
100+ Free CDPSE Practice Questions

Pass your ISACA Certified Data Privacy Solutions Engineer exam on the first try — instant access, no signup required.

Key Facts: CDPSE Exam

  • Exam questions: 120 (source: ISACA)
  • Time limit: 3.5 hrs (source: ISACA)
  • Passing score: 450/800 (source: ISACA)
  • Privacy Engineering weight: 39% (source: ISACA ECO, June 2, 2025)
  • Exam fee (member): $575 (source: ISACA)
  • Privacy experience: 3 yrs, required for certification

ISACA's Certified Data Privacy Solutions Engineer (CDPSE) is a privacy-engineering certification with a 120-question, 3.5-hour exam, a 200-800 scaled score, and a 450 passing threshold. The current ISACA Exam Content Outline (updated June 2, 2025) weights Privacy Governance at 20%, Privacy Risk Management and Compliance at 18%, Data Life Cycle Management at 23%, and Privacy Engineering at 39% — making engineering the dominant domain. The exam fee is $575 for ISACA members ($760 for nonmembers), plus a $50 application fee, with delivery through PSI test centers or remote proctoring. Certification requires three years of cumulative privacy experience across the CDPSE domains; the exam itself is open to anyone.

Sample CDPSE Practice Questions

Try these sample questions to test your CDPSE exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Under GDPR, who is primarily responsible for ensuring that an organization's privacy program aligns with business strategy and applicable laws?
A. The Data Protection Officer (DPO)
B. Senior management and the board of directors
C. The Chief Information Security Officer (CISO)
D. The IT operations team
Explanation: While a DPO advises and monitors compliance under GDPR Article 39, accountability for the privacy program rests with senior management and the board. ISACA's CDPSE governance framing aligns with GDPR Article 5(2) accountability and the NIST Privacy Framework Govern-P function, which require executive sponsorship of privacy strategy and resourcing.

2. Which document set establishes the highest-level expectations for how an organization handles personal data and is typically approved by the board or executive committee?
A. Privacy notices
B. Privacy policy
C. Data processing agreements
D. Records of processing activity (RoPA)
Explanation: The privacy policy is an internal, board-endorsed governance document that sets out principles, roles, and high-level rules for personal data. Privacy notices are external-facing disclosures, DPAs are vendor contracts, and RoPAs are operational inventories required by GDPR Article 30.

3. An organization is forming a privacy steering committee. Which composition best supports cross-functional privacy governance?
A. Only the DPO and privacy office staff
B. Legal, security, IT, HR, marketing, product, and a business sponsor
C. Internal audit and external counsel only
D. The CISO and the CIO
Explanation: Privacy is cross-functional. ISACA guidance recommends a steering committee that includes legal, security, IT, HR, marketing, product, and an executive business sponsor so that each function with personal data exposure participates in decisions and trade-offs.

4. Under GDPR Article 37, which condition triggers a mandatory DPO appointment?
A. Any organization with more than 50 employees
B. Core activities consisting of large-scale, regular and systematic monitoring of data subjects, or large-scale processing of special categories of data
C. Any organization that processes any personal data
D. Only public authorities established outside the EU
Explanation: GDPR Article 37(1) mandates DPOs for public authorities and for controllers/processors whose core activities involve large-scale, regular and systematic monitoring of data subjects or large-scale processing of special categories of data or criminal conviction data.

5. Which role is primarily responsible for translating privacy requirements into technical and operational controls within engineering teams?
A. Data Protection Officer (DPO)
B. Business Information Security Officer (BISO) or Privacy Engineer
C. Chief Compliance Officer
D. Data subject
Explanation: A BISO or privacy engineer embedded in engineering translates privacy policy and risk decisions into concrete technical controls (encryption, minimization, access patterns). The DPO provides advice and monitoring; compliance officers oversee broader regulatory adherence.

6. An organization is selecting a privacy program framework. Which standard is purpose-built as a Privacy Information Management System extension to ISO/IEC 27001?
A. ISO/IEC 27001
B. ISO/IEC 27701
C. ISO 31000
D. ISO 9001
Explanation: ISO/IEC 27701 extends ISO/IEC 27001 and 27002 with controller and processor requirements for a Privacy Information Management System (PIMS). ISO 27001 is information security; ISO 31000 is enterprise risk; ISO 9001 is quality management.

