Which privacy certification should I take first?

Do you recognize the pattern?

Recently there have been a number of questions in the posts about IAPP certification, more specifically about which of the CIPP, CIPM and CIPT privacy professional certifications to take first. In general, the answer I will discuss could be applied to any privacy education or training covering three main pillars: legal, compliance and technical.

Shift from legal to compliance to tech

I have been in the IAPP certification process since 2017 and have since run a dozen trainings. What I noticed from my trainees is that the leading certification interest has actually changed over time.

Back in 2017 the main interest was in CIPP (particularly CIPP/E in Europe) due to high expectations, or better to say concern, about GDPR. CIPP/E is what I call, in a black and white picture, the “legal” part of privacy. We all had a lot of questions about what kind of regulation it was and how it would be enforced.

Then we got some experience and realized that what is most important is how we run our privacy programs and what the best approach is to prove our accountability. That was the main topic for CIPM, or as we would put it the “compliance” part of the story: how to set up and keep running a privacy program.

Today what we experience is that many privacy professionals are taking a look at something I call “how to implement privacy protection?”. There are technical people looking with questions in their eyes at legal and compliance personnel talking to them about transparency, notices, appropriate technical measures and all that weird legal stuff. At the same time legal people, process owners and, better to say, risk owners are trying to understand why the technical guys and girls are shaking their heads, telling them “this is not possible” or “but we are already doing that” or, even worse, “write down functional and non-functional requirements”.

Then we have the latest guidelines from the EDPB telling us what SAs expect from Data protection by design and by default, we have the India PDP Bill 2019 that defines fiduciary responsibility for Privacy by design, and many others. Suddenly, CIPT becomes topic number one. That is what I call the “technical” part of the story. Today I have requests from all over the world coming from legal, compliance, tech and others asking about CIPT. Funny to say, but my latest CIPT class is filled only with lawyers and attorneys. The same goes for CIPP/E and CIPM. What does this tell me? Legal-tech is running at its fastest.

Does this answer the question of where to start? Yes. You should start where your pain is and where your national and corporate privacy maturity is. Nobody can tell you but the demanding market you are working in. If you decide to go for all of them, then the best practice sequence should be: CIPP/E, CIPM and CIPT.

Do it yourself or join the training dilemma

The next question is: should I do it myself or purchase the IAPP program? The answer is also very simple.

If you can afford it, go for the IAPP certification program. Not only will you prepare for the certification exam, but you will also meet other professionals and learn about the pain they have and the best practices they experience. If your OTP provides additional value, then your training program will not last 2 days but 2 months, as he/she will provide you with 4 weeks of preparation before training, the training itself and mentoring before the exam – at least. That is value for the money.

If you do not have funds available, then rely on internet search, quiz-lets, exam sample books, common sense and – your experience. However – take into consideration that a legal background makes CIPP/E a difficult exam to pass and strong IT experience makes CIPT a challenging exam.

Privacy and data protection is a multidisciplinary field of work, and so are the IAPP privacy certification programs. If you need further explanation, feel free to ask me. Happy to be of any help to my fellow privacy professionals.