An Overview Of Changes In The 3rd Edition Of The Privacy Program Management Textbook

The previous post introduced the new structure of the CIPM textbook at the chapter level. In this post the specific additions and adjustments in each of the chapters of the textbook are elaborated. Below is the chapter organization comparison as a recap:

General Updates

General updates include additional discussions/content added and new statistical data where new reports are available (Poneman, IAPP-EY Governance Report, Verizon Report, Wombat, etc.). New references were added that were largely removed in the last edition. As mentioned in the previous post, the chapters were reorganized to better support the BOK and privacy operational life cycle content. In some areas content was consolidated.

Chapter 1 – Introduction to Privacy Program Management

The section 1.6 – “Awareness, Alignment and Involvement” was renamed to “Championing Privacy”.

Chapter 2 – Privacy Governance

The section 2.1 Create an Organizational Privacy Vision and Mission Statement, has new examples for vision and mission statements.

Sections 2.3 through 2.6 have been reshuffled. 2.3 is now “Develop a Privacy Strategy”, which was section 2.6 in the 2nd edition. The smaller section 2.7 Structure the Privacy Team, and section 2.8 Governance Models were merged into one consolidated section 2.7. The following pictures depicts the changes in chapter 2.

2.4.3 Privacy Program Management Solutions which introduces the Privacy by Design (PbD) concept is now included in the 2.5.1 Principles and Standards section.

Chapter 3 – Applicable Privacy Laws and Regulations

References of new privacy regulations around the world added throughout the book where appropriate including LGPD, CCPA, CPRA, Colorado, Nevada, Canada, Latin America (LGPD), East Asia (including China, South Korea, Japan, Malaysia, Singapore, and Thailand), New Zealand and Australia.

The section “3.4 Commonalities of International Privacy Laws” has been removed but it is ideal to know the commonalities between each of these major laws. For instance, requirements for ensuring individual rights (i.e., access, correction and deletion), and obligations are common.

Chapter 4 – Data Assessments

Chapter 4 has three major additions – 4.1 Data Governance, 4.4.6 Assessing Artificial Intelligence, 4.6.1 Assessing Cloud Computing Vendors, and 4.6.3 Assessing Vendors under the CCPA. All these new additions are relevent to the changing privacy landscape.

Chapter 5 – Protecting Personal Information

This was the chapter 8 in the old version and covers the privacy by design concept. Under the section “5.4.4 Information Security Standards and Guidelines”, a list of NIST Guidelines were included in addition to the ISO standards that were previously there. No other major additions were made except for minor expansions to few sub-sections.

Chapter 6 – Policies

As discussed earlier, this chapter 5 in the 2nd edition is now chapter 6. As with other chapters, content was expanded in some sections with additional references. The sections 6.7.2 Developing a Vendor Contract, and 6.7.3 Vendor Risk Management now have additional content.

Chapter 7 – Monitoring and Auditing Program Performance

No major changes were made to this chapter. A new sub section 7.2.14 Training Data was added that discusses the importance of gathering data to boost employee engagement.

Chapter 8 – Training and Awareness

The chapter includes some additional content but notably revised the methods listed in section 8.8 Training and Awareness Methods.

Chapter 9 – Data Subject Rights

Sections on the CCPA, and Virginia’s CDPA and other recently enacted privacy laws have been included. These are sections and respectively. Section 9.5.7 Right to Restriction of Processing and section 9.5.8 Right to Data Portability has new content referencing GDPR articles. “Section 9.8.1 Data Subject Rights Outside the United States and Europe” has been expanded to cover additional country specific changes that occurred in the recent times.

Chapter 10 – Data Breach Incident Plans

This probably is the chapter with least number of changes overall.


Our team at Cyrvana created a two page document that provides and overview of the CIPM content. Many of our trainees find it very helpful and we call it “CIPM On A Page” (well two pages actually!). Please download it and good luck with your CIPM exam!