7. Which NIST Privacy Framework function focuses on developing and implementing the organizational understanding to manage privacy risk?
A. Identify-P
B. Govern-P
C. Control-P
D. Communicate-P
Explanation: Identify-P develops organizational understanding of privacy risk: inventory and mapping, business environment, risk assessment, and data processing ecosystem risk management. Govern-P sets policy and accountability; Control-P implements controls; Communicate-P enables transparency.

8. Which NIST Privacy Framework function specifically focuses on developing organizational policies, processes, and procedures to ensure privacy values are reflected throughout the enterprise?
A. Identify-P
B. Govern-P
C. Protect-P
D. Control-P
Explanation: Govern-P develops and implements organizational governance to ensure privacy strategy is established, communicated, and enforced. Protect-P focuses on data protection safeguards (similar to the Cybersecurity Framework's Protect function), and Control-P enables individual data management.

9. A board asks for evidence that the privacy program is operating effectively. Which set of metrics best demonstrates program performance?
A. Number of marketing emails sent and click-through rates
B. DSAR response time, breach notification timeliness, training completion, vendor risk assessment closure rate, and PIA coverage
C. Total revenue and EBITDA
D. Number of new product launches
Explanation: Privacy program metrics should reflect operational effectiveness across rights handling, incident response, awareness, third-party risk, and project-level assessments. Generic financial or marketing metrics do not measure privacy outcomes.

10. Which combination most accurately describes the GDPR concept of accountability under Article 5(2)?
A. The controller must publish all personal data they process
B. The controller is responsible for, and must be able to demonstrate, compliance with the data protection principles
C. Only data subjects are responsible for protecting their own data
D. Processors are exclusively accountable for compliance
Explanation: Article 5(2) places responsibility for, and the burden of demonstrating, compliance with the GDPR principles squarely on the controller. This drives RoPAs, DPIAs, contracts, training, and audit-style evidence retention.

About the CDPSE Exam

The ISACA Certified Data Privacy Solutions Engineer (CDPSE) is a technology-focused privacy certification for engineers, architects, and privacy practitioners who design, implement, and assess privacy solutions. It validates the ability to translate privacy strategy and regulatory obligations (GDPR, CCPA/CPRA, HIPAA, state and international laws) into technical and operational controls across governance, risk and compliance, data life cycle management, and privacy engineering — including privacy by design, privacy enhancing technologies, de-identification, consent management, DSAR workflows, and cross-border transfer architectures.

  • Assessment: 120 multiple-choice questions covering Privacy Governance (20%), Privacy Risk Management and Compliance (18%), Data Life Cycle Management (23%), and Privacy Engineering (39%)
  • Time limit: 3.5 hours
  • Passing score: 450/800
  • Exam fee: $575 (members) / $760 (non-members) plus $50 application fee (ISACA / PSI)

CDPSE Exam Content Outline

  • Privacy Governance (20%): Privacy program structure, policies, roles (DPO, BISO, Privacy Officer), privacy steering committee, management oversight, NIST Privacy Framework (Identify-P, Govern-P, Control-P, Communicate-P, Protect-P), and ISO/IEC 27701 PIMS.
  • Privacy Risk Management and Compliance (18%): PIA/DPIA and threshold analysis, NIST AI RMF, ISO 31000, GDPR (Articles 5-32, lawful basis, DSAR rights, 72-hour breach notification), CCPA/CPRA, HIPAA, COPPA, PIPEDA, GLBA, FERPA, state laws (VCDPA, CPA, CTDPA, UCPA, TDPSA, MHMDA, MODPA), DPDPA, LGPD, PIPL, and EU AI Act privacy provisions.
  • Data Life Cycle Management (23%): Collection minimization, purpose limitation, retention schedule, deletion and erasure (right to be forgotten), data inventory and lineage, classification (Public/Internal/Confidential/Restricted), and data discovery tools (BigID, OneTrust, Securiti, Microsoft Purview, IBM Guardium).
  • Privacy Engineering (39%): Privacy by design (Cavoukian) and privacy by default, FIPPs, PETs (AES-256, tokenization, format-preserving encryption, differential privacy, federated learning, homomorphic encryption, secure multi-party computation), k-anonymity/l-diversity/t-closeness, synthetic data, pseudonymization vs anonymization, NIST SP 800-188, HIPAA Safe Harbor 18 identifiers, expert determination, data flow mapping, trust boundaries, consent management (IAB TCF, Global Privacy Control), DSAR workflows, breach response, vendor due diligence (DPA, SCC, BCR, DPF), and cross-border transfer mechanisms.

How to Pass the CDPSE Exam

What You Need to Know

  • Passing score: 450/800
  • Assessment: 120 multiple-choice questions covering Privacy Governance (20%), Privacy Risk Management and Compliance (18%), Data Life Cycle Management (23%), and Privacy Engineering (39%)
  • Time limit: 3.5 hours
  • Exam fee: $575 (members) / $760 (non-members) plus $50 application fee

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CDPSE Study Tips from Top Performers

1. Allocate the most preparation time to Privacy Engineering — it is 39% of the exam and the most technical domain (PETs, de-identification, PbD, consent management, DSAR automation).
2. Memorize the GDPR articles you will be tested on indirectly: Article 5 principles, Article 6 lawful bases, Article 9 special categories, Article 17 erasure, Article 20 portability, Articles 25 and 32 privacy/security by design, Articles 33 and 34 breach notification, Article 35 DPIA, and Articles 37-39 DPO.
3. Learn the NIST Privacy Framework five functions (Identify-P, Govern-P, Control-P, Communicate-P, Protect-P) and how they map to engineering controls.
4. Distinguish PETs precisely: tokenization vs format-preserving encryption vs pseudonymization vs anonymization vs differential privacy vs federated learning vs homomorphic encryption vs MPC.
5. Be ready to compare US state laws (VCDPA, CPA, CTDPA, UCPA, TDPSA, MHMDA, MODPA) and key international laws (DPDPA, LGPD, PIPL) on consumer rights, sale opt-outs, and sensitive data.
6. Practice cross-border transfer mechanisms: SCCs (modular 2021), BCRs (Article 47), the EU-US Data Privacy Framework (2023 adequacy), and supplementary measures after Schrems II.

Frequently Asked Questions

What is the ISACA CDPSE exam format?

The CDPSE exam contains 120 multiple-choice questions with a 3.5-hour (210-minute) time limit. ISACA reports results on a 200-800 scaled score, and candidates must earn 450 or higher to pass. The exam is delivered through PSI test centers or remote online proctoring.

What are the current CDPSE domain weights?

Per the ISACA Exam Content Outline updated June 2, 2025, CDPSE has four domains: Privacy Governance (20%), Privacy Risk Management and Compliance (18%), Data Life Cycle Management (23%), and Privacy Engineering (39%). Privacy Engineering is the dominant domain at 39%, reflecting the credential's hands-on technical focus.

How much does the CDPSE exam cost?

The CDPSE exam costs $575 USD for ISACA members and $760 for non-members. There is also a one-time $50 application fee for certification once you pass. Maintenance fees and CPE reporting apply once certified.

What experience is required for CDPSE certification?

Anyone can sit the CDPSE exam, but to earn the certification you must verify three years of cumulative privacy experience across the CDPSE domains. ISACA does not require all three years in a single domain. Candidates have five years from the passing date to apply for certification.

How is CDPSE different from CIPP/E or CIPT?

CIPP/E (IAPP) is a privacy-law credential focused on European data protection law. CIPT (IAPP) is a technologist credential focused on privacy by design. CDPSE is a privacy-engineering credential that combines governance, risk and compliance, lifecycle management, and substantial privacy-engineering content (39%) — making it especially relevant for engineers, architects, and security teams implementing privacy controls.

Is the CDPSE exam open or closed book?

The CDPSE exam is closed book and computer-based. Candidates take it through PSI testing centers or remote proctoring with strict ID verification, monitoring, and no outside reference materials. Scratch material handling is governed by the ISACA Candidate Guide.

How should I study for the CDPSE exam?

Study from the current ISACA CDPSE Exam Content Outline (updated June 2, 2025), prioritize Privacy Engineering because it is 39% of the exam, and read the NIST Privacy Framework and ISO/IEC 27701 alongside GDPR Articles 5-34. Practice scenario questions on PIA/DPIA, PETs, de-identification, DSAR workflows, and breach response. Reinforce with timed practice exams to build pacing for the 120-question, 3.5-hour format.