
2025 IAPP Updates: Full Overview of Curriculum Changes

The 2025 IAPP updates bring extensive curriculum changes to four major privacy certifications: CIPP/E, CIPP/US, CIPM, and CIPT. These updates, effective from Monday 1 September 2025, reflect shifts in legal interpretation, practical compliance challenges, and emerging regulatory frameworks. They include new European Data Protection Board (EDPB) opinions, restructuring of exam content, evolving U.S. regulatory focus, and a deeper integration of technical, programmatic, and risk-oriented concepts. Anyone preparing for these exams must now revise their approach and materials accordingly.

While the scope of changes differs by certification, all programmes now include new examinable material that directly affects question content and preparation priorities. This article outlines the key updates for each certification and provides practical guidance to help candidates prepare effectively for the revised exams. Candidates should also follow the Privacy Study Group on LinkedIn for regular updates, study tips, and peer discussions related to the IAPP exams.

CIPP/E

The CIPP/E curriculum includes new content from key EDPB opinions, updated coverage of AI systems under GDPR, and a restructured domain format. These changes enhance the exam’s focus on real-world responsibilities of controllers and processors, cross-border governance, and emerging compliance risks.

EDPB Opinion on Chains of Controllers, Processors and Sub-Processors

The inclusion of EDPB Opinion 22/2024 in the CIPP/E curriculum marks a major clarification of legal roles within complex data processing chains. Candidates must now understand how liability is distributed among controllers, processors, and sub-processors under Article 28 of the GDPR. The controller retains primary responsibility for defining processing purposes and verifying compliance across all entities involved. Even when a processor appoints a sub-processor, the controller must ensure appropriate safeguards are in place.

The opinion makes clear that processors are not merely intermediaries. They must monitor and report any changes in their subcontracting arrangements and remain liable for the conduct of sub-processors. Contracts must outline due diligence procedures, cooperation with DPIAs, and protocols for incident response. These provisions are now core exam content, with the curriculum including updated guidance on drafting compliant processor agreements, conducting supplier audits, and interpreting layered accountability scenarios.

EDPB Opinion on Main Establishment and the One-Stop Shop

Opinion 04/2024 addresses how controllers and processors determine their main establishment under GDPR Article 4(16). This determination affects eligibility for the one-stop shop mechanism, which allows organisations to work with a single lead supervisory authority. The EDPB sets out specific functional criteria that must be met. The main establishment must be the location where data processing decisions are made and implemented, and where internal structures such as DPOs and compliance teams are based.

The burden of proof lies with the controller. Supporting documentation may include governance charts, job roles, decision logs, and implementation records. Exam scenarios now test candidates on the legal and operational distinctions between formal corporate headquarters and functional main establishments. Understanding these distinctions is critical for managing cross-border regulatory relationships.

Legitimate Interest Under Article 6(1)(f)

EDPB Guidelines 1/2024 introduce a more structured interpretation of the legitimate interest legal basis under GDPR. This basis must now be examined using a three-part test: the interest must be lawful and well-defined; the processing must be strictly necessary to achieve it; and a balancing test must confirm that the rights of the data subject do not override the interest.

CIPP/E candidates must be able to evaluate processing scenarios and determine whether legitimate interest applies, particularly in contexts like fraud prevention, network security, and litigation. They must also identify cases where consent or another legal basis would be more appropriate, such as behavioural advertising or processing involving minors. New content in the exam includes documenting balancing assessments, justifying necessity, and identifying applicable safeguards.

GDPR Compliance for AI Systems

The 2025 curriculum expands its focus on artificial intelligence. Candidates must now understand how GDPR principles such as transparency, fairness, data minimisation, and accountability apply to AI design and deployment. The updated content also introduces relevant AI governance frameworks, including the OECD AI Principles and the NIST AI Risk Management Framework. These tools support data protection by design and default as required under Article 25.

Topics include how to conduct DPIAs for AI use cases, the role of explainability in automated decision-making, and the importance of human oversight in high-risk applications. The CIPP/E exam now includes questions on AI system compliance and the intersection of GDPR with the upcoming EU AI Act.

Breach Notification and Incident Response

The GDPR’s Articles 33 and 34 impose strict obligations on controllers to notify supervisory authorities and data subjects in the event of a personal data breach. The 2025 update strengthens this topic’s coverage. Candidates must now understand how to differentiate between general security incidents and notifiable breaches, evaluate risk to data subjects, and determine when to communicate with regulators or individuals.

Scenario-based questions focus on timing requirements, content of notifications, and exceptions to the duty to inform. The exam also tests knowledge of cross-border incident coordination under the one-stop shop mechanism. Effective incident response plans, audit readiness, and breach reporting templates are also part of the expanded content.

Domain Structure Reorganisation

The structural change to the CIPP/E Body of Knowledge is one of the most visible updates. Domain II has been split into three distinct domains: Rights and Principles, Compliance Requirements, and Corporate Application of GDPR. This realignment does not introduce new content but offers clearer grouping and navigation. Candidates using pre-2025 materials must now remap their notes, flashcards, and revision schedules to reflect the new structure.

CIPP/US

The 2025 CIPP/US updates introduce a broader scope of U.S. sector-specific laws and add emerging privacy concepts. New exam topics include M&A due diligence, insurance regulation, children’s data protection, and information fiduciaries, all tested through updated scenarios and legal frameworks.

Privacy in Mergers and Acquisitions

The updated CIPP/US curriculum adds a new focus on how data privacy is managed during mergers, acquisitions, and divestitures. Candidates must now understand the risks associated with inheriting personal data, especially when prior compliance, consent, or vendor contract history is unclear.

The curriculum includes new guidance on due diligence activities, such as reviewing the target company’s data inventories, policies, incident history, and vendor agreements. Scenario questions may ask candidates to assess whether data collected under one privacy notice can be used post-transaction and how to resolve jurisdictional conflicts under HIPAA, CCPA, and GLBA.

Privacy Regulation in the Insurance Sector

Another important addition is the inclusion of model laws from the National Association of Insurance Commissioners (NAIC). These include the Insurance Data Security Model Law (#668), the Privacy of Consumer Financial and Health Information Regulation (#672), and the new draft Privacy Protections Model Act (#674).

Candidates must now understand how these laws apply to health and financial data in the insurance context, how state variations affect implementation, and how sector-specific obligations intersect with broader U.S. and international frameworks. These laws are examinable through both theoretical and practical lenses, especially in relation to breach response and consumer transparency.

Information Fiduciaries

The concept of information fiduciaries has entered the curriculum as an emerging legal and ethical framework. The idea proposes that data-collecting entities should owe duties of loyalty and care to their users, similar to those imposed on lawyers or doctors. Candidates must now evaluate how this model differs from standard consumer relationships and how it might shape future federal privacy legislation.

Scenario-based questions may test how a fiduciary obligation would change data usage decisions, particularly when user trust or platform power imbalances are involved.

COPPA and Parental Consent

The updated CIPP/US curriculum expands coverage of the Children’s Online Privacy Protection Act (COPPA), especially around the requirement for verifiable parental consent. The exam now includes acceptable methods of obtaining consent, such as signed forms, ID verification, or credit card checks, as well as the consequences for non-compliance. Exceptions for internal use or one-time communication are also included.

Cross-Border Transfers: U.S. vs. GDPR and FADP

Candidates must now compare U.S. privacy frameworks with international systems, particularly the EU GDPR and the Swiss FADP. The update includes the Swiss–U.S. Data Privacy Framework, in effect since September 2024, which simplifies transfers for certified U.S. companies. Candidates must understand adequacy decisions, standard contractual clauses, and the restrictions on transferring sensitive data to high-risk countries.

