CDPSE Cheat Sheet 2026
The 30 highest-yield CDPSE facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
120 questions
210 min time limit
70.00% to pass
- A CDPSE candidate is designing a data retention schedule. Which factor is MOST critical to determine first? → Legal and regulatory retention requirements
- Which of the following needs to be created first before a privacy office creates a campaign to raise awareness of data protection and privacy? → Strategic goals of the organization
- What is the main function of a Consent Management Platform (CMP)? → To automate the collection, storage, and enforcement of user consent preferences
- What does a data retention legal hold require an organization to do? → Suspend normal retention schedules and preserve relevant data for legal proceedings
- Under the CDPSE framework, who bears primary accountability for defining data retention policies? → Data owner or business unit responsible for the data
- Which sanitization standard is MOST commonly referenced for the secure disposal of US government data on magnetic media? → NIST SP 800-88
- What is a Record of Processing Activities (RoPA) primarily used for? → Documenting all personal data processing operations within an organization
- When conducting a privacy impact assessment (PIA), which of the following should be the FIRST factor taken into account? → The systems in which privacy-related data is stored
- What is the purpose of a privacy attestation in a vendor relationship? → To formally confirm that a vendor meets specified privacy and data protection requirements
- What is the primary purpose of consent management in data privacy? → To document and enforce user agreements for the collection and processing of personal data
- Which of the following BEST exemplifies the methodology for modeling privacy threats? → Mitigating inherent risks and threats associated with privacy control weaknesses
- During which data lifecycle phase is the Privacy Impact Assessment (PIA) MOST effectively initiated? → Data collection phase
- Which body must approve Binding Corporate Rules submitted by EU-based multinational organizations? → The competent national Data Protection Authority and the European Data Protection Board
- When using SCCs for a data transfer, what additional step may be required following the Schrems II ruling? → Conducting a Transfer Impact Assessment to verify the SCCs remain effective
- An organization is preparing for a GDPR supervisory authority audit. Which document is MOST important to have readily available? → Record of Processing Activities (RoPA)
- A key principle within the GDPR is 'Accountability'. What does this principle require of an organization? → To be responsible for and able to demonstrate compliance with all GDPR principles.
- Which derogation under GDPR Article 49 permits a cross-border data transfer without an adequacy decision or appropriate safeguards? → Vital interests of the data subject
- Which CDPSE domain is MOST directly responsible for ensuring ongoing privacy compliance? → Privacy Governance
- Which activity BEST supports the principle of data minimization during system design? → Collecting only the data elements strictly required for the defined purpose
- Under GDPR, which mechanism allows a US company to legally receive personal data from the EU without an adequacy decision? → Standard Contractual Clauses (SCCs)
- How should the chief privacy officer of a global company BEST strike a balance between the demands of the company's privacy standards and local laws? → Create a local version of the organizational standards.
- Which metric BEST measures the effectiveness of an organization's privacy awareness training program? → Reduction in privacy-related incidents attributable to employee error over time
- What did the Court of Justice of the EU (CJEU) determine in the Schrems II ruling regarding Privacy Shield? → Privacy Shield was invalidated due to inadequate US surveillance law protections
- Which type of audit evaluates both the design and operating effectiveness of privacy controls? → Control effectiveness audit
- Which technique renders personal data permanently unusable by removing all direct and indirect identifiers? → Anonymization
- Which of the following BEST describes 'data provenance' in the context of privacy? → The origin and chain of custody of data throughout its lifecycle
- Which of the following best describes the primary role of a Data Protection Officer (DPO) within a privacy governance framework? → To independently advise on and monitor compliance with data protection laws.
- Which of the following, in terms of information security and privacy, would be considered the first line of defense? → Identification and authentication of users
- Under GDPR, which role is responsible for independently monitoring an organization's compliance with data protection obligations? → Data Protection Officer (DPO)
- What would be the BEST justification from a privacy standpoint for including log generation in a system's design? → Facilitate early detection of abuse or misuse of the data that a system processes.
Turn these facts into recall: