CIPT Cheat Sheet 2026
The 30 highest-yield CIPT facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
90 questions
150 min time limit
70.00% to pass
- Which individual developed the Seven Principles of Privacy by Design? → Ann Cavoukian
- When building a consent management platform, which engineering requirement is most critical from a Privacy by Design perspective? → Granular, revocable consent with clear audit logs
- Which phase of the data lifecycle involves determining what data to collect, for what purpose, and under what legal basis? → Data collection and creation
- An organization must delete a customer's data upon request. Which governance process ensures all copies — including backups — are identified and removed? → Data mapping combined with a defined erasure workflow
- A company's privacy notice is written at a 16th-grade reading level. Which privacy principle does this most directly violate? → Transparency (right to clear, intelligible information)
- Which risk treatment option involves stopping a high-risk data processing activity because residual risk cannot be reduced to an acceptable level? → Risk avoidance
- Data protection regulations vary from country to country, but what is the underlying concept common to all? → Keeping data safe while allowing authorized access
- A company maintains records of all its data processing activities including purposes, categories of data, and retention periods. What is this record called? → Record of Processing Activities (RoPA)
- Which element of the Privacy by Design framework highlights the significance of ensuring that decisions revolve around fulfilling the user's needs? → Respect for User Privacy – Keep it User-Centric
- In Privacy by Design, what does the principle 'Proactive not Reactive' mean? → Anticipate and prevent privacy-invasive events before they occur
- What is the central objective of the Privacy by Design (PbD) framework? → To embed privacy into development from the outset
- A privacy engineer proposes using 'k-anonymity' when publishing a dataset. What does this guarantee? → Each record is indistinguishable from at least k-1 other records on quasi-identifiers
- Which element is generally NOT required in a breach notification sent directly to affected individuals? → A list of all employees who handled the breached data internally
- Which data protection law in Canada enforces regulations on specific sectors and includes breach reporting requirements? → Federal: PIPEDA
- An organization implements automated data expiry rules that delete personal records when their retention period ends. What governance benefit does this provide? → Reduces risk of holding data beyond its legal or business justification
- A privacy team implements a process to handle user requests to access, correct, or delete their personal data. What is this process called? → Data Subject Rights (DSR) or Data Subject Access Request (DSAR) fulfillment process
- Under GDPR Article 33, within how many hours must a personal data breach be reported to the supervisory authority? → 72 hours
- Which engineering technique adds statistical noise to datasets to protect individual privacy while preserving overall data utility? → Differential privacy
- Which authentication method provides the strongest privacy protection by ensuring that even if a password is stolen, unauthorized access is prevented? → Multi-factor authentication (MFA)
- What is the primary objective of a Data Protection Impact Assessment (DPIA)? → Identify and mitigate privacy risks of high-risk processing activities before they begin
- What is the role of "End-to-End Protection – Lifecycle Security" within the Privacy by Design framework? → To ensure security throughout the data lifecycle
- What is the main goal of applying 'data separation' or 'compartmentalization' as a privacy engineering technique? → Limiting the combination of data that could re-identify individuals
- What privacy risk does 'orphaned accounts' (accounts of former employees that were not deprovisioned) create? → Unauthorized access to personal data by individuals who no longer have a legitimate need
- Which approach involves transferring privacy risk to a third party, such as through cyber liability insurance or vendor contractual indemnification? → Risk transfer
- Which data governance artifact defines who can access specific datasets, under what conditions, and for what approved purposes? → Data access policy
- During the data disposal phase, which method best ensures that magnetic hard drive data is unrecoverable? → Degaussing followed by physical destruction
- What is an 'access log' used for from a privacy accountability perspective? → Creating an auditable record of who accessed personal data, when, and from where
- Which practice should businesses adopt to ensure compliance with data privacy laws? → Gather, handle, and store only necessary customer data
- In privacy risk management, what does 'risk tolerance' define? → The level of risk the organization is willing to accept without further treatment
- What is the key focus of the "Visibility and Transparency" principle? → Demonstrating accountability and making policies accessible
Turn these facts into recall: