Founded in 2000, the International Association of Privacy Professionals (IAPP) bills itself as "the largest and most comprehensive global information privacy community and resource." It is more than just a certification body. It is a full-fledged not-for-profit membership association with a focus on information privacy concerns and topics. Its membership includes both individuals and organizations, in the tens of thousands for the former and the hundreds for the latter (including many Fortune 500 outfits).
Its mandate is to help privacy practitioners develop and advance in their careers, and help organizations manage and protect their data. To that end, the IAPP seeks to create a forum where privacy pros can track news and trends, share best practices and processes, and better articulate privacy management issues and concerns.
By 2012, the organization included 10,000 members. By the end of 2015, membership had more than doubled to 23,000 members. According to a Forbes story published that same year, approximately half of the IAPP's membership is women (which makes it pretty special, based on our understanding of the gender composition for most IT associations and certification programs). Current membership must be between 30,000 and 40,000 as growth rates from 2012 to 2015 have continued, if not accelerated in the face of the EU's General Data Protection Regulation (GDPR), which went into full effect on May 25, 2018. The IAPP also claims to have certified "thousands of professionals around the world."
IAPP certification program overview
The IAPP has developed a globally recognized certification program around information privacy. Its current certification offerings include the following credentials:
- Certified Information Privacy Professional (CIPP): seeks to identify professionals who work primarily with privacy laws, regulations and frameworks
- Certified Information Privacy Manager (CIPM): seeks to identify professionals who manage day-to-day privacy operations for businesses and organizations
- Certified Information Privacy Technologist (CIPT): seeks to identify IT professionals who work regularly (if not primarily) with privacy policies, tools and technologies on the job
All these certifications comply with the ANSI/ISO/IEC 17024 standard, which means they have been developed to meet stringent requirements for analyzing the subject matter and the fields of work to which they apply, along with formal psychometric analysis of test items to make sure that exams truly differentiate those who possess the required skills and knowledge to do the related jobs from those who do not.
All the IAPP exams follow the same cost structure, though charges vary by location. In the U.S., each first-time exam costs $550, with a $375 charge for any subsequent retake of the same exam. Those who already hold any IAPP certification pay just $375 for each additional certification exam they take. IAPP certification holders can either pay an annual maintenance fee of $125 to keep their certifications current (and meet continuing education requirements of 20 CPE credits every two years) or they must join the IAPP.
If a person joins, they'll pay an annual membership fee. Currently, that's $250 for professional members, $50 for student members, and $100 for all other membership categories (government, higher education, retired and not-for-profit). Those who elect to pay the certification maintenance fee need pay only once a year, no matter how many IAPP certifications they earn.
IAPP exams are available at Kryterion testing centers, which may be identified with its test center locator. Exams consist of 90 question items. Candidates may take up to 150 minutes (2.5 hours) to complete any IAPP exam. Payment is handled through the IAPP website, but Kryterion handles date and time windows for exams at its test centers.
Certified Information Privacy Technologist (CIPT)
This credential is the most likely place for a person working in IT to start their IAPP efforts. The CIPT validates skills and knowledge about the components and technical controls involved in establishing, ensuring and maintaining data privacy. To be more specific, the body of knowledge (BoK) for the CIPT stresses important privacy concepts and practices that impact IT, and makes sure that practitioners understand consumer privacy expectations and responsibilities.
It also addresses how to bake privacy into early stages of IT products or services to control costs and ensure data accuracy and integrity without impacting time to market. CIPTs understand how to establish privacy policies for data collection and transfer, and how to manage privacy on the internet of things. They also know how to factor privacy into data classification, and how it impacts emerging technologies such as biometrics, surveillance and cloud computing. Finally, CIPTs understand how to communicate on privacy issues with other parts of their organizations, including management, development staff, marketing and legal.
Certified Information Privacy Professional (CIPP)
IAPP describes this certification as just right for "the go-to person for privacy laws, regulations and frameworks" in an organization. This audience may include more senior privacy or security professionals with IT backgrounds, but it may also involve people from management, legal or governance organizations whose responsibilities include data privacy and protection concerns. This goes double for those involved with legal and compliance requirements, information management, data governance, and even human resources (as privacy is a personal matter at its core, involving personal information).
Because managing privacy and protecting private information is often highly regulated and subject to legal systems and frameworks, the IAPP offers versions of the CIPP certification where such content and coverage has been "localized" for prevailing rules, regulations, laws and best practices.
There are five such versions available: Asia (CIPP/A), Canada (CIPP/C), Europe (CIPP/E), U.S. Government (CIPP/G) and U.S. Private Sector (CIPP/US). As of this writing, the CIPP/E perforce offers the most direct and focused coverage of GDPR topics. That said, given that GDPR applies to companies and online presences globally, such material will no doubt soon make its way into other CIPP versions in the next 6-12 months. The U.S.-focused exams are already scheduled for a refresh in August 2018, as per the IAPP website's certification pages.