Workforce Training and Data Leaks

The 2025 curriculum underscores the importance of employee training in preventing privacy violations. Candidates must now evaluate the effectiveness of awareness campaigns, phishing simulations, and policy enforcement. Questions may cover password hygiene, incident reporting culture, and training audit metrics.

CIPM

The CIPM certification has been revised to strengthen its emphasis on measurable programme effectiveness. The 2025 update integrates new guidance on using performance metrics to demonstrate accountability, align governance structures, and show the business value of privacy programmes.

Programme Metrics and Measurable Outcomes

The CIPM curriculum now treats metrics as a core subject. The focus is on demonstrating programme effectiveness using quantifiable indicators. Candidates must understand how to define meaningful privacy KPIs, such as request handling times, audit readiness, and breach mitigation timelines.

Metrics are also linked to strategic governance. Boards and regulators increasingly expect transparency in how privacy programmes contribute to organisational trust, compliance, and risk reduction. The exam requires candidates to select metrics aligned with business goals and maturity level.

Clarified Content and Reorganisation

While the CIPM curriculum remains substantively consistent, redundant content has been removed and the remaining material more clearly structured. Emphasis is placed on aligning governance, roles, risk management, and programme accountability within a privacy lifecycle framework.

CIPT

The CIPT curriculum is now organised into five more coherent domains, with new content on lifecycle management and privacy threat modelling. It reflects current engineering realities, particularly in systems design, secure storage, and data disposal practices.

Domain Reorganisation and Lifecycle Focus

The CIPT curriculum has been restructured from seven to five domains, reflecting a more intuitive flow. One new domain is dedicated entirely to the data lifecycle, including collection, processing, storage, and disposal. This better reflects operational realities and supports GDPR’s storage limitation and minimisation principles.

Privacy Threat Modelling with LINDDUN

The CIPT exam now includes privacy-specific threat modelling, with a focus on the LINDDUN framework. Candidates must be able to identify and address threats such as linking, detecting, or unawareness, and design systems that support privacy by design from the outset.

Secure Storage and Data Disposal

Greater focus is given to encryption, access controls, retention schedules, and secure destruction methods. Candidates must understand how poor data handling practices at the end of the lifecycle can lead to breaches and legal consequences.

Practical Tips to Prepare for the 2025 IAPP Updates

With the 2025 IAPP updates now active for all exams from 1 September forward, candidates need to revise both the content and the structure of their study approach. Relying on pre-2025 materials without adjustments will leave critical gaps. Updated regulatory interpretations, domain reorganisations, and new exam scenarios require fresh preparation strategies.

To prepare effectively, consider the following:

  • Confirm that your study materials reflect the 2025 Body of Knowledge for your certification
  • Reorganise any older notes or flashcards to match new domain structures, especially for CIPP/E and CIPT
  • Focus on newly added topics such as controller–processor chains, AI governance, information fiduciaries, and privacy metrics
  • Incorporate regulatory texts and EDPB opinions directly into your study sessions to understand source material
  • Join active forums or communities where candidates discuss the new exam content in real time
  • Take practice exams that reflect the 2025 curriculum to identify weak areas early

For candidates who want materials already aligned with the updates, all relevant 22Academy courses have been revised to include the new topics, domain layouts, and exam formats; in particular, both the CIPP/E Prep Suite and the CIPM Prep Kit now reflect the 2025 curriculum, including the reorganised domain structures. The Exam Question Masterclass, focused on learning skills, is also available for each certification and offers an effective way to improve exam performance by concentrating on question interpretation, strategy, and time management.

Conclusion

The 2025 IAPP updates introduce both new content and reorganised structures that will affect every candidate sitting for CIPP/E, CIPP/US, CIPM, or CIPT certifications after 1 September 2025. From new legal opinions and operational metrics to updated frameworks and training content, these changes reflect a maturing privacy profession and evolving regulatory expectations.

Studying from outdated materials will result in knowledge gaps that could impact exam performance. By aligning preparation with the current Body of Knowledge and applying practical understanding to real-world scenarios, candidates will be better positioned for success across all IAPP certifications.
