Data protection professionals certification comparison: IAPP & PECB

Many times, we get questions on the different learning and personal certification tracks for privacy, correction: “data protection”. And I’m sure there are a lot of education providers offering these courses.

While there are a bunch of certification tracks you can chase, the main question is the comparison between the IAPP and PECB certification tracks for privacy and data protection professionals. Both are globally well-respected and well-known players in this market.

So I can imagine that a lot of training providers, delivering IAPP and PECB get the same questions…

For an explanation of the acronyms, see the end of the article.


I want to thank the teams at PECB and IAPP for their cooperation to validate their respective part of the comparison.

Thank you:

  • Tim Rama, Deputy CEO at PECB
  • Marla Berry, Director, Training at IAPP
  • Doug Forman, Director of Certification at IAPP
  • Lindsay Hinkle, External Affairs Director at IAPP


It would take me a tremendous amount of time to list all other local or regional providers, but I would challenge you to collect and list them.

Feel free to send me the details on the data protection course you attended. I’ll collect and publish the references. 

It would be a great resource to have a larger overview on privacy and data protection certification and education. But I can’t do that on my own.

This article focuses on education tracks for privacy and data protection professionals, or DPOs (ref. GDPR) that need a mix of expertise in legal, operational and business knowledge in their job.  


Some of the info referenced in this article is prone to changes, like marketing, exam fees, maintenance fees, certification maintenance requirements (like CPE or CPD). Therefore, I provide the source links as much as possible, allowing you to crosscheck the latest info.

Information is current as of the date of publication and will be updated when possible.

Any feedback or suggestions are welcome to maximize the quality of this document by relevant updates or fixing inconsistencies.

Important notes

Certification and accreditation


First of all, the term “certified” in CIPP/E, CIPM, CIPT, CDPO, … and others, like Certified Lead Implementer and Certified Lead Auditor, refers to titles recognized by their respective vendor.

For CDPO in particular, there is some confusion, because “certified” DPO in this context means “PECB certified” DPO.

It’s a commercial title offered by PECB. (Some other data protection course vendors also name their course CDPO or similar.)

To be clear: the title “Certified Data Protection Officer” is not an official EU certification or accreditation, meaning recognized by an official ISO Accreditation body or the EU (like EC, EDPB, …).

As explained in the next paragraph, the GDPR does NOT provide for certification of persons (such as the DPO).


You can certify for various courses and exams and earn the respective title, bound to certain conditions. That’s what the document below is about to explain for data protection and privacy professional certifications.

But being a certified professional does not mean you’re accredited. For the scope of this document, that is less important. But, for example, as an ISO27001 or PIMS auditor it is important to know the difference:

  • A certified (lead) auditor has passed the technical requirements, incl. exam and/or professional experience (e.g. a proven track record for audits).
  • An accredited (lead) auditor has been accepted to work as an auditor by an accreditation or assessment body and is allowed to perform ISMS or PIMS audits. Certification is by default a requirement for accreditation as an auditor.


Although you’ll find 2 articles in the GDPR (Art. 42 and Art. 43) on certification and accreditation, you should know that:

  • The GDPR does NOT provide for certification of persons (like the DPO).
  • Currently (as of Feb 2020), there is no official GDPR certification track at European level yet for the processing activities of data controllers and data processors. The program is in progress.

Therefore, the only official way of proving compliance with the GDPR is currently sourced from the ISO27001 certification including the ISO27701 extension, tuned for GDPR. These are both auditable standards with ISO requirements definitions that can be officially audited.

Useful references

GDPR certification

Comparison chart

See the table below for a quick comparison. Keep reading if you need a more detailed explanation and relevant online material.







(offered in the GDPR ready package)

Course format

  • PECB: In person; Online (self study)
  • IAPP: In person; Online (self study); Live online training

Technology part

  • PECB: ISO27701
    • Foundation (2d)
    • Lead Implementer (4d + exam)
    • Lead Auditor (4d + exam)
  • IAPP: CIPT (2d + exam)

Course level

  • PECB: prerequisite knowledge advised
  • IAPP: prerequisite knowledge advised

Advised prerequisites

  • PECB: Legal (GDPR); Business experience
  • IAPP: Legal (GDPR); Business experience

Number of courses

Total days in course

  • PECB: 4 + exam
  • IAPP: 4 (2x2d) + 2x exams

Course material

  • PECB
    • Slide notes print
    • Online access via KATE
    • Exam Preparation Guide
  • IAPP
    • CIPP/E course participant guide
    • CIPP/E sample questions
    • CIPP/E textbook
    • CIPM course participant guide
    • CIPM sample questions
    • CIPM textbook

Extra material (online)

  • PECB: Yes (see below)
  • IAPP: Yes (see below)

Membership included

  • PECB: 1st year
  • IAPP: 1st year

Course includes exam

Additional study time advised for exam

  • PECB: (but certification requires professional experience)
  • IAPP: Yes, 30hrs advised (ref. student guide)

Number of exams

Retry incl.

