1.5 Study Plan & Test Strategy

Key Takeaways

  • Use the IAPP textbook and the GDPR text together so you can apply articles, not just read summaries.
  • Budget roughly 100 seconds per question to finish 90 items in 2.5 hours with time to review.
  • A realistic plan is 6-8 weeks, front-loading Domains II and III, then drilling specific-context scenarios.
  • Practice mixed, timed question sets so you can tell similar GDPR obligations apart under pressure.
  • Flag uncertain items, answer everything (no penalty for guessing), and use the scheduled midpoint break to reset.
Last updated: June 2026

Study Plan and Test Strategy

Quick Answer: Most candidates pass with a 6-8 week plan that front-loads Domains II and III, uses the IAPP study materials alongside the GDPR text, and finishes with mixed, timed practice. On test day, pace at about 100 seconds per question (90 items in 150 minutes), answer everything (there is no guessing penalty), and flag uncertain items to revisit.

Depth beats breadth: knowing the high-weight domains cold is worth more than thin coverage of everything. The IAPP suggests at least 30 hours of preparation, but candidates new to EU law typically need 40-60 hours. The biggest predictor of failure is reading passively — skimming the textbook without testing application — so build active recall and timed drilling into the plan from week one.

What to Study With

  • IAPP study materials — the European Data Protection: Law and Practice textbook and the official practice exam are the closest match to exam scope and tone. The practice exam is worth buying because it calibrates your sense of the scenario style.
  • The GDPR text itself — read the high-yield articles so you can apply them, not just recognize them:
Article(s)Topic
3, 4Territorial scope and key definitions
5Principles (lawfulness, fairness, transparency, purpose limitation, minimization, accuracy, storage limitation, integrity, accountability)
6, 7, 9Lawful bases, consent conditions, special categories
12-22Transparency and data subject rights
24, 28Controller responsibility and processor contracts
32-35Security, breach notification, DPIAs
37-39DPO appointment, position, tasks
44-49International transfers
83Two-tier administrative fines
  • ePrivacy Directive — cookies, e-marketing consent, and the GDPR-vs-ePrivacy distinction (Domain V).
  • OpenExamPrep practice questions — free CIPP/E questions mapped to the five-domain blueprint, with AI-powered review to drill weak areas.

A Realistic 6-8 Week Plan

Week(s)FocusGoal
Week 1Domain I + orientationLearn EU institutions, the EDPB, Convention 108+, the Charter, and the legislative framework
Weeks 2-3Domain II (core GDPR)Concepts, controller/processor roles, security (Art. 32), data subject rights (Art. 15-22)
Weeks 4-5Domain III (processing)The six lawful bases, special categories, transparency (Art. 13-14), international transfers (Chapter V)
Week 6Domains IV + VScope (Art. 3), accountability, DPIAs, DPOs, fines; then employment, cookies, marketing, surveillance
Weeks 7-8Mixed timed reviewFull-length, timed practice; rework every missed item and the reasoning behind it

If EU privacy law is new to you, stretch the middle weeks rather than skipping the timed review. Never cut the week 7-8 timed phase — that is where you learn to tell near-identical obligations apart at speed.

Active-recall tactics

  • After each domain, write the rule and one scenario that would trigger it from memory.
  • Build a one-page comparison of the six lawful bases with a tell-tale fact pattern for each.
  • Keep an error log: tag every miss as role / basis / timing / transfer / scope so you can see your weakest pivot.

Test-Day Strategy

  • Pace: 90 questions in 150 minutes is about 100 seconds each. Do a quick pace check at item 30 (you should be near the 50-minute mark) and item 60. Do not stall on any single item.
  • No guessing penalty: Scoring counts correct answers only, so never leave a question blank. An educated guess can only help, and eliminating even one distractor lifts your odds.
  • Flag and move: Mark hard items, keep moving, and return with leftover time. The interface allows review and changing answers within the window.
  • Use the break: A scheduled break is offered near the midpoint; use it to reset focus, hydrate, and shake off a tricky run of questions. Confirm whether the section clock pauses under the current policy before you rely on it.
  • Trust the facts: When two answers feel close, re-read the scenario stem and pick the one that fits the specific facts, not the most familiar rule. Resist changing a first instinct unless you find a concrete fact you missed.

Final Readiness Check

Before booking, you should be:

  • Scoring consistently above the cut on timed, mixed practice (aim for a comfortable 75-80%+ margin).
  • Assigning controller vs. processor vs. joint controller roles quickly and correctly.
  • Selecting a lawful basis with a clear reason why the alternatives fail.
  • Reciting the 72-hour breach clock, the DPIA triggers, and the 2% / 4% fine tiers from memory.
  • Distinguishing the GDPR from the ePrivacy Directive on cookies and e-marketing.

When those are automatic, schedule the exam — confidence under time pressure is the last gate to clear.

Common preparation mistakes to avoid

  • Memorizing article numbers instead of fact patterns. The exam asks you to apply a rule to a scenario, not to cite "Article 17."
  • Skipping the ePrivacy and specific-context material (Domain V), which is easy points if you study it and easy losses if you do not.
  • Studying only from a pre-September-2025 resource, which will miss the EU AI Act, Data Act, and EU-U.S. Data Privacy Framework additions in Version 1.3.3.
  • Doing untimed practice only. Accuracy without speed fails on test day; always practice against the clock in the final two weeks.
  • Over-investing in Domain I. Its 7-13 range is the smallest; cap your time there and reallocate to Domains II and III.
Test Your Knowledge

With 90 questions and a 2.5-hour limit, roughly how much time can you spend per question, and what should you do with items you are unsure about?

A
B
C
D
Test Your Knowledge

Which study approach best matches how CIPP/E items are scored and written?

A
B
C
D