1.5 Study Plan & Test Strategy
Key Takeaways
- Use the IAPP textbook and the GDPR text together so you can apply articles, not just read summaries.
- Budget roughly 100 seconds per question to finish 90 items in 2.5 hours with time to review.
- A realistic plan is 6-8 weeks, front-loading Domains II and III, then drilling specific-context scenarios.
- Practice mixed, timed question sets so you can tell similar GDPR obligations apart under pressure.
- Flag uncertain items, answer everything (no penalty for guessing), and use the scheduled midpoint break to reset.
Study Plan and Test Strategy
Quick Answer: Most candidates pass with a 6-8 week plan that front-loads Domains II and III, uses the IAPP study materials alongside the GDPR text, and finishes with mixed, timed practice. On test day, pace at about 100 seconds per question (90 items in 150 minutes), answer everything (there is no guessing penalty), and flag uncertain items to revisit.
Depth beats breadth: knowing the high-weight domains cold is worth more than thin coverage of everything. The IAPP suggests at least 30 hours of preparation, but candidates new to EU law typically need 40-60 hours. The biggest predictor of failure is reading passively — skimming the textbook without testing application — so build active recall and timed drilling into the plan from week one.
What to Study With
- IAPP study materials — the European Data Protection: Law and Practice textbook and the official practice exam are the closest match to exam scope and tone. The practice exam is worth buying because it calibrates your sense of the scenario style.
- The GDPR text itself — read the high-yield articles so you can apply them, not just recognize them:
| Article(s) | Topic |
|---|---|
| 3, 4 | Territorial scope and key definitions |
| 5 | Principles (lawfulness, fairness, transparency, purpose limitation, minimization, accuracy, storage limitation, integrity, accountability) |
| 6, 7, 9 | Lawful bases, consent conditions, special categories |
| 12-22 | Transparency and data subject rights |
| 24, 28 | Controller responsibility and processor contracts |
| 32-35 | Security, breach notification, DPIAs |
| 37-39 | DPO appointment, position, tasks |
| 44-49 | International transfers |
| 83 | Two-tier administrative fines |
- ePrivacy Directive — cookies, e-marketing consent, and the GDPR-vs-ePrivacy distinction (Domain V).
- OpenExamPrep practice questions — free CIPP/E questions mapped to the five-domain blueprint, with AI-powered review to drill weak areas.
A Realistic 6-8 Week Plan
| Week(s) | Focus | Goal |
|---|---|---|
| Week 1 | Domain I + orientation | Learn EU institutions, the EDPB, Convention 108+, the Charter, and the legislative framework |
| Weeks 2-3 | Domain II (core GDPR) | Concepts, controller/processor roles, security (Art. 32), data subject rights (Art. 15-22) |
| Weeks 4-5 | Domain III (processing) | The six lawful bases, special categories, transparency (Art. 13-14), international transfers (Chapter V) |
| Week 6 | Domains IV + V | Scope (Art. 3), accountability, DPIAs, DPOs, fines; then employment, cookies, marketing, surveillance |
| Weeks 7-8 | Mixed timed review | Full-length, timed practice; rework every missed item and the reasoning behind it |
If EU privacy law is new to you, stretch the middle weeks rather than skipping the timed review. Never cut the week 7-8 timed phase — that is where you learn to tell near-identical obligations apart at speed.
Active-recall tactics
- After each domain, write the rule and one scenario that would trigger it from memory.
- Build a one-page comparison of the six lawful bases with a tell-tale fact pattern for each.
- Keep an error log: tag every miss as role / basis / timing / transfer / scope so you can see your weakest pivot.
Test-Day Strategy
- Pace: 90 questions in 150 minutes is about 100 seconds each. Do a quick pace check at item 30 (you should be near the 50-minute mark) and item 60. Do not stall on any single item.
- No guessing penalty: Scoring counts correct answers only, so never leave a question blank. An educated guess can only help, and eliminating even one distractor lifts your odds.
- Flag and move: Mark hard items, keep moving, and return with leftover time. The interface allows review and changing answers within the window.
- Use the break: A scheduled break is offered near the midpoint; use it to reset focus, hydrate, and shake off a tricky run of questions. Confirm whether the section clock pauses under the current policy before you rely on it.
- Trust the facts: When two answers feel close, re-read the scenario stem and pick the one that fits the specific facts, not the most familiar rule. Resist changing a first instinct unless you find a concrete fact you missed.
Final Readiness Check
Before booking, you should be:
- Scoring consistently above the cut on timed, mixed practice (aim for a comfortable margin: 75-80% or higher).
- Assigning controller vs. processor vs. joint controller roles quickly and correctly.
- Selecting a lawful basis with a clear reason why the alternatives fail.
- Reciting the 72-hour breach clock, the DPIA triggers, and the 2% / 4% fine tiers from memory.
- Distinguishing the GDPR from the ePrivacy Directive on cookies and e-marketing.
When those are automatic, schedule the exam — confidence under time pressure is the last gate to clear.
Common preparation mistakes to avoid
- Memorizing article numbers instead of fact patterns. The exam asks you to apply a rule to a scenario, not to cite "Article 17."
- Skipping the ePrivacy and specific-context material (Domain V), which is easy points if you study it and easy losses if you do not.
- Studying only from a pre-September-2025 resource, which will miss the EU AI Act, Data Act, and EU-U.S. Data Privacy Framework additions in Version 1.3.3.
- Doing untimed practice only. Accuracy without speed fails on test day; always practice against the clock in the final two weeks.
- Over-investing in Domain I. Its 7-13 range is the smallest; cap your time there and reallocate to Domains II and III.
With 90 questions and a 2.5-hour limit, roughly how much time can you spend per question, and what should you do with items you are unsure about?
Which study approach best matches how CIPP/E items are scored and written?