Data protection Professionals certification comparison IAPP & PECB
Introduction
Many times, we get questions on the different learning and personal certification tracks for privacy, correction: “data protection”. And I’m sure there are a lot of education providers offering these courses.
While there are a bunch of certification tracks you can chase, the main question is the comparison between IAPP and PECB certification tracks for privacy and data protection professionals. Both are globally well respected and well known players on this market.
So I can imagine that a lot of training providers, delivering IAPP and PECB get the same questions…
For explanation of the acronyms, see end of article.
Acknowledgements
I want to thank the teams at PECB and IAPP for their cooperation to validate their respective part of the comparison.
Thank you:
- Tim Rama, Deputy CEO at PECB
- Marla Berry, Director, Training at IAPP
- Doug Forman, Director of Certification at IAPP
- Lindsay Hinkle, External Affairs Director at IAPP
Scope
It would take me a tremendous amount of time to list all other local or regional providers, but I would challenge you to collect and list them.
Feel free to send me the details on the data protection course you attended. I’ll collect and publish the references.
It would be a great resource to have a larger overview on privacy and data protection certification and education. But I can’t do that on my own.
This article focuses on education tracks for privacy and data protection professionals, or DPOs (ref. GDPR) that need a mix of expertise in legal, operational and business knowledge in their job.
IMPORTANT NOTE:
Some of the info referenced in this article is prone to changes, like marketing, exam fees, maintenance fees, certification maintenance requirements (like CPE or CPD). Therefore, I provide the source links as much as possible, allowing you to crosscheck the latest info.
Information is current as the date of publication and will be updated when possible.
Any feedback or suggestions are welcome to maximize the quality of this document by relevant updates or fixing inconsistencies.
Important notes
Certification and accreditation
Certified
First of all the term “certified” in CIPP/E, CIPM, CIPT, CDPO, … and other like Certified Lead Implementer, Certified Lead auditor, are titles recognized by their respective vendor.
Certainly for CDPO, there is some confusion because “certified” DPO, in this context means “PECB certified” DPO.
It’s a commercial title, that is offered by PECB. (Some other data protection course vendors also name their course CDPO or similar).
To be clear: the title “Certified Data Protection Officer” is not an official EU certification or accreditation, meaning recognized by an official ISO Accreditation body or the EU (like EC, EDPB, …)
As explained in next paragraph, the GDPR does NOT provide in personal (DPO) certification.
Accredited
You can certify for various courses and exams and earn the respective title, bound to certain conditions. That’s what the document below is about to explain for data protection and privacy professional certifications.
But if you are certified professional, that does not mean you’re accredited. For the scope of this document is less important. But for example as ISO27001 or PIMS auditor it is important to know the difference:
- A certified (lead) auditor has passed the technical requirements incl. exam and/or professional experience (eg. proven track record for audits)
- An accredited (lead) auditor has been accepted to work as auditor by an accreditation or assessment body and is allowed to perform ISMS or PIMS audits. Certification is by default a requirement for accreditation as auditor.
ISO vs EU (EDPB)
Although that you’ll find 2 articles in the GDPR (Art. 42 and Art. 43.) on certification and accreditation, you should know that
- The GDPR does NOT provide in certification of persons (like DPO)
- Currently (as of Feb 2020), there is no official GDPR certification track on European level yet, for the processing activities of data controllers and data processors. The program is in progress.
Therefore, the only official way of proving compliance with the GDPR, is currently sourced from the ISO27001 certification including the ISO27701 extension, tuned for GDPR. These are both auditable standards with ISO requirements definitions that can be officially audited.
Useful references
GDPR certification
- https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
- EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation – version adopted after public consultation
- EDPB Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679) – version adopted after public consultation
Comparison chart
See the table below for a quick comparison. Keep reading if you need a more detailed explanation and relevant online material.
|
PECB |
IAPP |
Title |
CDPO |
CIPP/E + CIPM (offered in the GDPR ready package) |
Course format |
In person Online (Self Study) |
In person Online (Self study) Live Online Training |
Technology part |
Separate = ISO27701 Foundation (2d) Lead Implementer (4d + exam) Lead Auditor (4d + exam) |
Separate = CIPT (2d + exam) |
Course level |
intermediate, prerequisite knowledge advised |
intermediate, prerequisite knowledge advised |
Advised prerequisites |
Legal (GPDR) ISO27001 Business experience |
Legal (GPDR) ISO27001 Business experience |
# Courses |
1 |
2 |
Total Days in course |
4 + exam |
4 (2x2d) + 2x exams |
Course material |
Slide notes print Online Access via KATE Exam Preparation Guide
|
CIPPE Course participant guide CIPPE sample questions CIPPE textbook CIPM course participant guide CIPM sample questions CIPM textbook |
Extra material (online) |
Yes (see below) |
Yes (see below) |
Membership included |
1st year |
1st year |
Course includes exam |
Yes |
Yes |
Additional study time advised for exam |
No (but certification requires professional experience) |
Yes, 30hrs advised (ref. student guide) |
# Exams |
1 |
2 |
Retry incl. |
Yes (Free retry) |
No (Retry to pay) |
Exam Format |
Essay type (paper-based or online) |
Computer exam – Multiple choice |
# Exam questions |
10-12 |
CIPP/E: 90 CIPM: 90 CIPT: 90 |
Exam type |
In class (partner invigilator), or Via web (PECB invigilator) |
Exam Center (3rd party invigilator) |
Program Accreditation |
ISO 17024:2012 |
ANSI/ISO 17024:2012 |
Exam max. duration |
3H (180′) + extension for non-native language · Foundation: +10 minutes · Manager: +20 minutes · Lead: +30 minutes |
CIPP/E: 2.5 Hours CIPM: 2.5 Hours CIPT: 2.5 Hours |
Language |
English French German |
CIPP/E + CIPM English French German. |
Course planning |
PECB agenda, or Via partner delivery |
IAPP direct delivery, or IAPP partner delivery |
Training URL |
||
Equivalent exam accepted |
Yes, CIPP/E+CIPM are accepted to replace exam requirements. |
No |
Certification Experience requirements |
Yes, pass exam + Provisional DPO: none CDPO: 5y professional experience with 2y in Data protection DP project experience: 300h required |
No, pass exam only. |
Stand-alone Exam cost |
Depending on the PECB partner (€600-€800) |
$550 / first exam $375 2nd exam or retake |
Certification term |
3 years |
2 years |
Certification maintenance fee |
$100/ year + CPD |
$250/2-year term for all certifications |
Extra info
|
PECB |
IAPP |
Foundation/entry-level available |
Yes, GDPR Foundation (2 days + exam) No Experience requirements |
No |
Relevant extensions or other exams to complement course |
(Lead) Implementer ISO27701 (PIMS) ISO27001 (Information Security) ISO27002 (Info Sec Controls) ISO27005 (Risk Management) ISO27035 (Incident Management) Lead Auditor ISO27701 ISO27001 |
CIPT FIP designation (no course)
|
Step up to other tracks |
Yes, IAPP track |
Yes, CDPO. |
Company approach and purpose
Before you can compare and understand the courses, it’s important to understand the organizations behind these certifications.
General
Both PECB as IAPP are accredited by US institutions IAS and ANSI that are member of IAF.
About IAPP (non-profit)
Company
Source: https://iapp.org/about/mission-and-background/
“The IAPP is a not-for-profit association founded in 2000 with a mission to define, support and improve the privacy profession globally. We are committed to providing a forum for privacy professionals to share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals and provide education and guidance on opportunities in the field of information privacy.”
Relevant certifications
Important note: this is just a quick overview, we’ll discuss the content more in detail in a later part of this article.
The certifications that IAPP offers are
- Certified Information Privacy Professional (CIPP): the CIPP track is mainly about the legal content. “WHAT” is the regulation about? the CIPP track has multiple versions for different global regulations
- CIPP/E: Europe (GDPR)
- CIPP/US: Unites States private sector
- CIPP/C: Canada
- CIPP/A: Asia
- Certified Information Privacy Manager (CIPM): is focused on implementing and managing a privacy program. It’s not bound to the type of CIPP, as it provides a global approach to operationalizing privacy.
- Certified Information Privacy Technologist (CIPT): this course focusses on privacy technology, concepts and techniques including privacy engineering and “privacy by design” which or
On top of these certifications, IAPP also offers the title of “Privacy Law Specialist”, but that is out of scope of this discussion as this certification is targeted at lawyers.
About PECB (Commercial)
Source: https://pecb.com/en/about
“PECB is a certification body which provides education and certification under ISO/IEC 17024 for individuals on a wide range of disciplines.
