → Decision Gate
Structured assessment that uncovers privacy risk, forces mitigations into the SDLC, and gates approvals.
Key Insight
PIA integrates findings into design/approvals; DPIA can be a legal trigger; PTAs only screen — residual risk remains.
Common Mistakes
- Treating PIA and DPIA as always interchangeable — DPIAs can be legally mandated.
- Using a PTA as a substitute for a full PIA when significant risks exist.
- Assuming a PIA eliminates risk or is a one‑time checkbox at project start.
PbD: Embed Privacy & Enforce Default Limits
Bake privacy into architecture, SDLC and processes; 'by default' limits collection, retention and sharing (GDPR Art 25).
Key Insight
PbD = continuous technical + organizational controls; 'by default' means minimizing collection/retention/sharing, not a UI trick.
Common Mistakes
- Treating PbD as optional guidance instead of an Art 25 obligation under GDPR.
- Equating 'privacy by default' to a single hidden UI toggle instead of default-limited processing.
- Implementing PbD only at launch and skipping ongoing change management and reviews.
Encryption & Key Lifecycle (Compliance)
Cryptographic protection for data at rest, in transit, and in use, enforced by strict key‑lifecycle controls for legal/regulatory compliance.
Key Insight
Strong algorithms matter — but compliance fails without separate key management, rotation, access controls, HSMs and backup handling.
Common Mistakes
- Assuming encryption alone equals compliance; missing KMS, access controls, policies or audit trails.
- Treating TLS and at‑rest encryption as equivalent for insider/endpoint threats.
- Reusing keys long‑term or storing keys with ciphertext (hard‑coded or on same host).
Anonymization — Irreversible De‑identification
Transform or remove identifiers so re‑identification is not reasonably likely; choose methods to balance utility against re‑identification risk.
Key Insight
Anonymity is a risk threshold — quasi‑identifiers, linkage, and external datasets often defeat naive techniques.
Common Mistakes
- Believing stripping direct IDs alone achieves anonymity; quasi‑IDs can re‑identify.
- Treating hashing or encryption of identifiers as true anonymization.
- Assuming anonymized data is automatically outside privacy law or free to share.
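The quasi‑identifier and hashing points above (and the pseudonymization warnings in the Data Lifecycle and NIST Protect cards), worked as an added example. This is not code from the page or from IAPP material; the records, ZIP codes and the "3‑digit ZIP, 10‑year band" generalization rule are constructed assumptions.

```python
import hashlib
from collections import Counter

# Constructed sample: direct identifiers (name, email) already stripped, but the
# quasi-identifier combination (zip, birth_year, sex) still singles people out.
RECORDS = [
    {"zip": "94110", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "94110", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "94112", "birth_year": 1983, "sex": "M", "diagnosis": "asthma"},
    {"zip": "94112", "birth_year": 1981, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "94117", "birth_year": 1990, "sex": "F", "diagnosis": "asthma"},
    {"zip": "94117", "birth_year": 1992, "sex": "F", "diagnosis": "migraine"},
]
QUASI_IDS = ("zip", "birth_year", "sex")


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Group records by their quasi-identifier tuple."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """k = size of the smallest equivalence class; k == 1 means someone is unique."""
    return min(equivalence_classes(records, quasi_ids).values())


def singletons(records, quasi_ids=QUASI_IDS):
    """Quasi-identifier combinations that match exactly one record."""
    return [combo for combo, n in equivalence_classes(records, quasi_ids).items() if n == 1]


def generalize(records):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and a 10-year birth band (assumed rule)."""
    out = []
    for r in records:
        decade = (r["birth_year"] // 10) * 10
        out.append(dict(r, zip=r["zip"][:3] + "**", birth_year=f"{decade}-{decade + 9}"))
    return out


def pseudonymize(value) -> str:
    """Unkeyed SHA-256 of a low-entropy field: looks opaque, is not anonymous."""
    return hashlib.sha256(str(value).encode()).hexdigest()


def reverse_hashed_year(digest: str, years=range(1900, 2025)):
    """Dictionary attack: the input space is tiny, so the hash maps straight back."""
    table = {pseudonymize(y): y for y in years}
    return table.get(digest)
```

On the sample data k_anonymity(RECORDS) is 1 with four unique quasi‑identifier combinations even though no name or email is present; after generalize() every class has at least two members (k = 2), at the cost of coarser ZIP and birth data. The last two functions show why a hashed identifier is pseudonymous at best: any value drawn from a small set can be recovered by hashing the whole set.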
Privacy Program Operational Life Cycle: Sustaining Program Performance (10% of exam)
Privacy Metric Blueprint
Precise, auditable metric definitions (formula, source, owner, frequency, baseline) for oversight.
Key Insight
A metric is only useful if it has a numeric formula, source, owner, cadence and normalization.
Common Mistakes
- Labeling any available data point a 'metric' without formula, owner or source.
- Using raw counts as proof of health without normalization or baselines.
- Assuming quantitative metrics are inherently objective and replace qualitative evidence.
Privacy Dashboards & Compliance Indicators
Validated dashboards and indicators to monitor controls, surface risk, and trigger remediation.
Key Insight
Dashboards are signals, not proof — validate sources, show severity, coverage and remediation status.
Common Mistakes
- Believing a visible dashboard equals compliance without validation or remediation.
- Interpreting strong indicator values as low risk while ignoring coverage and data quality gaps.
- Relying on incident counts alone without severity, recurrence, or remediation context.
Program Assurance — Internal & External Audits
Independent audits that verify governance, segregation of duties, and alignment of monitoring, evidence, and metrics.
Key Insight
True independence = separate reporting line + rotation/conflict rules + no consulting-to-audit crossovers; evidence must trace to controls.
Common Mistakes
- Assuming internal auditors are independent solely because they're a different department.
- Believing placing audit under the C‑suite guarantees impartial reporting.
- Using the same firm for consulting and audit — ignores familiarity and independence threats.
Monitoring vs Audit — Operational Oversight
Continuous monitoring detects operational drift; independent audits provide periodic, point-in-time assurance and verify
Key Insight
Monitoring surfaces trends/anomalies for fast remediation; audits validate control design, sampling, evidence integrity, and governance.
Common Mistakes
- Treating monitoring as a full substitute for independent audits.
- Using raw monitoring outputs as audit evidence without validating tool integrity.
- Relying on metrics alone — skipping interpretation, root cause analysis, and remediation.
Continuous Privacy Monitoring — DLP/SIEM/CASB/UEBA
Automated telemetry (DLP, SIEM, CASB, UEBA) to detect privacy risks, measure control effectiveness, and trigger remediation.
Key Insight
Alerts ≠ incidents — tune rules, correlate signals across tools, and preserve telemetry with chain-of-custody and retention for investigations.
Common Mistakes
- Treating every automated alert as a confirmed incident.
- Relying on DLP alone to prevent all data exfiltration.
- Assuming telemetry is admissible evidence without retention/integrity or chain-of-custody controls.
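The "alerts ≠ incidents" point above as an added example, not code from the page or from any vendor tool: a DLP pattern hit is first validated (a Luhn check drops 16‑digit runs that are not card numbers), then escalated to an incident only when a second tool corroborates it for the same user within a window. The telemetry records, the 15‑minute window and the 0.8 UEBA threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Candidate card numbers: 13-16 digits with optional single space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Correlation window and UEBA score threshold are assumed tuning values.
WINDOW = timedelta(minutes=15)
UEBA_THRESHOLD = 0.8

# Constructed telemetry from three tools; timestamps are naive ISO-8601 strings.
EVENTS = [
    {"tool": "dlp", "user": "alice", "ts": "2024-05-02T13:58:00",
     "text": "invoice ref 1234567890123456 attached"},            # 16 digits, fails Luhn
    {"tool": "dlp", "user": "bob", "ts": "2024-05-02T14:00:00",
     "text": "card 4111 1111 1111 1111 exp 12/26"},               # valid test PAN
    {"tool": "casb", "user": "bob", "ts": "2024-05-02T14:03:00",
     "event": "upload", "app": "personal-drive", "sanctioned": False},
    {"tool": "ueba", "user": "bob", "ts": "2024-05-02T14:04:00",
     "event": "off_hours_bulk_download", "score": 0.9},
    {"tool": "dlp", "user": "carol", "ts": "2024-05-02T15:10:00",
     "text": "card 4111 1111 1111 1111 for refund"},              # valid PAN, sanctioned use
    {"tool": "casb", "user": "carol", "ts": "2024-05-02T15:12:00",
     "event": "upload", "app": "corp-sharepoint", "sanctioned": True},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit runs that look like PANs *and* pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def _corroborates(other: dict) -> bool:
    """Second-tool signal strong enough to escalate a validated DLP alert."""
    if other["tool"] == "casb":
        return not other["sanctioned"]
    if other["tool"] == "ueba":
        return other["score"] >= UEBA_THRESHOLD
    return False


def correlate(events: list) -> dict:
    """Validate DLP hits, then escalate only those corroborated by another tool."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    discarded, alerts, incidents = [], [], []
    for e in events:
        if e["tool"] != "dlp":
            continue
        if not find_pans(e["text"]):
            discarded.append(e["user"])          # pattern hit but Luhn failed: noise
            continue
        alerts.append(e["user"])
        others = [o for o in events
                  if o["tool"] != "dlp" and o["user"] == e["user"]
                  and abs(ts(o) - ts(e)) <= WINDOW and _corroborates(o)]
        if others:
            incidents.append({"user": e["user"],
                              "signals": sorted({"dlp"} | {o["tool"] for o in others})})
    return {"discarded": discarded, "alerts": alerts, "incidents": incidents}
```

Three DLP hits go in; one is discarded as a false positive, two become alerts, and only bob's (unsanctioned upload plus a UEBA anomaly within the window) becomes an incident. Carol's upload to a sanctioned store stays an alert for review, which is the triage step the card says monitoring cannot skip.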
Privacy Program Lifecycle — Assess • Protect • Sustain
Iterative framework: assess risks, implement Protect/Sustain controls, measure performance, optimize, and respond to fit
Key Insight
The lifecycle is iterative: continuous assessment informs targeted controls, metrics, training, and post-incident root-cause improvements.
Common Mistakes
- Treating the lifecycle as linear and one-time.
- Limiting Protect to technical controls; skipping governance, policies, and training.
- Interpreting Optimize as only cost-cutting rather than improving effectiveness/efficiency.
Privacy Program Operational Life Cycle: Responding to Requests and Incidents (23% of exam)
GDPR Art.15 — Right of Access (Redaction & Safe‑Summaries)
Subject's right to access personal data; redaction, safe‑summaries, or lawful refusal allowed with documented rationale.
Key Insight
Access is not absolute — apply redaction or safe‑summaries and record the legal balancing test and decision.
Common Mistakes
- Assuming access equals entitlement to all unredacted original records.
- Treating redaction as only a technical edit; skipping legal balancing and documentation.
- Believing third‑party consent is always required before any disclosure.
Right to be Forgotten — Erasure & Exceptions
Erase personal data on verified requests unless legal exceptions, retention obligations, or necessity prevent it.
Key Insight
Erasure isn't automatic — verify requester, reconcile retention holds/backups, and log lawful exceptions.
Common Mistakes
- Attempting immediate deletion of backups or immutable logs without assessing retention/legal holds.
- Complying before verifying identity or authorization.
- Assuming anonymized/aggregated data must be erased.
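The erasure rules above, together with the retention points in the Monitoring: Collection, Use & Retention and Data Lifecycle cards, as one added example. This is not code from the page or from IAPP material; the retention schedule, the "statutory" purpose, the inventory rows and the dates are constructed assumptions, not any jurisdiction's actual periods.

```python
from datetime import date, timedelta

# Constructed retention schedule keyed by *purpose*, not by system. Periods are
# illustrative assumptions, not a statement of any jurisdiction's rules.
RETENTION_DAYS = {
    "order_fulfilment": 365 * 7,   # modelled as a statutory bookkeeping period
    "marketing": 365 * 2,
    "support_ticket": 365,
}
# Purposes whose retention is imposed by law: an erasure request cannot cut them short.
STATUTORY = {"order_fulfilment"}

# Constructed inventory rows, one per (data subject, purpose). "hold" marks a legal hold.
RECORDS = [
    {"id": 1, "subject": "u1", "purpose": "marketing",        "collected": date(2021, 1, 10), "hold": False},
    {"id": 2, "subject": "u1", "purpose": "order_fulfilment", "collected": date(2022, 6, 1),  "hold": False},
    {"id": 3, "subject": "u2", "purpose": "support_ticket",   "collected": date(2022, 2, 1),  "hold": True},
    {"id": 4, "subject": "u2", "purpose": "marketing",        "collected": date(2023, 9, 15), "hold": False},
    {"id": 5, "subject": "u3", "purpose": "support_ticket",   "collected": date(2022, 11, 5), "hold": False},
]


def expiry(record: dict) -> date:
    """Retention end date follows from the purpose the data was collected for."""
    return record["collected"] + timedelta(days=RETENTION_DAYS[record["purpose"]])


def retention_scan(records: list, today: date) -> dict:
    """Monitoring view: what is overdue, what a hold keeps past expiry, and the exception rate."""
    past = [r for r in records if expiry(r) < today]
    overdue = [r["id"] for r in past if not r["hold"]]
    held = [r["id"] for r in past if r["hold"]]
    return {
        "overdue": overdue,
        "held_past_expiry": held,
        "exception_rate": round(len(past) / len(records), 2),
    }


def process_erasure(records: list, subject: str, identity_verified: bool, today: date) -> dict:
    """Per-record erasure decision: erase, or retain with a logged lawful exception."""
    if not identity_verified:
        return {"status": "rejected", "reason": "identity not verified", "erased": [], "exceptions": []}
    erased, exceptions = [], []
    for r in records:
        if r["subject"] != subject:
            continue
        if r["hold"]:
            exceptions.append((r["id"], "legal hold"))
        elif r["purpose"] in STATUTORY and expiry(r) > today:
            exceptions.append((r["id"], f"statutory retention until {expiry(r).isoformat()}"))
        else:
            erased.append(r["id"])
    return {"status": "completed", "erased": erased, "exceptions": exceptions}
```

Run against 2024‑06‑01 the scan reports two overdue records, one record kept past expiry by a legal hold, and an exception rate of 0.6; an erasure request for u1 erases the marketing record and logs the order record as a statutory‑retention exception instead of deleting it. Backups and downstream copies are deliberately outside this model; they need their own rule (for example, deletion on restore) rather than a single delete command.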
Contain → Remediate → Verify (Incident Cycle)
Stop spread, fix root cause, restore operations, and document verifiable evidence for legal/compliance.
Key Insight
Containment is immediate mitigation; remediation is long‑term fixes plus verification, cross‑functional sign‑off, and preserved evidence.
Common Mistakes
- Treating remediation as only patching or restores; ignoring root‑cause/systemic fixes.
- Assuming systems back online equals remediation complete; skipping verification and monitoring.
- Letting IT lead alone; excluding privacy, legal, business input and proper evidence preservation.
Incident Register — Tamper‑Proof Audit Trail
Centralized, access‑controlled ledger of all incidents, actions, notifications, evidence and retention for compliance.
Key Insight
Record suspected incidents and near‑misses; keep full timelines, evidence, access controls and legal retention—regulators expect auditable trails.
Common Mistakes
- Logging only confirmed breaches; omitting suspected incidents and near‑misses.
- Keeping only short summaries; not preserving timelines, communications, or evidence.
- Treating the register as informal—no access controls, audit trail, or adherence to retention schedules.
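One way to make the incident register above, and the audit trails in the Tamper‑Evident Audit Trails & Logs card, actually tamper‑evident: a hash chain in which each record's HMAC covers the record and the previous record's tag, so an edit, a deleted record or a reordering fails verification. Added example, not code from the page or from IAPP material; the signing key, the register entries and the timestamps are constructed assumptions.

```python
from __future__ import annotations

import copy
import hashlib
import hmac
import json

# Hypothetical MAC key. In practice it lives in a KMS/HSM that the people who can
# write to the register cannot read: whoever holds it can re-sign a forged chain.
SIGNING_KEY = b"example-register-key-not-for-production"
GENESIS = "0" * 64


def _canonical(body: dict) -> bytes:
    """Stable serialisation so an entry always authenticates the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(body: dict) -> str:
    return hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()


def append_entry(chain: list, ts: str, actor: str, action: str, details: dict) -> dict:
    """Append a record whose tag covers the record and the previous record's tag."""
    body = {
        "seq": len(chain),
        "ts": ts,
        "actor": actor,
        "action": action,
        "details": details,
        "prev": chain[-1]["tag"] if chain else GENESIS,
    }
    record = dict(body, tag=_tag(body))
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple[bool, int | None]:
    """Return (ok, index of first bad record). Catches edits, deletions and reordering."""
    prev = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_tag(body), record["tag"]):
            return False, i
        prev = record["tag"]
    return True, None


def build_sample_register() -> list:
    """Constructed register: a near-miss and a confirmed incident, suspected entries included."""
    chain: list = []
    append_entry(chain, "2024-05-01T09:00:00Z", "dlp", "alert_raised", {"id": "INC-1", "status": "suspected"})
    append_entry(chain, "2024-05-01T09:40:00Z", "j.doe", "triaged", {"id": "INC-1", "status": "near_miss"})
    append_entry(chain, "2024-05-02T14:05:00Z", "siem", "alert_raised", {"id": "INC-2", "status": "suspected"})
    append_entry(chain, "2024-05-02T16:30:00Z", "privacy-office", "aware", {"id": "INC-2", "status": "confirmed"})
    append_entry(chain, "2024-05-04T10:00:00Z", "legal", "sa_notified", {"id": "INC-2", "within_72h": True})
    return chain


def tamper_results(chain: list) -> dict:
    """Run verify_chain against three tampered copies; the original is left untouched."""
    edited = copy.deepcopy(chain)
    edited[3]["details"]["status"] = "near_miss"      # quietly downgrade the incident
    deleted = copy.deepcopy(chain)
    del deleted[1]                                    # drop the triage record
    reordered = copy.deepcopy(chain)
    reordered[3], reordered[4] = reordered[4], reordered[3]
    return {
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "reordered": verify_chain(reordered),
    }
```

The chain proves integrity only relative to the key and the latest tag: anchor the newest tag somewhere the register's writers cannot change (a WORM store, a ticket, a signed e‑mail to audit) so that truncating the tail is also detectable, and keep the key out of reach of everyone with write access.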
DPIA — Data Protection Impact Assessment
Structured, risk‑based review for high‑risk processing; required to identify, mitigate, document and approve residual P/
Key Insight
DPIA is triggered by likelihood of high risk (not just special‑category data); it must be versioned, approved and updated post‑incident.
Common Mistakes
- Assuming DPIA is required only for special‑category data (it's risk‑based).
- Relying on a short checklist without documented rationale, risk scoring or residual risk.
- Implementing DPIA/policy changes without versioning, stakeholder review or formal sign‑off.
Breach Notifications: Roles, Timelines & Content
Who notifies whom, when, and what to include: controller/processor duties, timelines from awareness, and cross‑jurisdictional notification requirements.
Key Insight
Start the clock when the organisation becomes aware; notify only if the risk/harm threshold is met; multiple jurisdictions can create separate notices
Common Mistakes
- Thinking every security incident must be reported to the supervisory authority.
- Calculating deadlines from breach occurrence instead of from when the organisation became aware.
- Expecting to include a full forensic root‑cause in the initial notification.