  • PECB: Yes (free retry)
  • IAPP: No (retry to pay)

Exam format

  • PECB: Essay type (paper-based or online)
  • IAPP: Computer exam, multiple choice

Number of exam questions

  • IAPP: CIPP/E: 90; CIPM: 90; CIPT: 90

Exam type

  • PECB: In class (partner invigilator), or via web (PECB invigilator)
  • IAPP: Exam center (3rd party invigilator)

Program accreditation

  • PECB: ISO 17024:2012
  • IAPP: ANSI/ISO 17024:2012

Exam max. duration

  • PECB: 3H (180′) + extension for non-native language
    • Foundation: +10 minutes
    • Manager: +20 minutes
    • Lead: +30 minutes
  • IAPP
    • CIPP/E: 2.5 hours
    • CIPM: 2.5 hours
    • CIPT: 2.5 hours

Course planning

  • PECB: PECB agenda, or via partner delivery
  • IAPP: IAPP direct delivery, or IAPP partner delivery

Training URL

Equivalent exam accepted

  • PECB: Yes, CIPP/E+CIPM are accepted to replace exam requirements.

Experience requirements

  • PECB: Yes, pass exam +
    • Provisional DPO: none
    • 5y professional experience with 2y in Data protection
    • DP project experience: 300h required
  • IAPP: No, pass exam only.

Stand-alone exam cost

  • PECB: Depending on the PECB partner
  • IAPP: $550 / first exam; $375 2nd exam or retake

Certification term

  • PECB: 3 years
  • IAPP: 2 years

Certification maintenance fee

  • PECB: $100/year + CPD
  • IAPP: $250/2-year term for all certifications

Extra info

Foundation/entry-level available

  • PECB: Yes, GDPR Foundation (2 days + exam)
  • No Experience requirements

Relevant extensions or other exams to complement course

  • PECB
    • (Lead) Implementer
      • ISO27701 (PIMS)
      • ISO27001 (Information Security)
      • ISO27002 (Info Sec Controls)
      • ISO27005 (Risk Management)
      • ISO27035 (Incident Management)
    • Lead Auditor
  • IAPP: FIP designation (no course)

Step up to other tracks

  • PECB: Yes, IAPP track
  • IAPP: Yes, CDPO.

Company approach and purpose

Before you can compare and understand the courses, it’s important to understand the organizations behind these certifications.


Both PECB and IAPP are accredited by the US institutions IAS and ANSI, which are members of IAF.

About IAPP (non-profit)



“The IAPP is a not-for-profit association founded in 2000 with a mission to define, support and improve the privacy profession globally. We are committed to providing a forum for privacy professionals to share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals and provide education and guidance on opportunities in the field of information privacy.”

Relevant certifications

Important note: this is just a quick overview, we’ll discuss the content more in detail in a later part of this article.

The certifications that IAPP offers are

On top of these certifications, IAPP also offers the title of “Privacy Law Specialist”, but that is out of scope of this discussion as this certification is targeted at lawyers.

About PECB (Commercial)


PECB  is a certification body which provides education and certification under ISO/IEC 17024 for individuals on a wide range of disciplines.

We help professionals and organizations show commitment and competence by providing them with valuable education, evaluation and certification against rigorous internationally recognized standards. Our mission is to provide our clients with comprehensive services that inspire trust, continual improvement, demonstrate recognition, and benefit the society as a whole.

PECB is comprised of

  • Education and Certification of Individuals
  • PECB University
  • PECB Management Systems Certification

See also:

Relevant certifications to compare

To compare the relevant certifications, you should look at these PECB courses & exams

Additional training and certification in privacy and data protection:

PECB is completing the requirements to become accredited by CNIL, which will be a major advantage for candidates in France.

Course Comparison

IAPP Courses


  • IAPP CIPP/E: 2 days + exam (later, exam center)
  • IAPP CIPM: 2 days + exam (later, exam center)


  • IAPP CIPT: 2 days + exam (later)

PECB Courses


  • PECB: CDPO: 4 days + exam (onsite proctor or later)
  • PECB: GDPR Foundation: 2 days with exam
  • PECB: GDPR Introduction: 1 day training only


  • ISO27701 Foundation: 2 days + exam
  • ISO27701 Lead implementer: 4 days + exam
  • ISO27701 Lead Auditor: 4 days + exam

Course Content

IAPP Course content


Source: CIPP/E Body of Knowledge


  1. Introduction to European Data Protection: Origins and Historical context, EU institutions, Legislative framework
  2. European Data Protection Law and Regulation: GDPR articles
  3. Compliance with European Data Protection Law and Regulation: Employment, Surveillance, Direct marketing, Internet technology & communications


Source: CIPM BOK


  1. Privacy program governance: organization level, program framework development & implementation, metrics
  2. Privacy operational lifecycle: assessment, protect, sustain, respond


Source: CIPT BOK


  1. Foundation principles: risk models and frameworks, privacy by design, value sensitive design, data lifecycle
  2. Role of IT in privacy: fundamentals, information security, privacy responsibilities of IT professional
  3. Privacy threats and violations: data collection, use, dissemination, intrusion, software security
  4. Technical measures: data-oriented strategies, techniques, process-oriented strategies
  5. Privacy engineering
  6. Privacy by design
  7. Technology challenges

PECB Course content



Topics (V6)

  1. Day 1: Introduction to the GDPR concepts and principles
    • GDPR, core considerations
  2. Day 2: Designation of the DPO and analysis of the GDPR Compliance Program
    • Designation of DPO, analysis of GDPR compliance program, relation with top management, data protection policy, register, risk management
  3. Day 3: DPO operations
    • DPIA, documentation management, evaluation of DP controls, technology, awareness & training
  4. Day 4: Monitoring and continual improvement of the GDPR compliance
    • Incident management, monitoring, internal audit, treatment of non-conformities, continual improvement

Course Support – Extra Material

IAPP online support material


For each of the exams, you’ll discover:

  • Key areas of programme knowledge
  • Recommended exam preparation steps
  • Sample questions
  • General exam information

CIPP/E (Registration required)



  • New 2020 CIPT Free Study Guide Available Soon.

PECB online support material


Exam Comparison

IAPP Exams

Number of exams

  • CIPP/E: 1
  • CIPM: 1


  • CIPT: 1

Type of exam

  • Exam center, computer exam

Retry included

  • no


PECB Exams

Number of exams

  • CDPO: 1
  • GDPR Foundation: 1


  • ISO27701 Lead implementer: 1
  • ISO27701 Lead Auditor: 1

Type of exam

  • On-site after course (vendor invigilator)
  • Online (PECB online invigilator)

Retry included

  • Yes

Experience requirements

IAPP experience requirements

No Experience requirements

PECB Experience requirements


“The requirements for PECB Data Protection Certifications are:



  • PECB Certified Provisional Data Protection Officer
    • PECB Certified Data Protection Officer Exam
    • Other requirements: Signing the PECB Code of Ethics
  • PECB Certified Data Protection Officer
    • PECB Certified Data Protection Officer Exam or equivalent
    • Professional experience: Five years: Two years of work experience in Data Protection
    • DPMS project experience: Data Protection activities: a total of 300 hours
    • Other requirements: Signing the PECB Code of Ethics

To be considered valid, these implementation activities should follow best implementation practices and include the following activities:

  1. Drafting a Data Protection plan
  2. Initiating a Data Protection implementation
  3. Implementing a Data Protection Policy
  4. Monitoring and managing a Data Protection implementation
  5. Performing continual improvement measures”

During the experience validation, PECB requires you to submit 2 references, whom they will contact by mail or phone.

More info:

Certification Maintenance requirements



Certificants are required to submit 20 CPEs per term, per credential.

More information: Check out the official IAPP CPE policy for all the details.

IAPP defines 1 CPE as “A continuing privacy education (CPE) credit is defined as a (usually) one-hour unit earned from participating in or attending any program, event, or forum, reading or writing any published written material, creating and administering a presentation, course of instruction, or other activity that relates to privacy and/or security



“PECB Certificates are valid for three years. In order to maintain a certificate, PECB Professionals are required to demonstrate that they are performing certification related activities on an annual basis. In addition to that, PECB Professionals are required to pay an Annual Maintenance Fee (AMF).”


Annual Requirements

 Total (hours)





Hours of work experience related to the certification field, training, private study, coaching, attendance at seminars and conferences or other relevant activities.

90 hours



Maintenance fee


Source: (quote) “




Certification Maintenance Fee (2-year term)

$250 USD


*A certification maintenance fee of $250 USD is due when you register for your first IAPP certification exam and then at the beginning of every certification term renewal to maintain your IAPP certification. One fee covers all IAPP certifications. For members, the certification maintenance fee is covered by the membership benefits.”




  • First year included in course
  • Capped to first 5
  • CDPO = $100.


(rate per year)

Foundation, Provisional, and Transition


All other certifications




Commercial channel

IAPP channel

IAPP uses a mixed channel to deliver their courses. You can book courses and exams (+ extra) via the IAPP website and member portal.

Alternatively you can book courses and exams via their partner channel.

PECB channel

PECB works with a partner channel exclusively. All courses and exams must be booked via an authorized partner.





For Members only



For Members only:

Hints & tips


There is no data protection without information security.

Both the IAPP CIPM and the PECB CDPO course refer to the principles of the ISO27001 standard. The ISO27001 and ISO27002 standards are professional added value for privacy and data protection professionals. 


In short

(IAPP CIPP/E + IAPP CIPM) + experience = PECB CDPO

Focus & community

IAPP has been doing privacy, and only privacy, for a long time. Due to that focus, IAPP does it very well.
It nurtures a very competent privacy professional community and stays on the edge to remain relevant, with a strict focus on privacy.

PECB does mainly ISO: not only privacy, data protection or information security certification. It also does ISO9001 quality management, ISO 31000 risk management, ISO 37001 anti-bribery, ISO 22301 business continuity and many more.

PECB is working very hard to build a community, but it has an ISO mindset, a more legacy business approach. So there is a long way to go for PECB in the privacy field compared to IAPP. Their community covers a wide range of enterprise topics, way beyond data protection. A different and bigger world.


On the other hand, except for the 3 exams and the FIP designation, IAPP does not offer other certification tracks.

And IAPP does not validate experience when you apply for certification, so also a junior professional can obtain certification.

To obtain a PECB certification, they validate your professional experience (except for Foundation level). You need to submit a proven track record for experience.


The CIPP/E+CIPM, CDPO, ISO27701 and ISO27001 are highly compatible and provide added value. They are an easy entry point to do more and grow.

But exactly that difference makes them both compatible and complementary.

The IAPP certifications are top notch and very much respected. They offer a perfect starting point to become professional and even expert in privacy and data protection.

Once you grow beyond that point, with a larger focus like information security, enterprise security, disaster recovery, incident management, cybersecurity, the PECB courses and exams offer the next step.

They are perfectly complementary, and it only depends on the starting point of your journey.

Your roadmap

You just need GDPR basics

  • IAPP CIPP/E (2 days)
  • PECB GDPR foundation (2 days)

DPO track

  • IAPP CIPP/E (2 days) + CIPM (2 days)
    • 2 exams (but no experience requirement)
  • PECB CDPO (4 days)
    • 1 exam + experience

Straightforward certification as Data Protection Professional

  1. GDPR legislation: CIPP/E (2 days)
  2. Privacy program implementation and management: CIPM (2 days)
  3. Privacy technology: CIPT (2 days)

The fast track to Certified DPO

  • PECB CDPO course (4 days, 1 exam) + experience check

The economical CDPO track with limited experience

  1. First CIPP/E + CIPM
  2. Then request certification as PECB provisional DPO
    1. No need for the CDPO exam, but request certification based on the CIPP/E and CIPM exam.
  3. Extend your certification to PECB CDPO when you have built the required experience

The economical CDPO track with full experience

  1. First CIPP/E + CIPM
  2. Then request certification as PECB CDPO



  • Free ISO standards (Download from:
  • ISO29100: Privacy Framework
  • ISO27701: Privacy Information Management System
  • ISO27001: Information security Management System
  • ISO27002: Information Security Guidance
  • ISO27005: Risk management
  • ISO27035: Incident Management

IAPP interesting links

PECB interesting links

Acronyms & Abbreviations

  • AMF: PECB Annual Maintenance Fee
  • ANSI: American National Standards Institute
  • BOK: Body of knowledge
  • CDPO: PECB Certified Data Protection Officer
  • CIPP: IAPP Certified Information Privacy Professional
  • CIPM: IAPP Certified Information Privacy Manager
  • CIPT: IAPP Certified Information Privacy Technologist
  • IAPP Certification Maintenance fee
  • CPD: Continued Professional Development
  • CPE: Continued Professional Education
  • DP: Data Protection
  • DPIA: Data Protection Impact Assessment
  • DPO: Data Protection Officer (GDPR)
  • EC: European Commission
  • EDPB: European Data Protection Board
  • EU: European Union
  • IAPP: International Association of Privacy Professionals
  • IAS: International Accreditation Service
  • ISMS: Information Security Management System (ISO 27001)
  • ISO: International Organization for Standardization
  • PECB: Professional Evaluation and Certification Board
  • PIMS: Privacy Information Management System (ISO27701)

All Trademarks referred to are the property of their respective owners.

The rest of the work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.