We help professionals and organizations show commitment and competence by providing them with valuable education, evaluation and certification against rigorous internationally recognized standards. Our mission is to provide our clients with comprehensive services that inspire trust, continual improvement, demonstrate recognition, and benefit the society as a whole.“
PECB is comprised of
- Education and Certification of Individuals
- PECB University
- PECB Management Systems Certification
See also: https://pecb.com/en/values-of-pecb-certification
Relevant certifications to compare
To compare the relevant certifications, you should look at these PECB courses & exams
Additional training and certification in privacy and data protection:
- ISO/IEC 29100 Lead Privacy Implementer
- California Consumer Privacy Act (coming soon)
PECB is completing the requirements to become accredited by CNIL, which will be a major advantage for candidates in France.
Course Comparison
IAPP Courses
Relevant
- IAPP CIPPE: 2 days + exam (later, exam center)
- IAPP CIPM: 2 days + exam (later, exam center)
Optional
- IAPP CIPT: 2 days + exam (later)
PECB Courses
Relevant
- PECB: CDPO : 4 days + exam (onsite proctor or later)
- PECB: GDPR Foundation: 2 days with exam
- PECB: GDPR Introduction: 1 day training only
Optional
- ISO27701 Foundation: 2 days + exam
- ISO27701 Lead implementer: 4 days + exam
- ISO27701 Lead Auditor: 4 days + exam
Course Content
IAPP Course content
CIPP/E
Source: CIPP/E Body of Knowledge (https://iapp.org/media/pdf/certification/CIPP_E_BoK_1.2.1.pdf)
Topics
- Introduction to European Data Protection: Origins and Historical context, EU institutions, Legislative framework
- European Data Protection Law and Regulation: GDPR articles
- Compliance with European Data Protection Law and Regulation: Employment, Surveillance, Direct marketing, Internet technology & communications,
CIPM
Source: CIPM BOK (https://iapp.org/media/pdf/certification/CIPM_BOK_1.0.4_APPROVED.pdf)
Topics
- Privacy program governance: organization level, program framework development & implementation, metrics
- Privacy operational lifecycle: assessment, protect, sustain, respond,
CIPT
Source: CIPT BOK (https://iapp.org/media/pdf/certification/CIPT_BOK_v3.0.0.pdf)
Topics
- Foundation principles: risk models and frameworks, privacy by design, value sensitive design, data lifecycle
- Role of IT in privacy: fundamentals, information security, privacy responsibilities of IT professional,
- Privacy Threats and violations: data collection, use, dissemination, intrusion, software security,
- Technical measures: data oriented strategies, techniques, processes oriented strategies
- Privacy engineering
- Privacy by design,
- Technology challenges
PECB Course content
CDPO
Source:
Topics (V6)
- Day 1: Introduction to the GDPR concepts and principles
- GDPR, core considerations
- Day 2: Designation of the DPO and analysis of the GDPR Compliance Program
- Designation of DPO, analysis of GDPR compliance program, relation with top management, data protection policy, register, risk management
- Day 3: DPO operations
- DPIA, documentation management, evaluation of DP controls, technology, awareness & training
- Day 4: Monitoring and continual improvement of the GDPR compliance
- Incident management, monitoring, internal audit, treatment of non-conformities, continual improvement
Course Support – Extra Material
IAPP online support material
General
For each of the exams, you’ll discover:
- Key areas of programme knowledge
- Recommended exam preparation steps
- Sample questions
- General exam information
CIPP/E (Registration required)
CIPM
CIPT
- New 2020 CIPT Free Study Guide Available Soon.
PECB online support material
CDPO
- GDPR Exam Preparation Guide: https://pecb.com/pdf/exam-preparation-guides/pecb-certified-data-protection-officer-exam-preparation-guide.pdf
Exam Comparison
IAPP Exams
Number of exams
- CIPP/E: 1
- CIPM: 1
Also
- CIPT: 1
Type of exam
- Exam center, computer exam
Retry included
- no
PECB
Number of exams
- CDPO: 1
- GDPR Foundation: 1
Also
- ISO27701 Lead implementer: 1
- ISO27701 Lead Auditor: 1
Type of exam
- On-site after course (vendor invigilator)
- Online (PECB online invigilator)
Retry included
- Yes
Experience requirements
IAPP experience requirements
No Experience requirements
PECB Experience requirements
“The requirements for PECB Data Protection Certifications are:
Credential |
Exam |
Professional experience |
DPMS project experience |
Other requirements |
PECB Certified Provisional Data Protection Officer |
PECB Certified Data Protection Officer Exam |
None |
None |
Signing the PECB Code of Ethics |
PECB Certified Data Protection Officer |
PECB Certified Data Protection Officer Exam or equivalent |
Five years: Two years of work experience in Data Protection |
Data Protection activities: a total of 300 hours |
Signing the PECB Code of Ethics |
To be considered valid, these implementation activities should follow best implementation practices and include the following activities:
- Drafting a Data Protection plan
- Initiating a Data Protection implementation
- Implementing a Data Protection Policy
- Monitoring and managing a Data Protection implementation
- Performing continual improvement measures”
During the experience validation PECB requires to submit 2 references they will contact by mail/phone.
More info: https://pecb.com/en/pecb-certification-process
Certification Maintenance requirements
IAPP CPE
Source: https://iapp.org/certify/cpe/
Certificants are required to submit 20 CPEs per term, per credential.
More information: Check out the official IAPP CPE policy for all the details.
IAPP defines 1 CPE as “A continuing privacy education (CPE) credit is defined as a (usually) one-hour unit earned from participating in or attending any program, event, or forum, reading or writing any published written material, creating and administering a presentation, course of instruction, or other activity that relates to privacy and/or security“
PECB CPD
Source https://pecb.com/en/certification-maintenance
” PECB Certificates are valid for three years. In order to maintain a certificate, PECB Professionals are required to demonstrate that they are performing certification related activities on an annual basis. In addition to that, PECB Professionals are required to pay an Annual Maintenance Fee (AMF). “
CERTIFICATION |
Annual Requirements |
Total (hours) |
|
Experience/Education |
Experience/Education |
||
CDPO |
30 |
Hours of work experience related to the certification field, training, private study, coaching, attendance at seminars and conferences or other relevant activities. |
90 hours |
Maintenance fee
IAPP Fees
Source: https://iapp.org/certify/fees/: (quote) “
Fees |
Nonmember |
Member |
Certification Maintenance Fee (2-year term) |
$250 USD |
Included |
*A certification maintenance fee of $250 USD is due when you register for your first IAPP certification exam and then at the beginning of every certification term renewal to maintain your IAPP certification. One fee covers all IAPP certifications. For members, the certification maintenance fee is covered by the membership benefits.”
PECB Fees
Source:
- https://pecb.com/help/index.php/knowledgebase/annual-maintenance-fees-amf/
- https://pecb.com/en/certification-maintenance
AMF
- First year included in course
- Capped to first 5
- CDPO = $100.
Certification |
AMF |
Foundation, Provisional, and Transition |
None |
All other certifications |
$100 |
Master |
$200 |
Commercial channel
IAPP channel
IAPP uses a mixed channel to deliver their courses. You can book courses and exams (+ extra) via the IAPP website and member portal.
Alternatively you can book courses and exams via their partner channel.
PECB channel
PECB works with a partner channel exclusively. All courses and exams must be booked via an authorized partner.
Community
IAPP
Source: https://iapp.org/connect/
Public
- LinkedIn:
- Career central: https://iapp.org/connect/career-central/
- Official Training Partners: https://iapp.org/train/iapp-official-training-partners/
- …
For Members only
- Local chapters (KnowledgeNets): https://iapp.org/connect/communities/chapters/
- Privacy list: https://iapp.org/connect/privacy-list/
- Sections/communities of common interest: https://iapp.org/connect/communities/sections/
- Affinity groups: https://iapp.org/connect/communities/affinity-groups/
- …
PECB
Public:
- Authorized Partners: https://pecb.com/en/partner/active_partners
- LinkedIn: https://www.linkedin.com/company/1798225
- Best Practices for Privacy and Data Protection – ISO Standards, Privacy by Design, GDPR and NIST: https://www.linkedin.com/groups/13732060/
- GDPR Professionals: https://www.linkedin.com/groups/13561940/
For Members only:
- Professional Evaluation and Certification Board (PECB): https://www.linkedin.com/groups/1150487/
Hints & tips
ISO27001
There is no data protection without information security.
Both the IAPP CIPM and the PECB CDPO course refer to the principles of the ISO27001 standard. The ISO27001 and ISO27002 standards are professional added value for privacy and data protection professionals.
Conclusion
In short
(IAPP CIPP/E + IAPP CIPM) + experience = PECB CDPO
Focus & community
IAPP does privacy, only privacy, already for a long time. Due to that focus, IAPP does it very well.
It nurses a very competent privacy professional community and stays on the edge to stay relevant. With the strict focus on privacy.
PECB does mainly ISO, not only privacy, not only data protection or information security certification. It also does ISO9001 quality management, ISO 31000 risk management, ISO 37001 anti-bribery, ISO 22301 business continuity and many more.
PECB s working very hard to build community, but it’s an ISO mindset, more legacy business approach. So there is a long way to go for PECB in privacy field compared to IAPP. Their community covers a large scale of enterprise topics, way beyond data protection. A different and bigger world.
Certification
On the other hand, except for the 3 exams and the FIP designation, IAPP does not offer other certification tracks.
And IAPP does not validate experience when you apply for certification, so also a junior professional can obtain certification.
To obtain a PECB certification, they validate your professional experience (except for Foundation level). You need to submit a proven track record for experience.
Compatibility
The CIPP/E+CIPM, CDPO, ISO27701 and ISO27001 are highly compatible and provide added value, these are an easy entry to do more and grow.
But exactly that difference makes them both compatible and complementary.
The IAPP certifications are top notch and very much respected. They offer a perfect starting point to become professional and even expert in privacy and data protection.
Once you grow beyond that point, with a larger focus like information security, enterprise security, disaster recovery, incident management, cybersecurity, the PECB courses and exams offer the next step.
They are perfectly complementary, and it only depends on your starting point of your journey.
Your roadmap
You just need GDPR basics
- IAPP CIPP/E (2 days)
- PECB GDPR foundation (2 days)
DPO track
- IAPP CIPP/E (2 days) + CIPM (2 days)
- 2 exams (but no experience requirement)
- PECB CDPO (4 days)
- 1 exam + experience
Straight forward Certification as Data Protection Professional
- GDPR legislations: CIPP/E (2 days)
- Privacy program implementation and management: CIPM (2 days)
- Privacy technology CIPT (2 days)
The fast track to Certified DPO
- PECB CDPO course (4 days, 1 exam) + experience check
The economical CDPO track with limited experience
- First CIPP/E + CIPM
- Then request certification as PECB provisional DPO
- No need for the CDPO exam, but request certification based on the CIPP/E and CIPM exam.
- Extend your certification to PECB CDPO when you have built the required experience
The economical CDPO track with full experience
- First CIPP/E + CIPM
- Then request certification as PECB CDPO
References
ISO
- Free ISO standards (Download from: https://ffwd2.me/FreeISO)
- ISO29100: Privacy Framework
- ISO27701: Privacy Information Management System
- ISO27001: Information security Management System
- ISO27002: Information Security Guidance
- ISO27005: Risk management
- ISO27035: Incident Management
IAPP interesting links
- IAPP Resources (Tools, Research, Glossary, DPA, Career central ,…) : https://iapp.org/resources/
- IAPP Conferences: https://iapp.org/conferences/
- IAPP Faculty: https://iapp.org/about/faculty/
- IAPP web conferences (registration required) https://iapp.org/train/web-conferences/
PECB interesting links
- PECB Training catalogue 2020: https://pecb.com/pdf/catalogue/pecb-catalogue-2020.pdf
- PECB Webinars: https://pecb.com/en/webinars
- PECB university: https://pecb.com/en/university
- Transfer Your Certificate to PECB: https://pecb.com/pdf/brochures/transfer-your-certificate-to-pecb.pdf
Acronyms & Abbreviations
Acronym or Abbreviation |
Description |
AMF |
PECB Annual Maintenance Fee |
ANSI |
American National Standards Institute |
BOK |
Body of knowledge |
CDPO |
PECB Certified Data Protection Officer |
CIPP |
IAPP Certified Information Privacy Professional |
CIPM |
IAPP Certified Information Privacy Manager |
CIPT |
IAPP Certified Information Privacy Technologist |
CMF |
IAPP Certification Maintenance fee |
CPD |
Continued Professional Development |
CPE |
Continued Professional Education |
DP |
Data Protection |
DPIA |
Data Protection Impact Assessment |
DPO |
Data Protection Officer (GDPR) |
EC |
European Commission |
EDPB |
European Data Protection Board |
EU |
European Union |
IAPP |
International Association of Privacy Professionals |
IAS |
International Accreditation Service |
ISMS |
Information Security Management System (ISO 27001) |
ISO |
International Organization for Standardization |
PECB |
Professional Evaluation and Certification Board |
PIMS |
Privacy Information Management System (ISO27701) |
All Trademarks referred to are the property of their respective owners.
The rest of the work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.