Peter's Principles / By
Peter Geelen

Peter Geelen

Data protection Professionals certification comparison IAPP  & PECB

Download the full document here:
 

Introduction

Many times, we get questions on the different learning and personal certification tracks for privacy, correction: “data protection”. And I’m sure there are a lot of education providers offering these courses.

While there are a bunch of certification tracks you can chase, the main question is the comparison between IAPP and PECB certification tracks for privacy and data protection professionals.  Both are globally well respected and well known players on this market.

So I can imagine that a lot of training providers, delivering IAPP and PECB get the same questions…

For explanation of the acronyms, see end of article.

Acknowledgements

I want to thank the teams at PECB and IAPP for their cooperation to validate their respective part of the comparison.

Thank you:

  • Tim Rama, Deputy CEO at PECB
  • Marla Berry, Director, Training at IAPP
  • Doug Forman, Director of Certification at IAPP
  • Lindsay Hinkle, External Affairs Director at IAPP

Scope

It would take me a tremendous amount of time to list all other local or regional providers, but I would challenge you to collect and list them.

Feel free to send me the details on the data protection course you attended. I’ll collect and publish the references. 

It would be a great resource to have a larger overview on privacy and data protection certification and education. But I can’t do that on my own.

This article focuses on education tracks for privacy and data protection professionals, or DPOs (ref. GDPR) that need a mix of expertise in legal, operational and business knowledge in their job.  

IMPORTANT NOTE:

Some of the info referenced in this article is prone to changes, like marketing, exam fees, maintenance fees, certification maintenance requirements (like CPE or CPD). Therefore, I provide the source links as much as possible, allowing you to crosscheck the latest info.

Information is current as the date of publication and will be updated when possible.

Any feedback or suggestions are welcome to maximize the quality of this document by relevant updates or fixing inconsistencies.

Important notes

Certification and accreditation

Certified

First of all the term “certified” in CIPP/E, CIPM, CIPT, CDPO, … and other like Certified Lead Implementer, Certified Lead auditor, are titles recognized by their respective vendor.

Certainly for CDPO, there is some confusion because “certified” DPO, in this context means “PECB certified” DPO.

It’s a commercial title, that is offered by PECB. (Some other data protection course vendors also name their course CDPO or similar).

To be clear: the title “Certified Data Protection Officer” is not an official EU certification or accreditation, meaning recognized by an official ISO Accreditation body or the EU (like EC, EDPB, …)

As explained in next paragraph, the GDPR does NOT provide in personal (DPO) certification.

Accredited

You can certify for various courses and exams and earn the respective title, bound to certain conditions. That’s what the document below is about to explain for data protection and privacy professional certifications.

But if you are certified professional, that does not mean you’re accredited. For the scope of this document is less important.  But for example as ISO27001 or PIMS auditor it is important to know the difference:

  • certified (lead) auditor has passed the technical requirements incl. exam and/or professional experience (eg. proven track record for audits)
  • An accredited (lead) auditor has been accepted to work as auditor by an accreditation or assessment body and is allowed to perform ISMS or PIMS audits. Certification is by default a requirement for accreditation as auditor.

ISO vs EU (EDPB)

Although that you’ll find 2 articles in the GDPR (Art. 42 and Art. 43.) on certification and accreditation, you should know that

  • The GDPR does NOT provide in certification of persons (like DPO)
  • Currently (as of Feb 2020), there is no official GDPR certification track on European level yet, for the processing activities of data controllers and data processors. The program is in progress.

Therefore, the only official way of proving compliance with the GDPR, is currently sourced from the ISO27001 certification including the ISO27701 extension, tuned for GDPR. These are both auditable standards with ISO requirements definitions that can be officially audited.

Useful references

GDPR certification

Comparison chart

See the table below for a quick comparison. Keep reading if you need a more detailed explanation and relevant online material.

 

PECB

IAPP

Title

CDPO

CIPP/E + CIPM

(offered in the GDPR ready package)

Course format

In person

Online (Self Study)

In person

Online (Self study)

Live Online Training

Technology part

Separate

= ISO27701

Foundation (2d)

Lead Implementer (4d + exam)

Lead Auditor (4d + exam)

Separate

= CIPT (2d + exam)

Course level

intermediate,

prerequisite knowledge advised

intermediate,

prerequisite knowledge advised

Advised prerequisites

Legal (GPDR)

ISO27001

Business experience

Legal (GPDR)

ISO27001

Business experience

# Courses

1

2

Total Days in course

4 + exam

4 (2x2d) + 2x exams

Course material

Slide notes print

Online Access via KATE

Exam Preparation Guide

CIPPE Course participant guide

CIPPE sample questions

CIPPE textbook

CIPM course participant guide

CIPM sample questions

CIPM textbook

Extra material (online)

Yes (see below)

Yes (see below)

Membership included

1st year

1st year

Course includes exam

Yes

Yes

Additional study time advised for exam

No

(but certification requires professional experience)

Yes, 30hrs advised

(ref. student guide)

# Exams

1

2

Retry incl.

Yes (Free retry)

No (Retry to pay)

Exam Format

Essay type

(paper-based or online)

Computer exam –

Multiple choice

# Exam questions

10-12

CIPP/E: 90

CIPM: 90

CIPT: 90

Exam type

In class (partner invigilator), or

Via web (PECB invigilator)

Exam Center (3rd party invigilator)

Program Accreditation

ISO 17024:2012

ANSI/ISO 17024:2012

Exam max. duration

3H (180′)

+ extension for non-native language

·         Foundation: +10 minutes

·         Manager:  +20 minutes

·         Lead: +30 minutes

CIPP/E: 2.5 Hours

CIPM: 2.5 Hours

CIPT: 2.5 Hours

Language

English

French

German

CIPP/E + CIPM

English

French

German.

Course planning

PECB agenda, or

Via partner delivery

IAPP direct delivery, or

IAPP partner delivery

Training URL

https://pecb.com/en/partnerEvent/event_schedule_list

https://iapp.org/store/trainings/

Equivalent exam accepted

Yes, CIPP/E+CIPM are accepted to replace exam requirements.

No

Certification

Experience requirements

Yes, pass exam +

Provisional DPO: none

CDPO:

5y professional experience with 2y in Data protection

DP project experience: 300h required

No, pass exam only.

Stand-alone Exam cost

Depending on the PECB partner

(€600-€800)

$550 / first exam

$375 2nd exam or retake

Certification term

3 years

2 years

Certification maintenance fee

$100/ year + CPD

$250/2-year term for all certifications

Extra info

 

PECB

IAPP

Foundation/entry-level available

Yes, GDPR Foundation

(2 days + exam)

No Experience requirements

No

Relevant extensions or other exams to complement course

(Lead) Implementer

ISO27701 (PIMS)

ISO27001 (Information Security)

ISO27002 (Info Sec Controls)

ISO27005 (Risk Management)

ISO27035 (Incident Management)

Lead Auditor

ISO27701

ISO27001

CIPT

FIP designation (no course)

Step up to other tracks

Yes, IAPP track

Yes, CDPO.

Company approach and purpose

Before you can compare and understand the courses, it’s important to understand the organizations behind these certifications.

General

Both PECB as IAPP are accredited by US institutions IAS and ANSI that are member of IAF.

About IAPP (non-profit)

Company

Source: https://iapp.org/about/mission-and-background/

“The IAPP is a not-for-profit association founded in 2000 with a mission to define, support and improve the privacy profession globally. We are committed to providing a forum for privacy professionals to share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals and provide education and guidance on opportunities in the field of information privacy.”

Relevant certifications

Important note: this is just a quick overview, we’ll discuss the content more in detail in a later part of this article.

The certifications that IAPP offers are

On top of these certifications, IAPP also offers the title of “Privacy Law Specialist”, but that is out of scope of this discussion as this certification is targeted at lawyers.

About PECB (Commercial)

Source: https://pecb.com/en/about

PECB  is a certification body which provides education and certification under ISO/IEC 17024 for individuals on a wide range of disciplines.

We help professionals and organizations show commitment and competence by providing them with valuable education, evaluation and certification against rigorous internationally recognized standards. Our mission is to provide our clients with comprehensive services that inspire trust, continual improvement, demonstrate recognition, and benefit the society as a whole.

PECB is comprised of

  • Education and Certification of Individuals
  • PECB University
  • PECB Management Systems Certification

See also: https://pecb.com/en/values-of-pecb-certification

Relevant certifications to compare

To compare the relevant certifications, you should look at these PECB courses & exams

Additional training and certification in privacy and data protection:

PECB is completing the requirements to become accredited by CNIL, which will be a major advantage for candidates in France.

Course Comparison

IAPP Courses

Relevant

  • IAPP CIPPE: 2 days + exam (later, exam center)
  • IAPP CIPM: 2 days + exam (later, exam center)

Optional

  • IAPP CIPT: 2 days + exam (later)

PECB Courses

Relevant

  • PECB: CDPO : 4 days + exam (onsite proctor or later)
  • PECB: GDPR Foundation: 2 days with exam
  • PECB: GDPR Introduction: 1 day training only

Optional

  • ISO27701 Foundation: 2 days + exam
  • ISO27701 Lead implementer: 4 days + exam
  • ISO27701 Lead Auditor: 4 days + exam

Course Content

IAPP Course content

CIPP/E

Source: CIPP/E Body of Knowledge (https://iapp.org/media/pdf/certification/CIPP_E_BoK_1.2.1.pdf)

Topics

  1. Introduction to European Data Protection: Origins and Historical context, EU institutions, Legislative framework
  2. European Data Protection Law and Regulation: GDPR articles
  3. Compliance with European Data Protection Law and Regulation: Employment, Surveillance, Direct marketing, Internet technology & communications,

CIPM

Source: CIPM BOK (https://iapp.org/media/pdf/certification/CIPM_BOK_1.0.4_APPROVED.pdf)

Topics

  1. Privacy program governance: organization level, program framework development & implementation, metrics
  2. Privacy operational lifecycle: assessment, protect, sustain, respond,

CIPT

Source: CIPT BOK (https://iapp.org/media/pdf/certification/CIPT_BOK_v3.0.0.pdf)

Topics

  1. Foundation principles: risk models and frameworks, privacy by design, value sensitive design, data lifecycle
  2. Role of IT in privacy: fundamentals, information security, privacy responsibilities of IT professional,
  3. Privacy Threats and violations: data collection, use, dissemination, intrusion, software security,
  4. Technical measures: data oriented strategies, techniques, processes oriented strategies
  5. Privacy engineering
  6. Privacy by design,
  7. Technology challenges

PECB Course content

CDPO

Source:

Topics (V6)

  1. Day 1: Introduction to the GDPR concepts and principles
    • GDPR, core considerations
  2. Day 2: Designation of the DPO and analysis of the GDPR Compliance Program
    • Designation of DPO, analysis of GDPR compliance program, relation with top management, data protection policy, register, risk management
  3. Day 3: DPO operations
    • DPIA, documentation management, evaluation of DP controls, technology, awareness & training
  4. Day 4: Monitoring and continual improvement of the GDPR compliance
    • Incident management, monitoring, internal audit, treatment of non-conformities, continual improvement

Course Support – Extra Material

IAPP online support material

General

For each of the exams, you’ll discover:

  • Key areas of programme knowledge
  • Recommended exam preparation steps
  • Sample questions
  • General exam information

CIPP/E (Registration required)

CIPM

CIPT

  • New 2020 CIPT Free Study Guide Available Soon.

