CIPT Cheat Sheet 2026

The 30 highest-yield CIPT facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

90 questions
150 min time limit
70.00% to pass
  1. Which individual developed the Seven Principles of Privacy by Design? Ann Cavoukian
  2. When building a consent management platform, which engineering requirement is most critical from a Privacy by Design perspective? Granular, revocable consent with clear audit logs
  3. Which phase of the data lifecycle involves determining what data to collect, for what purpose, and under what legal basis? Data collection and creation
  4. An organization must delete a customer's data upon request. Which governance process ensures all copies — including backups — are identified and removed? Data mapping combined with a defined erasure workflow
  5. A company's privacy notice is written at a 16th-grade reading level. Which privacy principle does this most directly violate? Transparency (right to clear, intelligible information)
  6. Which risk treatment option involves stopping a high-risk data processing activity because residual risk cannot be reduced to an acceptable level? Risk avoidance
  7. Data protection regulations vary from country to country, but what is the underlying concept common to all? Keeping data safe while allowing authorized access
  8. A company maintains records of all its data processing activities including purposes, categories of data, and retention periods. What is this record called? Record of Processing Activities (RoPA)
  9. Which element of the Privacy by Design framework highlights the significance of ensuring that decisions revolve around fulfilling the user's needs? Respect for User Privacy – Keep it User-Centric
  10. In Privacy by Design, what does the principle 'Proactive not Reactive' mean? Anticipate and prevent privacy-invasive events before they occur
  11. What is the central objective of the Privacy by Design (PbD) framework? To embed privacy into development from the outset
  12. A privacy engineer proposes using 'k-anonymity' when publishing a dataset. What does this guarantee? Each record is indistinguishable from at least k-1 other records on quasi-identifiers
  13. Which element is generally NOT required in a breach notification sent directly to affected individuals? A list of all employees who handled the breached data internally
  14. Which data protection law in Canada enforces regulations on specific sectors and includes breach reporting requirements? Federal: PIPEDA
  15. An organization implements automated data expiry rules that delete personal records when their retention period ends. What governance benefit does this provide? Reduces risk of holding data beyond its legal or business justification
  16. A privacy team implements a process to handle user requests to access, correct, or delete their personal data. What is this process called? Data Subject Rights (DSR) or Data Subject Access Request (DSAR) fulfillment process
  17. Under GDPR Article 33, within how many hours must a personal data breach be reported to the supervisory authority? 72 hours
  18. Which engineering technique adds statistical noise to datasets to protect individual privacy while preserving overall data utility? Differential privacy
  19. Which authentication method provides the strongest privacy protection by ensuring that even if a password is stolen, unauthorized access is prevented? Multi-factor authentication (MFA)
  20. What is the primary objective of a Data Protection Impact Assessment (DPIA)? Identify and mitigate privacy risks of high-risk processing activities before they begin
  21. What is the role of "End-to-End Protection – Lifecycle Security" within the Privacy by Design framework? To ensure security throughout the data lifecycle
  22. What is the main goal of applying 'data separation' or 'compartmentalization' as a privacy engineering technique? Limiting the combination of data that could re-identify individuals
  23. What privacy risk does 'orphaned accounts' (accounts of former employees that were not deprovisioned) create? Unauthorized access to personal data by individuals who no longer have a legitimate need
  24. Which approach involves transferring privacy risk to a third party, such as through cyber liability insurance or vendor contractual indemnification? Risk transfer
  25. Which data governance artifact defines who can access specific datasets, under what conditions, and for what approved purposes? Data access policy
  26. During the data disposal phase, which method best ensures that magnetic hard drive data is unrecoverable? Degaussing followed by physical destruction
  27. What is an 'access log' used for from a privacy accountability perspective? Creating an auditable record of who accessed personal data, when, and from where
  28. Which practice should businesses adopt to ensure compliance with data privacy laws? Gather, handle, and store only necessary customer data
  29. In privacy risk management, what does 'risk tolerance' define? The level of risk the organization is willing to accept without further treatment
  30. What is the key focus of the "Visibility and Transparency" principle? Demonstrating accountability and making policies accessible
Turn these facts into recall: