CIPM Exam Prep

CIPM Exam Glossary - 39 Terms

Search the terminology pack for the Certified Information Privacy Manager (CIPM) exam. Use these definitions alongside the study guide and practice questions.

A

Automation
The use of systems or tools to perform privacy-related tasks consistently and reduce manual error.

C

Change velocity
The speed at which systems, processes, or business activities change, affecting privacy risk exposure.
Compensating controls
Alternative safeguards implemented to reduce risk when a primary control cannot be fully applied.
Control owner
The person or function accountable for operating, maintaining, and remediating a specific privacy control.

D

Data inventory
A catalog of personal data assets, systems, flows, and uses maintained to support privacy management.
Data sensitivity
The degree to which data requires protection based on its confidential, personal, or high-risk nature.
Decision tree
A structured logic tool used to guide privacy decisions consistently across common scenarios.
Disposal method
The approved process used to securely delete, destroy, or otherwise dispose of personal data or records.

G

Governance dashboard
A reporting tool that presents privacy metrics and trends to support oversight and decision-making.

I

Incident process
The formal workflow for identifying, assessing, escalating, containing, and documenting privacy incidents.

J

Job aids
Operational reference materials such as checklists, guides, or templates that help staff apply privacy requirements during daily work.

L

Legal basis
The lawful justification for processing personal data under applicable privacy laws.

P

Personal data lifecycle
The end-to-end stages through which personal data passes, including collection, use, sharing, retention, and deletion.
Post-incident review
An analysis conducted after incident response to determine causes, lessons learned, and needed improvements.
Privacy assessment
A structured review of a processing activity to evaluate privacy risks, controls, and compliance requirements.
Privacy audit plan
A structured schedule and scope for auditing privacy controls and activities based on risk and significance.
Privacy control
A safeguard, policy, procedure, or technical measure designed to reduce privacy risk and support compliance.
Privacy exception
An approved deviation from a privacy requirement, typically documented, limited in scope, and subject to review.
Privacy review
A formal evaluation of projects, systems, or processes to identify and address privacy risks before implementation or change.
Processing activity
Any operation performed on personal data, such as collection, use, sharing, storage, or deletion.

R

Record of Processing Activities (ROPA)
Documentation that describes an organization’s personal data processing activities, purposes, categories, and related controls.
Recurring issues analysis
The practice of reviewing repeated privacy errors or failures to identify patterns and improve operations.
Remediation
Corrective action taken to fix identified privacy control gaps, incidents, or compliance weaknesses.
Residual risk
The level of risk that remains after existing controls and safeguards have been applied.
Retention policy
A high-level rule establishing how long records or personal data should be kept.
Retention schedule
A detailed operational document specifying record categories, retention periods, trigger events, owners, and disposal methods.
Risk severity
A measure of how serious a privacy risk is, typically based on impact and likelihood.
Risk treatment
The process of selecting and implementing measures to mitigate, transfer, accept, or avoid identified privacy risks.
Risk-based approach
A method of prioritizing privacy activities according to likelihood, impact, and potential harm.
Roadmap
A planned sequence of privacy program initiatives, priorities, and milestones over a defined period.
Role-based training
Privacy training tailored to specific job functions so personnel receive guidance relevant to their responsibilities.
Root cause analysis
A method for identifying the underlying reasons a privacy issue or incident occurred.

S

Scoping
Defining the boundaries and priorities of privacy reviews, assessments, or program activities.
Sharing arrangement
The documented terms, conditions, and controls governing disclosure of personal data to other parties.

T

Trigger event
A defined event that starts a retention period or initiates disposal of records or personal data.

U

Unauthorized disclosure
The release of personal data to a person or entity not permitted to receive it.

V

Validation
The process of confirming that privacy records, controls, or documentation accurately reflect actual operations.

W

Workflow integration
Embedding privacy requirements and approvals directly into business or engineering processes to improve compliance.
Workflow update
A revision to operational processes to correct weaknesses and better enforce privacy requirements.

About These Definitions

These definitions are loaded from the shared release pack. Use them with the study guide and practice questions to connect vocabulary to exam scenarios.