CDPSE
Coming Soon
Expected availability announced soon
This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
CDPSE
The ISACA Certified Data Privacy Solutions Engineer (CDPSE) exam validates expertise in privacy governance, risk management, data lifecycle, and engineering, enabling professionals to design compliant, secure data solutions across jurisdictions.
210
Minutes
120
Questions
450/800
Passing Score
${'member': 575, 'non_member': 760}
Exam Cost
Who Should Take This
It is intended for privacy engineers, security architects, or compliance analysts who have at least three years of hands‑on experience implementing privacy controls in enterprise environments. These professionals seek to deepen their technical knowledge of multi‑jurisdictional regulations and to demonstrate the ability to embed privacy by design into complex systems.
What's Covered
1
All domains and objectives in the ISACA Certified Data Privacy Solutions Engineer (CDPSE) exam: Domain 1 Privacy Governance
2
, Domain 2 Privacy Risk Management and Compliance
3
, Domain 3 Data Life Cycle Management
4
, and Domain 4 Privacy Engineering
What's Included in AccelaStudy® AI
Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats
Course Outline
52 learning goals
1
Domain 1: Privacy Governance
2 topics
Privacy governance framework
- Apply privacy governance frameworks to establish organizational structures including privacy officer roles, privacy committees, and accountability mechanisms.
- Analyze global privacy regulations including GDPR, CCPA/CPRA, LGPD, and PIPEDA to determine organizational compliance obligations and implementation requirements.
- Design privacy policies and standards that address data collection, processing, storage, sharing, and deletion requirements across applicable regulatory jurisdictions.
- Evaluate privacy governance maturity models to benchmark organizational privacy capabilities against industry peers and regulatory expectations.
Privacy program management
- Apply privacy program management practices to coordinate privacy initiatives, track compliance milestones, and measure program effectiveness through metrics.
- Evaluate privacy training and awareness programs to assess their effectiveness in building a privacy-conscious organizational culture.
- Analyze cross-border data transfer mechanisms including standard contractual clauses, binding corporate rules, and adequacy decisions to ensure lawful international data flows.
- Design privacy-by-default configurations that ensure the most privacy-protective settings are applied automatically across organizational systems.
2
Domain 2: Privacy Risk Management and Compliance
3 topics
Privacy risk assessment
- Apply privacy impact assessment (PIA) methodologies to identify and evaluate privacy risks in new and existing systems, processes, and data flows.
- Analyze data protection impact assessments (DPIAs) to evaluate high-risk processing activities and determine necessary safeguards and mitigating controls.
- Evaluate vendor and third-party privacy risks by assessing data processing agreements, sub-processor chains, and compliance certifications.
- Apply privacy risk treatment frameworks to develop mitigation plans that balance data utility requirements with regulatory compliance and individual rights.
Privacy compliance and incident management
- Apply compliance monitoring mechanisms to verify ongoing adherence to privacy regulations and organizational privacy policies across data processing activities.
- Implement privacy breach detection, notification, and response procedures that meet regulatory timelines and documentation requirements.
- Design privacy risk treatment strategies that balance data utility, regulatory compliance, and individual rights protection through appropriate technical and organizational measures.
- Evaluate privacy incident investigation processes to assess root cause analysis, impact quantification, and regulatory notification decision-making adequacy.
Privacy audit and assurance
- Apply privacy audit methodologies to evaluate organizational privacy controls, data processing practices, and regulatory compliance posture.
- Evaluate privacy certification frameworks including ISO 27701, SOC 2 Privacy, and TrustArc certifications for organizational applicability.
- Design privacy metrics and reporting frameworks that measure privacy program effectiveness and demonstrate compliance to regulators and stakeholders.
3
Domain 3: Data Life Cycle Management
3 topics
Data inventory and classification
- Implement data inventory and mapping processes to identify personal data flows across systems, jurisdictions, and third-party processors.
- Apply data classification schemes to categorize personal data by sensitivity, regulatory requirements, and processing purposes for appropriate protection levels.
- Evaluate data quality management practices to ensure personal data accuracy, completeness, and currency requirements are maintained throughout the lifecycle.
- Apply records of processing activities (ROPA) management to document all personal data processing activities with legal bases, purposes, and retention periods.
Data collection and processing
- Apply data minimization principles to limit personal data collection to what is necessary for specified, explicit, and legitimate processing purposes.
- Implement consent management mechanisms that capture, store, and enforce data subject consent preferences across processing activities and systems.
- Analyze purpose limitation requirements to evaluate whether data processing activities remain within the scope of originally collected consent and legal bases.
- Evaluate legitimate interest assessments to determine whether non-consent legal bases for data processing are properly documented and balanced.
Data retention and disposal
- Design data retention policies that define storage periods based on legal requirements, business needs, and data subject expectations for different data categories.
