CDPSE Cheat Sheet 2026

The 30 highest-yield CDPSE facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

120 questions
210 min time limit
70.00% to pass
  1. A CDPSE candidate is designing a data retention schedule. Which factor is MOST critical to determine first? Legal and regulatory retention requirements
  2. Which of the following needs to be created first before a privacy office creates a campaign to raise awareness of data protection and privacy? Strategic goals of the organization
  3. What is the main function of a Consent Management Platform (CMP)? To automate the collection, storage, and enforcement of user consent preferences
  4. What does a data retention legal hold require an organization to do? Suspend normal retention schedules and preserve relevant data for legal proceedings
  5. Under the CDPSE framework, who bears primary accountability for defining data retention policies? Data owner or business unit responsible for the data
  6. Which sanitization standard is MOST commonly referenced for the secure disposal of US government data on magnetic media? NIST SP 800-88
  7. What is a Record of Processing Activities (RoPA) primarily used for? Documenting all personal data processing operations within an organization
  8. When conducting a privacy impact assessment (PIA), which of the following should be the FIRST factor taken into account? The systems in which privacy-related data is stored
  9. What is the purpose of a privacy attestation in a vendor relationship? To formally confirm that a vendor meets specified privacy and data protection requirements
  10. What is the primary purpose of consent management in data privacy? To document and enforce user agreements for the collection and processing of personal data
  11. Which of the following BEST exemplifies the methodology for modeling privacy threats? Mitigating inherent risks and threats associated with privacy control weaknesses
  12. During which data lifecycle phase is the Privacy Impact Assessment (PIA) MOST effectively initiated? Data collection phase
  13. Which body must approve Binding Corporate Rules submitted by EU-based multinational organizations? The competent national Data Protection Authority and the European Data Protection Board
  14. When using SCCs for a data transfer, what additional step may be required following the Schrems II ruling? Conducting a Transfer Impact Assessment to verify the SCCs remain effective
  15. An organization is preparing for a GDPR supervisory authority audit. Which document is MOST important to have readily available? Record of Processing Activities (RoPA)
  16. A key principle within the GDPR is 'Accountability'. What does this principle require of an organization? To be responsible for and able to demonstrate compliance with all GDPR principles.
  17. Which derogation under GDPR Article 49 permits a cross-border data transfer without an adequacy decision or appropriate safeguards? Vital interests of the data subject
  18. Which CDPSE domain is MOST directly responsible for ensuring ongoing privacy compliance? Privacy Governance
  19. Which activity BEST supports the principle of data minimization during system design? Collecting only the data elements strictly required for the defined purpose
  20. Under GDPR, which mechanism allows a US company to legally receive personal data from the EU without an adequacy decision? Standard Contractual Clauses (SCCs)
  21. How should the chief privacy officer of a global company BEST strike a balance between the demands of the company's privacy standards and local laws? Create a local version of the organizational standards.
  22. Which metric BEST measures the effectiveness of an organization's privacy awareness training program? Reduction in privacy-related incidents attributable to employee error over time
  23. What did the Court of Justice of the EU (CJEU) determine in the Schrems II ruling regarding Privacy Shield? Privacy Shield was invalidated due to inadequate US surveillance law protections
  24. Which type of audit evaluates both the design and operating effectiveness of privacy controls? Control effectiveness audit
  25. Which technique renders personal data permanently unusable by removing all direct and indirect identifiers? Anonymization
  26. Which of the following BEST describes 'data provenance' in the context of privacy? The origin and chain of custody of data throughout its lifecycle
  27. Which of the following best describes the primary role of a Data Protection Officer (DPO) within a privacy governance framework? To independently advise on and monitor compliance with data protection laws.
  28. Which of the following, in terms of information security and privacy, would be considered the first line of defense? Identification and authentication of users
  29. Under GDPR, which role is responsible for independently monitoring an organization's compliance with data protection obligations? Data Protection Officer (DPO)
  30. What would be the BEST justification from a privacy standpoint for including log generation in a system's design? Facilitate early detection of abuse or misuse of the data that a system processes.
Turn these facts into recall: