30/1/2023 Privacy + CyberSecurity Law
On January 27, 2023 I passed the IAPP CIPP/US exam (updated October, 2022) and earned the ANSI-Accredited Certified Information Privacy Professional/United States (CIPP/US) credential through the International Association of Privacy Professionals (IAPP).
Studying for this "Gold-Standard" Privacy Professional Credential has assisted me on a number of fronts at the same time.
It has allowed me to quickly and cost-effectively:
1️⃣ Bring myself up to speed on the rapidly evolving speciality area of U.S. (Private-Sector) Privacy Law;
2️⃣ Ensure Blue Ocean Law Group's privacy practices & website (including its Privacy + Cookie Policies, California CCPA Opt-Out Notices) are in full compliance with the most recent amendments to California/U.S. legislation +/or best practices;
3️⃣ Gain an important and highly valued independent verification that I possess the required level of competence to become a Certified Privacy Professional; and
4️⃣ Start to position Blue Ocean Law Group as a provider of US Privacy Law services.
Jess Miers wrote a very helpful blog article in August 2018 called "My thoughts on Studying, Taking and passing the IAPP CIPP/US Exam".
Her rationale for writing her article is copied below:
"For an exam so heavily focused on information sharing, there’s a surprising lack of it between privacy professionals regarding this certification. I aim to change that by starting a collaborative, open source resource for those attempting to tackle this privacy achievement. I am writing these reflections roughly two hours after passing the exam in an effort to bring a fresh perspective on studying and acing the cert.
Online study resources are slim to none if you don’t count the resources you can (must) purchase from IAPP. Googling “how difficult is the CIPP/US exam” or “CIPP/US exam tips” will lead you to: http://law.scu.edu/wp-content/uploads/Tips-for-Passing-the-CIPP-Exam-Feb-2015.pdf
(Full bias disclosure: I am an SCU law student but the “helpful tactics” are actually helpful, especially the point about mastering the minutiae)
A slew of forums about how awful the test is and lawyers that claim to have 20+ years of privacy experience but still managed to fail the exam. I won’t link those here because I thoroughly advise you steer clear of those conversations. They’ll psych you out before you sit for the test. If you decide to venture down the forum path anyways, I can assure you I’ve read them and they are incredibly exaggerated and melodramatic. Tl;dr, take them with a grain of salt.
And that’s about it. Hence, my inspiration to start this conversation."
As I undertook the work required to adequately prepare to sit and pass the CIPP/US exam I searched for unbiased guidance online.
The one blog article I did find on Jess Miers' blog Ctrl-Alt-Dissent (refer above for more information) was very helpful, but was published in August 2018 (more than 4 years ago).
During that time, the material being tested has changed by at least circa 40% (10% a year).
In my search for cost-effective guidance I think I have discovered a few new options and resources that most likely did not exist 4+ years ago.
If your employer is footing the bill and is willing to pay for the complete IAPP training package (an option I did not take) then you may not need to read this blog article as much as those of you who are paying for the exam and study resources yourselves and most likely attempting to pass the exam on a tight budget.
Today, data is the new oil.
It has become one of the most valuable assets a business can have, yet threats to data privacy are evolving at a breakneck pace and the stakes are high.
Every day data is being accessed, sold, shared, managed and transferred both inside and outside organizations, and can potentially reside on cloud servers globally.
Unless you and your organisation have a solid understanding of the considerations and challenges involved in managing data, you risk a data breach, diminished customer trust and possibly ruinous enforcement action.
Privacy Professionals are the arbiters of trust in today’s data-driven global economy.
They help organizations manage rapidly evolving privacy threats and mitigate the potential loss and misuse of information assets.
The IAPP is the first organization to publicly establish standards in professional education and testing for privacy and data protection. IAPP privacy certification is internationally recognized as a reputable, independent program that professionals seek and employers demand.
The CIPP was developed and launched by the IAPP in collaboration with leading privacy experts.
The CIPP is the world’s first broad-based global privacy and data protection credentialing program.
The CIPP/US demonstrates a strong foundation in U.S. Private-Sector privacy laws and regulations and understanding of the legal requirements for the responsible transfer of sensitive personal data to/from the U.S., the EU and other jurisdictions.
The International Association of Privacy Professionals (IAPP) is the world’s largest and most comprehensive privacy resource. Its mission is to define, support and improve the privacy profession globally. Founded in 2000, the IAPP is a not-for-profit, non-advocacy membership organization that brings together the people, tools and global-information-management practices organizations and individuals need to succeed.
IAPP members benefit from sharing ideas, challenges and best practices across diverse outlooks and venues.
The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world.
More information about the IAPP is available at www.iapp.org.
Data breaches. Identity theft. Diminished customer trust. These threats and more can wreak havoc on your organization, which is why the call for skilled, knowledgeable Privacy Professionals continues to rise.
I wrote the following in one of my recent LinkedIn posts:
Increasingly, helping our users/clients protect their privacy will be both our competitive edge and one of our "top of agenda" corporate governance matters.
Blue Ocean Law Group strives to embrace pragmatic + proactive best practices which ensure we are globally compliant, transparent with our privacy and security practices, provide our clients with choice, whilst protecting our clients' privacy.
In many ways, from what we have been able to decipher we appear to be the only law firm globally to implement low-cost innovative market-leading initiatives such as Trax Print - GPS Document Protection & Fraud + Litigation Prevention Technology, and one of a handful of law firms globally using Trustify End-to-End Email Encryption, and offering our clients the use of a dedicated Digital Safe-Custody Vault.
The most difficult task to date has been educating our clients (and prospective clients) on the merits of our privacy protection initiatives, as well as differentiating our competence in the field of privacy and cybersecurity.
Being able to showcase a CIPP/US certification instantly provides widespread recognition that Blue Ocean Law Group is led by a Privacy Professional, and as a result Blue Ocean Law Group is a trustworthy guardian of our clients' personal data.
The book "Our Data, Ourselves: A Personal Guide to Digital Privacy" is where I started my introduction to U.S. Privacy law.
The book is an enjoyable read whilst providing an up-to-date (published September, 2022) practical primer about U.S. Privacy Law. It has a chapter dedicated to a discussion on why European Privacy Law has led the way and needs to be top of mind for all Privacy Professionals.
One of the reasons I wanted to write this blog article so soon after taking the exam was to be able to share my experience whilst it is still fresh in my mind.
The exam was not what I expected, based on the sample exam I purchased from IAPP.
When I took the sample exam provided by IAPP everything seemed familiar and low-stress.
It was a breeze, and I managed to ace the sample exam with plenty of time to spare.
This was NOT THE CASE on the actual exam.
I had moments when I was frozen trying to comprehend what I was being asked with no reference point to anchor back to from my study preparation.
If I had at least seen something similar before, even if only momentarily, I would have been able to place the questions in some context which may have made them a whole lot easier to answer correctly.
I think that a large part of the difficulty in passing this exam is the secrecy with which the exam questions are held.
The exam questions are protected like trade secrets.
When you take the exam you are asked to digitally sign an agreement that you will not share any of the content in the exam.
In any event, professional ethics aside, with no ability to take notes away with you and no photographic memory to match Mike Ross in Suits there isn't much of a chance to remember the questions or even know which questions you got right and which ones you got wrong.
I concur with Jess Miers' description of the actual CIPP/US exam:
"This test was by far one of the strangest exams I’ve taken... It’s the test structure and the lack of online resources that make it seemingly daunting and unnecessarily mysterious."
In the process of conducting my research regarding how widespread the CIPP/US certification was, I stumbled across Privacy Professionals who had also been awarded a OneTrust Privacy Professional Certification.
After reading positive reviews about OneTrust, and discovering that the training is offered online for free, I signed up to participate in the full-day training course as part of my final preparations for the CIPP/US exam.
If you are based in Australia you will need to pull an all-nighter as the time zones are not favourable to course participants based in the southern hemisphere.
The training covers both practical hands-on work using the OneTrust software within a training environment as well as covering legal considerations.
I did note that the OneTrust guidance about the California CPRA (effective 1 Jan 2023) contained errors and did not include all of the changes made by this legislation.
Appropriate feedback has been provided, therefore I am confident that OneTrust will have taken the required steps to update their training material by the time you sign up to take the course.
What this inaccuracy does highlight is that the Privacy Law landscape in the US (and indeed globally) is dynamic and it is difficult, even for major privacy software companies to keep their material up to date.
Whilst you have 30 days to take the OneTrust Privacy Professional Certification exam after you complete the training, I strongly recommend you take the exam as soon as practical as you only have access to the OneTrust software training environment for 5 days after you complete the training.