PECB online support material

CDPO

Exam Comparison

IAPP Exams

Number of exams

  • CIPP/E: 1
  • CIPM: 1

Also

  • CIPT: 1

Type of exam

  • Exam center, computer exam

Retry included

  • no

PECB

Number of exams

  • CDPO: 1
  • GDPR Foundation: 1

Also

  • ISO27701 Lead implementer: 1
  • ISO27701 Lead Auditor: 1

Type of exam

  • On-site after course (vendor invigilator)
  • Online (PECB online invigilator)

Retry included

  • Yes

Experience requirements

IAPP experience requirements

No Experience requirements

PECB Experience requirements

Source: https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified-data-protection-officer

“The requirements for PECB Data Protection Certifications are:

Credential

Exam

Professional experience

DPMS project experience

Other requirements

PECB Certified Provisional Data Protection Officer

PECB Certified Data Protection Officer Exam

None

None

Signing the PECB Code of Ethics

PECB Certified Data Protection Officer

PECB Certified Data Protection Officer Exam or equivalent

Five years: Two years of work experience in Data Protection

Data Protection activities: a total of 300 hours

Signing the PECB Code of Ethics

To be considered valid, these implementation activities should follow best implementation practices and include the following activities:

  1. Drafting a Data Protection plan
  2. Initiating a Data Protection implementation
  3. Implementing a Data Protection Policy
  4. Monitoring and managing a Data Protection implementation
  5. Performing continual improvement measures”

During the experience validation PECB requires to submit 2 references they will contact by mail/phone.

More info: https://pecb.com/en/pecb-certification-process

Certification Maintenance requirements

IAPP CPE

Source: https://iapp.org/certify/cpe/

Certificants are required to submit 20 CPEs per term, per credential.

More information: Check out the official IAPP CPE policy for all the details.

IAPP defines 1 CPE as “A continuing privacy education (CPE) credit is defined as a (usually) one-hour unit earned from participating in or attending any program, event, or forum, reading or writing any published written material, creating and administering a presentation, course of instruction, or other activity that relates to privacy and/or security

PECB CPD

Source https://pecb.com/en/certification-maintenance

” PECB Certificates are valid for three years. In order to maintain a certificate, PECB Professionals are required to demonstrate that they are performing certification related activities on an annual basis. In addition to that, PECB Professionals are required to pay an Annual Maintenance Fee (AMF).  “

CERTIFICATION

Annual Requirements

 Total (hours)

Experience/Education

Experience/Education

CDPO

30

Hours of work experience related to the certification field, training, private study, coaching, attendance at seminars and conferences or other relevant activities.

90 hours
       

 

Maintenance fee

IAPP Fees

Source: https://iapp.org/certify/fees/: (quote) “

Fees

 Nonmember

 Member

Certification Maintenance Fee (2-year term)

$250 USD

Included

*A certification maintenance fee of $250 USD is due when you register for your first IAPP certification exam and then at the beginning of every certification term renewal to maintain your IAPP certification. One fee covers all IAPP certifications. For members, the certification maintenance fee is covered by the membership benefits.”

PECB Fees

Source:

AMF

  • First year included in course
  • Capped to first 5
  • CDPO = $100.

Certification

AMF
(rate per year)

Foundation, Provisional, and Transition

None

All other certifications

$100

Master

$200

Commercial channel

IAPP channel

IAPP uses a mixed channel to deliver their courses. You can book courses and exams (+ extra) via the IAPP website and member portal.

Alternatively you can book courses and exams via their partner channel.

PECB channel

PECB works with a partner channel exclusively. All courses and exams must be booked via an authorized partner.

Community

IAPP

Source: https://iapp.org/connect/

Public

For Members only

PECB

Public:

For Members only:

Hints & tips

ISO27001

There is no data protection without information security.

Both the IAPP CIPM and the PECB CDPO course refer to the principles of the ISO27001 standard. The ISO27001 and ISO27002 standards are professional added value for privacy and data protection professionals. 

Conclusion

In short

(IAPP CIPP/E + IAPP CIPM) + experience = PECB CDPO

Focus & community

IAPP does privacy, only privacy, already for a long time. Due to that focus, IAPP does it very well.
It nurses a very competent privacy professional community and stays on the edge to stay relevant. With the strict focus on privacy.

PECB does mainly ISO, not only privacy, not only data protection or information security certification. It also does ISO9001 quality management, ISO 31000 risk management, ISO 37001 anti-bribery, ISO 22301 business continuity and many more.

PECB s working very hard to build community, but it’s an ISO mindset, more legacy business approach. So there is a long way to go for PECB in privacy field compared to IAPP. Their community covers a large scale of enterprise topics, way beyond data protection. A different and bigger world.

Certification

On the other hand, except for the 3 exams and the FIP designation, IAPP does not offer other certification tracks.

And IAPP does not validate experience when you apply for certification, so also a junior professional can obtain certification.

To obtain a PECB certification, they validate your professional experience (except for Foundation level). You need to submit a proven track record for experience.

Compatibility

The CIPP/E+CIPM, CDPO, ISO27701 and ISO27001 are highly compatible and provide added value, these are an easy entry to do more and grow.

But exactly that difference makes them both compatible and complementary.

The IAPP certifications are top notch and very much respected. They offer a perfect starting point to become professional and even expert in privacy and data protection.

Once you grow beyond that point, with a larger focus like information security, enterprise security, disaster recovery, incident management, cybersecurity, the PECB courses and exams offer the next step.

They are perfectly complementary, and it only depends on your starting point of your journey.

Your roadmap

You just need GDPR basics

  • IAPP CIPP/E (2 days)
  • PECB GDPR foundation (2 days)

DPO track

  • IAPP CIPP/E (2 days) + CIPM (2 days)
    • 2 exams (but no experience requirement)
  • PECB CDPO (4 days)
    • 1 exam + experience

Straight forward Certification as Data Protection Professional

  1. GDPR legislations: CIPP/E (2 days)
  2. Privacy program implementation and management: CIPM (2 days)
  3. Privacy technology CIPT (2 days)

The fast track to Certified DPO

  • PECB CDPO course (4 days, 1 exam) + experience check

The economical CDPO track with limited experience

  1. First CIPP/E + CIPM
  2. Then request certification as PECB provisional DPO
    1. No need for the CDPO exam, but request certification based on the CIPP/E and CIPM exam.
  3. Extend your certification to PECB CDPO when you have built the required experience

The economical CDPO track with full experience

  1. First CIPP/E + CIPM
  2. Then request certification as PECB CDPO

References

ISO

  • Free ISO standards (Download from: https://ffwd2.me/FreeISO)
  • ISO29100: Privacy Framework
  • ISO27701: Privacy Information Management System
  • ISO27001: Information security Management System
  • ISO27002: Information Security Guidance
  • ISO27005: Risk management
  • ISO27035: Incident Management

IAPP interesting links

PECB interesting links

Acronyms & Abbreviations

Acronym or Abbreviation

Description

AMF

PECB Annual Maintenance Fee

ANSI

American National Standards Institute

BOK

Body of knowledge

CDPO

PECB Certified Data Protection Officer

CIPP

IAPP Certified Information Privacy Professional

CIPM

IAPP Certified Information Privacy Manager

CIPT

IAPP Certified Information Privacy Technologist

CMF

IAPP Certification Maintenance fee

CPD

Continued Professional Development

CPE

Continued Professional Education

DP

Data Protection

DPIA

Data Protection Impact Assessment

DPO

Data Protection Officer (GDPR)

EC

European Commission

EDPB

European Data Protection Board

EU

European Union

IAPP

International Association of Privacy Professionals

IAS

International Accreditation Service

ISMS

Information Security Management System (ISO 27001)

ISO

International Organization for Standardization

PECB

Professional Evaluation and Certification Board

PIMS

Privacy Information Management System (ISO27701)

All Trademarks referred to are the property of their respective owners.

The rest of the work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.