- Implement secure data destruction procedures including cryptographic erasure, physical destruction, and verification mechanisms for complete data removal.
- Evaluate data archiving strategies to balance regulatory retention requirements with privacy principles of storage limitation and data minimization.
- Apply data backup privacy controls to ensure personal data in backups is subject to the same retention limits, access controls, and deletion requirements as primary data.
4
Domain 4: Privacy Engineering
5 topics
Privacy by design and architecture
- Apply privacy-by-design principles to embed privacy protections into system architecture, development processes, and operational procedures from inception.
- Design privacy architecture patterns including data isolation, purpose-based access control, and privacy-preserving data sharing for distributed systems.
- Evaluate privacy requirements in cloud architectures including data residency, multi-tenancy isolation, and processor vs. controller responsibilities.
- Apply privacy engineering patterns for microservices architectures including API privacy gateways, data mesh privacy, and event-driven consent propagation.
Privacy-enhancing technologies
- Implement anonymization techniques including k-anonymity, l-diversity, t-closeness, and differential privacy to de-identify personal data while preserving analytical utility.
- Apply pseudonymization techniques including tokenization, data masking, and format-preserving encryption to reduce re-identification risk in data processing.
- Evaluate privacy-preserving computation methods including homomorphic encryption, secure multi-party computation, and federated learning for privacy-safe analytics.
- Recommend privacy technology solutions by comparing anonymization effectiveness, performance impact, and re-identification risk for specific data processing scenarios.
- Evaluate re-identification risk assessment methods to determine the effectiveness of anonymization techniques against linkage attacks and auxiliary data.
Data subject rights implementation
- Implement data subject access request (DSAR) fulfillment systems that automate identity verification, data retrieval, and response within regulatory timelines.
- Apply right to erasure implementation procedures including cascading deletion across systems, backup handling, and verification of complete data removal.
- Implement data portability mechanisms that export personal data in structured, commonly used, and machine-readable formats for data subject transfer requests.
- Design automated decision-making transparency mechanisms that provide meaningful explanations and enable human review for profiling-based processing activities.
- Evaluate data subject rights management platforms to assess scalability, automation capability, and cross-system integration for high-volume DSAR processing.
Infrastructure and platform privacy
- Apply encryption strategies for privacy including end-to-end encryption, at-rest encryption, and key management practices that protect personal data across infrastructure layers.
- Evaluate network and communication privacy controls including secure transmission protocols, VPN configurations, and DNS privacy mechanisms.
- Implement logging and monitoring controls that balance security visibility needs with privacy requirements including data minimization in log collection.
- Design privacy-aware identity management systems that minimize personal data collection in authentication while maintaining security and fraud prevention capabilities.
AI and emerging technology privacy
- Evaluate privacy risks in AI and machine learning systems including training data bias, model memorization, inference attacks, and automated profiling.
- Apply privacy-preserving AI techniques including federated learning, differential privacy in model training, and synthetic data generation for privacy-safe analytics.
- Design privacy controls for IoT ecosystems including device data collection minimization, edge computing privacy, and connected device consent management.
Scope
Included Topics
- All domains and objectives in the ISACA Certified Data Privacy Solutions Engineer (CDPSE) exam: Domain 1 Privacy Governance (20%), Domain 2 Privacy Risk Management and Compliance (18%), Domain 3 Data Life Cycle Management (23%), and Domain 4 Privacy Engineering (39%).
- Professional-level data privacy engineering including privacy-by-design, privacy impact assessments, data protection architecture, consent management, data subject rights implementation, and privacy-enhancing technologies.
- Privacy governance: organizational privacy structures, privacy policies and standards, regulatory framework analysis (GDPR, CCPA/CPRA, LGPD, PIPEDA), cross-border data transfer mechanisms, and privacy program management.
- Privacy risk management: privacy impact assessments, data protection impact assessments, privacy risk identification and treatment, vendor privacy risk, and privacy breach risk evaluation.
- Data lifecycle management: data classification, data inventory and mapping, data minimization, retention policies, secure data destruction, and data quality management.
- Privacy engineering: anonymization and pseudonymization techniques, encryption for privacy, privacy-preserving computation, consent management platforms, data subject access request automation, and privacy architecture patterns.
Not Covered
- General IT audit procedures not specific to privacy (covered by CISA).
- Broad information security program management (covered by CISM).
- General IT risk management beyond privacy-specific risks (covered by CRISC).
- Legal practice of privacy law and regulatory interpretation beyond technical compliance requirements.
- Vendor-specific privacy tool configuration and platform administration.
Official Exam Page
Learn more at ISACA
CDPSE is coming soon
Adaptive learning that maps your knowledge and closes your gaps.
Create Free Account to Be Notified