As the exam is open book you absolutely require access to their software to answer the questions the exam poses about using their software.
Without access to the OneTrust training environment, in my view your chances of passing the exam are greatly diminished.
After passing the exam, you are sent a certificate designating that you are a OneTrust Certified Privacy Professional and are certified to serve as an administrator of the OneTrust Privacy Management Platform.
The IAPP website provides a warning to avoid (Non-IAPP) approved CIPP training providers as well as the many practice exams available online as they are too easy and do not provide the guidance you will need to pass the exam.
In the majority of cases this warning is probably correct.
With the warning sounding in the back of my mind I nevertheless sought out alternative CIPP training to see what was available.
After I discovered CIPPTraining.com and carefully analysed the reviews from test-takers who had trained with CIPPTraining, I decided to take the plunge and sign up for their online course and summary of the official textbook.
Some negative reviews complained that there was not enough study material.
On the contrary, I fully understand the value of having expert assistance to distill a large body of knowledge into the most important and commonly tested core elements.
CIPPTraining.com does a great job in delivering "what you need to know" so you can focus on getting to know it well.
They have developed 3 practice exams, which you can retake as many times as you like to ensure you are able to apply what you have learned.
I supplemented the CIPPTraining practice exams with an additional two practice exams from Jasper Jacobs CIPP/US, CIPP/E, CIPM, CIPT (not by IAPP) and subsequently, I was recommended these same exams by CIPPTraining as well as from a pinned post in a LinkedIn study group which provides guidance to CIPP exam takers. Both of these practice exams were worthwhile, especially the case study edition.
Some past test-takers have stated:
"You will not pass the exam without buying and reading the Official Text Book cover to cover."
If that is the case, I am an exception as I scored way above passing and I didn't buy or read the official textbook.
Having said that, if I had my time again I would definitely buy the textbook.
Why would you spend the money when you scored so highly without it, I hear you ask?
⭐️ If reading the book gains an advantage on exam day (anecdotally that is the consensus view from past test-takers) then it is a no-brainer!
In the end result, I still scored very well on the actual exam so I can't say that I agree with the above statement.
I propose an amended statement:
"If you want to reduce your stress levels on exam day, and give yourself the best chance of passing then don't be stingy. Buy and read the Official Text Book cover to cover."
If the sample exam had been designed in the same way as the actual exam, I would have worked out that I needed to buy the textbook well in advance of the actual exam.
Instead I developed a false level of confidence.
Next time I would buy and read the Official Text Book.
Here are my three reasons:
1️⃣ For the relatively low cost, it is a small price to pay and you never know what minor details are included in the book that are tested in the exam;
2️⃣ To reduce my stress levels on the actual exam; and lastly
3️⃣ To use as a reference book in my US Privacy Law practice.
When I shared this blog article with Remon Janssen, CIPP/E CIPP/US from CIPPTraining.com he replied as follows:
"I think reading the textbook wouldn't have helped you more. All important topics are in the CIPPTraining textbook outline.
The book mainly contains additional details and many duplications.
Questions are regularly asked that do not appear in the textbook.
The IAPP indicates that you should also follow the news and therefore choose other topics, I think.
We therefore really focus on the most important things from the book so that you get a passing grade.
We can't predict the other questions anyway."
As part of studying for the exam I developed my own online study tool to help me walk through the lawyer-logic involved in various practical privacy situations, such as a data breach, stepping through the same steps any lawyer faced with the practical privacy situation needs to step through.
The online study tool is still only in alpha version.
Once I have additional time to devote to developing it further into at least a beta version, I will add a link here so you can try it.
By way of example, if you would like to try the online tool I developed whilst studying for the California Bar exam Professional Responsibility essay question you can find it here.
From the IAPP website:
Glossary of Privacy Terms
Please surf our Digital Life ➲ The Law Playing Catch Up on Privacy + CyberSecurity Smartlist for our latest curated links.
This article was written by James D. Ford Esq., GAICD CIPP/US | Principal Solicitor, Blue Ocean Law Group℠.
This blog article is intended for general interest + information only.
To the extent this article is deemed advertising or solicitation, it is hereby identified as such.
It is not intended to constitute legal advice; the statements made are opinions about general situations, and they are not a substitute for advice as to any specific matter.
We recommend you always consult a lawyer for legal advice specifically tailored to your needs & circumstances.