For example, the CIPP/US page includes the following materials:
- CIPP/US Authoritative Resource List: links to four authoritative and 21 supplemental textbooks, along with web-based privacy resources, privacy principles and standards documents, and U.S. information privacy statutes (six pages in all)
- The current BoK for CIPP/U.S. before Aug. 1, 2018 and the succeeding BoK on or after Aug. 1, 2018
- The current exam blueprint for CIPP/US before Aug. 1, 2018 and the succeeding blueprint on or after Aug. 1, 2018
- A glossary of privacy terms
Each of the other regional versions of the CIPP has a similarly large, detailed and helpful collection of resources available to interested readers and would-be certified professionals.
Certified Information Privacy Manager (CIPM)
The CIPM is a more senior credential in the IAPP collection. It seeks to identify persons who can manage an information privacy program. Thus, the focus is on privacy law and regulations and how those things must guide the formulation of workable and defensible privacy policies, practices and procedures for organizational use. The CIPM BoK covers the following topics:
- Privacy program governance: organizational vision, program definition and creating a privacy team; developing a privacy program framework; implementing a privacy policy framework; and identifying and using metrics to report on privacy for governance, auditing, and regulatory purposes
- Privacy operational lifecycle: assess organizational and third-party partner and processor privacy posture, including physical and business assessments; establish privacy protections over the data lifecycle, following best cybersecurity practices and Privacy by Design; sustain privacy protections by measuring, aligning, auditing and monitoring privacy data; respond to requests for information about personal data; and respond to privacy incidents as they occur
In general, CIPMs play a lead role in defining and maintaining data privacy policies for their organizations. They will usually be responsible for operating the privacy apparatus necessary to demonstrate compliance with all applicable privacy rules, regulations and laws for the organization as well.
Other IAPP certifications
The IAPP also offers two other elements in its certification programs. One is the Privacy Law Specialist, which aims at attorneys or other licensed legal professionals who wish to focus on privacy topics in a legal context. The other, called the Fellow of Information Privacy (FIP), aims at those at the top of the privacy profession and is available only to those who've completed two or more IAPP credentials, including either a CIPM or a CIPT, and one or more of the CIPP credentials. It requires three professional peer referrals and completion of a detailed application form. We won't discuss these credentials much more in this article, except to note here that the Privacy Law Specialist garnered a surprising 200 hits in our job board search (see below for other details gleaned thereby).
Finally, the IAPP website recommends the combination of CIPP/E and CIPM as the possible credentialing for those wishing to focus on GDPR, shown in this screenshot from its Certify pop-up menu:
IAPP employment: Job board stats and example jobs
We visit four job posting sites to check on demand for specific credentials: Simply Hired, Indeed, LinkedIn and LinkUp. Here's what we learned.
Certification | Search string | Simply Hired | Indeed | LinkUp | Total | |
CIPP | CIPP | 668 | 745 | 1,064 | 401 | 2,878 |
CIPM | CIPM | 187 | 198 | 260 | 191 | 836 |
CIPT | CIPT | 146 | 155 | 276 | 210 | 787 |
The breakdown for CIPP fell out like this: CIPP/A 27, CIPP/C 287, CIPP/E 351, CIPP/G 154 and CIPP/US 401. As you'd expect, the U.S. categories combine for a majority, with Europe a surprising second ahead of third-place Canada.
Salary information appears in the next table. We collected low, median and high values for each credential, finding surprisingly little difference between the CIPM and the CIPP. Given that a CIPM is likely to hold a management position, this shows that the CIPP holds considerable value in employers' estimations. It's also interesting that the median values show the CIPT and the CIPP are close to one another too. This bodes well for IT professionals interested in pursuing the CIPT.
Certification | Low | Median | High |
CIPP | $33,969 | $66,748 | $131,156 |
CIPM | $41,069 | $73,936 | $133,106 |
CIPT | $32,131 | $62,279 | $120,716 |
Privacy Law Attorney | $46,146 | $89,026 | $171,752 |
Typical positions for privacy professionals are very much one-offs. We found a risk management and compliance manager position at a South Carolina government agency charged with defining and implementing security and privacy policies for the department of corrections. That position paid $120,000 per year and involved security and audit compliance, business continuity and disaster recovery planning, and risk and incident management. By itself, the requested CIPM would not be enough to qualify for that job.
The next position was for a healthcare services director position in Albuquerque, New Mexico, which involved auditing, risk management, and contract and vendor negotiation. Its pay range was $140,000 to $190,000 per year, and it required serious management chops, along with IT governance and risk and compliance experience, with calls for knowledge of tools like Archer and Clearwell. The third position was for a senior data privacy associate at a Washington law firm, which sought a person with a CIPP/E, CIPP/US and CIPT, with pay in the $120K-$150K range.
Thus, it appears there are plenty of opportunities – some with high rates of pay – for those willing to climb the IAPP certification ladder. Both the job boards and the individual postings speak directly to strong and urgent need in the field for qualified privacy professionals at all levels.
Training resources
IAPP courses are available through many channels, including classroom training through the IAPP and its partner network. Online training classes are also available, for lesser charges. The IAPP provides ample references and resources, with authoritative and supplemental texts, websites, legal references and statutes, and more for each of its credentials. There's also plenty of self-study material for those who prefer that route.
The IAPP also offers practice exams (which it calls sample questions) to help candidates prepare for exams. Surprisingly, there is even something of an aftermarket for IAPP books and materials, as a quick trip to Amazon will attest.