- What Is Privacy by Design?
- Domain 5 on the CIPT Exam: What You Need to Know
- The 7 Foundational Principles of Privacy by Design
- Privacy by Design vs. Privacy by Default
- Frameworks and Methodologies for Implementing PbD
- Privacy by Design Across the System Development Lifecycle
- Tackling Scenario-Based Privacy by Design Questions
- Study Strategies for Mastering Domain 5
- Common Exam Mistakes to Avoid
- Frequently Asked Questions
What Is Privacy by Design?
Privacy by Design (PbD) is a framework developed by Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario, Canada. At its core, PbD argues that privacy cannot be an afterthought or a bolt-on compliance exercise — it must be embedded directly into the architecture of IT systems, business practices, and organizational processes from the very beginning. This concept has become one of the most influential frameworks in modern data protection, enshrined in regulations like the GDPR (Article 25) and forming the backbone of Domain 5 on the Certified Information Privacy Technologist (CIPT) exam.
For technology professionals preparing for the CIPT, understanding Privacy by Design is not optional — it is essential. Domain 5 tests your ability to apply PbD principles to real-world engineering scenarios, evaluate system designs through a privacy lens, and recommend architectures that minimize data exposure while maintaining functionality. If you are building your overall study plan, our complete IAPP certification study guide for 2026 covers all five domains in a structured approach.
Privacy by Design is not just a theoretical framework for the exam. The CIPT is the only IAPP credential specifically designed for technology and engineering professionals, which means exam questions expect you to translate PbD principles into concrete technical decisions — selecting architectures, configuring defaults, choosing storage strategies, and designing user interfaces that respect privacy.
Domain 5 on the CIPT Exam: What You Need to Know
Following the 2025–2026 Body of Knowledge restructuring, the CIPT exam was reduced from seven domains to five. Privacy by Design now sits as Domain 5 in the current BoK, and it synthesizes concepts that span across many of the other domains. This makes it both a standalone topic and an integrative capstone — expect questions that require you to combine PbD principles with knowledge from data collection practices, risk management, and privacy-enhancing technologies.
The exam uses a scaled scoring system from 100 to 500, and you need a score of 300 to pass. Of the 90 questions, only 75 are scored — the remaining 15 are unscored field-test items that IAPP uses for future exam development. You will not know which questions are unscored, so treat every question seriously. For a deeper look at how scoring works, see our guide on how the 300/500 scaled passing score really works.
The 7 Foundational Principles of Privacy by Design
Dr. Cavoukian's framework is built on seven foundational principles. For the CIPT exam, you must know these principles by name, understand their intent, and — critically — be able to apply each one to technology-focused scenarios. Memorizing the list alone is not enough. Here are the principles with their exam-relevant implications:
Principle 1: Proactive Not Reactive; Preventative Not Remedial
Privacy by Design anticipates and prevents privacy-invasive events before they happen. It does not wait for privacy risks to materialize and then offer remedies. On the exam, look for answers that emphasize prevention over detection. A system that flags a privacy violation after it occurs is reactive — a system that prevents the violation from being possible in the first place is proactive.
Principle 2: Privacy as the Default Setting
The default configuration of any system must protect privacy without requiring user action. If a user does nothing, privacy should be maximized. Exam questions frequently test this principle by presenting system configurations where data sharing, tracking, or public visibility is enabled by default — these violate the principle. The correct answer defaults to the most privacy-protective setting.
Principle 3: Privacy Embedded into Design
Privacy is built into the core architecture and design of systems — not layered on as an add-on. This principle means privacy is an essential component of the system being delivered, not a separate feature. For exam scenarios, look for architectural choices that integrate privacy protections directly into data flows, not bolt-on compliance tools that sit outside the system.
Principle 4: Full Functionality (Positive-Sum, Not Zero-Sum)
PbD rejects the idea that privacy must come at the cost of functionality or security. It is possible to have both privacy and full system capability — a positive-sum outcome. On the exam, be wary of answer choices that frame privacy as a trade-off. The correct PbD approach finds solutions that deliver both business goals and strong privacy protections simultaneously.
Principle 5: End-to-End Security (Full Lifecycle Protection)
Data must be securely managed throughout its entire lifecycle: collection, use, storage, transfer, and destruction. This principle bridges directly into Domain 2 (Data Collection, Use, Dissemination, and Destruction) and demands encryption at rest, encryption in transit, secure deletion, and access controls at every stage.
Principle 6: Visibility and Transparency (Keep It Open)
All stakeholders must be able to verify that the system operates according to stated privacy policies. This means clear documentation, audit trails, and openness about data practices. Exam questions may present scenarios where organizations collect data with vague or hidden terms — transparency demands explicit, understandable disclosure.
Principle 7: Respect for User Privacy (Keep It User-Centric)
Above all, Privacy by Design keeps the interests of the individual paramount. This means offering granular consent options, strong defaults, meaningful user controls, and clear communication. Technical implementations should empower users — not overwhelm them with confusing interfaces or bury privacy settings deep in menus.
CIPT exam questions may reference these principles by their number, their full name, or their shorthand description. Be comfortable recognizing each principle in all three forms. For example, "Principle 4" equals "Full Functionality" equals "Positive-Sum, Not Zero-Sum." Practice mapping between these representations quickly, especially under time pressure during the 150-minute exam window.
Privacy by Design vs. Privacy by Default
One of the most frequently tested distinctions on the CIPT exam is the difference between Privacy by Design and Privacy by Default. While related, they are distinct concepts, and the exam expects you to differentiate them clearly.
| Aspect | Privacy by Design | Privacy by Default |
|---|---|---|
| Scope | Encompasses the entire system architecture, business processes, and organizational culture | Focuses specifically on the default settings and configurations of a system |
| When Applied | From the earliest design phase through the entire lifecycle | At the point of deployment and initial user interaction |
| User Action Required | No — privacy is embedded regardless of user behavior | No — the most privacy-protective settings apply automatically |
| GDPR Reference | Article 25(1) — Data protection by design | Article 25(2) — Data protection by default |
| Example | Architecting a system that minimizes data collection at every stage | Setting a social media profile to "private" rather than "public" by default |
| Relationship | The broader framework that encompasses Privacy by Default | A specific implementation principle within Privacy by Design (Principle 2) |
Privacy by Default is actually Principle 2 within the broader Privacy by Design framework. Think of Privacy by Design as the comprehensive philosophy, and Privacy by Default as one critical implementation requirement within that philosophy. On the exam, if a question asks about the relationship between the two, the answer is that Privacy by Default is a subset of Privacy by Design.
Frameworks and Methodologies for Implementing PbD
The CIPT exam does not just test whether you know what Privacy by Design is — it tests whether you know how to implement it. Several frameworks and methodologies translate PbD principles into actionable engineering guidance.
Privacy Design Strategies (Hoepman's Strategies)
Jaap-Henk Hoepman's eight privacy design strategies are a critical study topic for Domain 5. These strategies bridge the gap between abstract PbD principles and concrete technical implementations. They are divided into two categories:
Data-Oriented Strategies:
- Minimize — Limit the processing of personal data to the smallest amount necessary. Collect only what you need, when you need it.
- Separate — Process personal data in a distributed fashion, preventing linkability. Use separate databases or systems for different data types.
- Abstract — Limit the detail of personal data being processed. Use aggregation, generalization, and perturbation techniques.
- Hide — Prevent personal data from becoming public or being accessed by unauthorized parties. Encrypt, hash, or otherwise obscure data.
Process-Oriented Strategies:
- Inform — Provide data subjects with adequate information about data processing activities.
- Control — Provide data subjects with mechanisms to control the processing of their personal data.
- Enforce — Commit to processing personal data in a privacy-compatible way and enforce this commitment through technical and organizational measures.
- Demonstrate — Be able to demonstrate compliance with privacy policies and applicable regulations through auditing and accountability measures.
Hoepman's strategies map directly to privacy-enhancing technologies (PETs) covered in Domain 4. For example, the "Hide" strategy connects to encryption and anonymization, while the "Abstract" strategy connects to k-anonymity and differential privacy. Study these connections, as the exam frequently asks you to match a strategy to its implementing technology. Our guide on CIPT Privacy-Enhancing Technologies explores these PETs in depth.
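The four data-oriented strategies applied in sequence to a single record, as an added example that is not from the original article or the IAPP textbook: the health-app record, the list of fields the research purpose needs, and the pseudonymisation key are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample record (not real data): the kind of row a mobile
# health app might hold before sharing trends with outside researchers.
RAW_RECORD = {
    "user_id": "u-1001",
    "email": "alex@example.com",
    "name": "Alex Example",
    "age": 34,
    "gps": (43.65312, -79.38318),   # precise latitude / longitude
    "heart_rate": 72,
    "diet_log": ["oatmeal", "salad"],
    "device_ad_id": "AD-7F3E",      # advertising id, irrelevant to research
}

# Assumption: only these fields serve the stated purpose (aggregate trends).
REQUIRED_FIELDS = {"user_id", "age", "gps", "heart_rate", "diet_log"}

# Assumed pseudonymisation key; a real deployment keeps it in a secrets store.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def hide(record, key=PSEUDONYM_KEY):
    """HIDE: replace the direct identifier with a keyed pseudonym (HMAC-SHA256).
    Without the key, the original user_id cannot be recovered or re-derived."""
    out = dict(record)
    if "user_id" in out:
        digest = hmac.new(key, out["user_id"].encode(), hashlib.sha256)
        out["user_id"] = digest.hexdigest()[:16]   # truncated for readability
    return out


def separate(record):
    """SEPARATE: keep contact/identity fields in a different store from the
    health data, so the two stores share nothing but the pseudonym."""
    identity_fields = {"email", "name"}
    identity_store = {k: v for k, v in record.items() if k in identity_fields}
    identity_store["pseudonym"] = record["user_id"]
    health_store = {k: v for k, v in record.items() if k not in identity_fields}
    return identity_store, health_store


def minimize(record, required=REQUIRED_FIELDS):
    """MINIMIZE: drop every field the stated purpose does not need."""
    return {k: v for k, v in record.items() if k in required}


def abstract(record):
    """ABSTRACT: coarsen detail (age to a 10-year band, GPS to roughly 1 km)."""
    out = dict(record)
    if "age" in out:
        low = (out["age"] // 10) * 10
        out["age"] = f"{low}-{low + 9}"
    if "gps" in out:
        lat, lon = out["gps"]
        out["gps"] = (round(lat, 2), round(lon, 2))  # 0.01 degree is about 1 km
    return out


def prepare_for_research(record, key=PSEUDONYM_KEY):
    """Apply the four data-oriented strategies in order and return
    (identity_store, research_record): the first stays inside the
    organisation, the second is what may leave it."""
    identity_store, health = separate(hide(record, key))
    return identity_store, abstract(minimize(health))


if __name__ == "__main__":
    identity, research = prepare_for_research(RAW_RECORD)
    print("identity store :", identity)
    print("research record:", research)
```

The identity store and the research record can only be re-joined by someone who holds both stores, which is the linkability that Separate is meant to break; Hide ensures the pseudonym itself reveals nothing without the key.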
Data Protection Impact Assessments (DPIAs)
A DPIA is a formal process for evaluating the impact of a data processing activity on the privacy of individuals. Under GDPR, DPIAs are mandatory when processing is "likely to result in a high risk" to individuals' rights and freedoms. For the CIPT exam, understand that DPIAs are a practical mechanism for operationalizing Privacy by Design — they force organizations to evaluate privacy risks before a system goes live. DPIAs connect directly to Domain 3 concepts, so review our privacy risk management and LINDDUN exam prep guide for the risk assessment angle.
Privacy Patterns and Anti-Patterns
Just as software engineering has design patterns, privacy engineering recognizes recurring solutions to common privacy challenges. The exam may present scenarios that describe a system design and ask whether it follows a privacy pattern or an anti-pattern. Key patterns to know include:
- Sticky Policies — Privacy policies that travel with the data, ensuring protections are maintained regardless of where data is transferred.
- Data Minimization at Collection — Collecting only the fields strictly necessary for the stated purpose, not "just in case" fields.
- Progressive Disclosure — Asking for more data only as trust increases or when it becomes genuinely necessary for a new function.
- Anonymization Pipelines — Stripping identifying information before data enters analytics or research environments.
Privacy by Design Across the System Development Lifecycle
One of the most practical areas tested in Domain 5 is the integration of PbD into the system development lifecycle (SDLC). The exam expects you to know where and how privacy considerations enter each phase of development.
| SDLC Phase | Privacy by Design Activities | Key Deliverables |
|---|---|---|
| Requirements | Identify privacy requirements, define data minimization goals, document consent mechanisms | Privacy requirements specification, data flow diagrams |
| Design | Select privacy-preserving architectures, apply Hoepman's strategies, conduct threat modeling | Privacy architecture document, DPIA |
| Implementation | Use secure coding practices, implement access controls, apply encryption standards | Code reviews with privacy checklist, security controls |
| Testing | Perform privacy testing, validate consent flows, verify data minimization | Privacy test results, penetration test reports |
| Deployment | Verify default settings, confirm privacy notices, enable user controls | Deployment privacy checklist, privacy by default verification |
| Maintenance | Monitor for privacy incidents, update DPIAs, manage data retention and deletion | Incident response logs, updated privacy documentation |
For exam questions about the SDLC, remember that PbD is not confined to the design phase. It touches every phase, from requirements gathering through ongoing maintenance. A system that has a perfect privacy design but fails to properly delete data at end-of-life violates Principle 5 (End-to-End Security).
Tackling Scenario-Based Privacy by Design Questions
The CIPT exam is known for its scenario-based format. Rather than asking you to recite definitions, questions present a business or technology scenario and ask you to identify the best privacy approach. Here is how to break down PbD scenario questions:
Step-by-Step Approach to PbD Scenarios
- Identify the data flows. Before evaluating privacy, understand what personal data is being collected, where it goes, who processes it, and how long it is retained.
- Map to PbD principles. Determine which of the seven principles are most relevant to the scenario. Most questions focus on one or two principles, not all seven.
- Evaluate the answer choices against positive-sum outcomes. Eliminate any answer that frames privacy as a trade-off against functionality. The correct PbD answer achieves both.
- Check the defaults. If the scenario describes system configuration, verify that the correct answer sets privacy-protective defaults — not settings that require users to opt out.
- Look for proactive measures. The correct answer almost always describes a preventive action, not a reactive response to a privacy problem.
The best way to get comfortable with scenario-based PbD questions is through repeated practice. Work through CIPT practice test questions that specifically target Domain 5 scenarios. Focus on understanding why each correct answer aligns with PbD principles, not just memorizing the answer. For additional study strategies, check out our free sample questions and study strategies.
Sample Scenario Walkthrough
Scenario: A mobile health app collects user location data, biometric readings, and dietary logs. The product team wants to share aggregated health trends with third-party researchers. The app currently requires users to navigate through five menu levels to disable location tracking.
Analysis: This scenario raises multiple PbD concerns. First, the deeply buried location setting violates Principle 2 (Privacy as the Default) — location tracking should be off by default, not hidden behind five menus. Second, sharing data with third-party researchers requires examination under Principle 6 (Visibility and Transparency) — users must be clearly informed about this sharing. Third, Principle 7 (Respect for User Privacy) demands that user controls be accessible and meaningful, not buried. The correct exam answer would address the default settings first, since that is the most direct PbD violation in the scenario.
Study Strategies for Mastering Domain 5
Domain 5 requires a different study approach than more technical domains. While Domains 2 through 4 test specific technologies and processes, Domain 5 tests your ability to think like a privacy architect. Here are targeted strategies:
Build a Principle-to-Practice Matrix
Create a study sheet that maps each of the seven PbD principles to at least three real-world technology examples. For instance, under Principle 1 (Proactive Not Reactive), list specific proactive measures like privacy threat modeling during design, automated data classification at ingestion, and scheduled data deletion jobs. This exercise forces you to move beyond memorization into application — exactly what the exam demands.
Study the Official Textbook Thoroughly
The IAPP's official textbook, An Introduction to Privacy for Technology Professionals (2nd Edition), is the primary source material for all five CIPT domains. The PbD chapter is especially important because Domain 5 integrates concepts from across the entire book. Invest time in reading this chapter carefully, noting how the textbook connects PbD to topics covered elsewhere. For a discussion of all study materials and their costs, refer to our breakdown of CIPT certification costs for 2026.
Practice with Timed Conditions
The CIPT gives you 150 minutes (including an optional 15-minute break) for 90 questions. That works out to roughly 1.5 minutes per question. PbD scenario questions tend to be longer and require more reading time than straightforward knowledge questions. Practice Domain 5 questions under timed conditions using our practice test platform to build speed without sacrificing comprehension.
Cross-Reference with Other Domains
Privacy by Design does not exist in isolation on the exam. Questions may test PbD in the context of:
- Domain 1 — The privacy technologist's role in embedding PbD within organizational culture
- Domain 2 — Applying data minimization (PbD Principles 1 and 2) during collection and destruction
- Domain 3 — Using DPIAs and threat models as PbD implementation tools
- Domain 4 — Selecting PETs that fulfill PbD strategies like Hide, Separate, and Abstract
Common Exam Mistakes to Avoid
Based on common candidate experiences and IAPP guidance, here are the most frequent mistakes CIPT candidates make on Privacy by Design questions:
Choosing Reactive Answers Over Proactive Ones
When a scenario describes a privacy problem, candidates often choose answers that address the symptoms (like sending breach notifications or adding monitoring) rather than answers that prevent the problem entirely (like redesigning the data flow or changing defaults). Always prioritize prevention. If the scenario asks for the best approach, the proactive answer is almost always correct.
Additional Pitfalls
- Confusing Privacy by Design with security. PbD encompasses security but is broader. An answer that only addresses encryption or access control without considering data minimization, transparency, or user control is incomplete from a PbD perspective.
- Accepting false trade-offs. If an answer implies that you must sacrifice privacy for functionality (or vice versa), it violates Principle 4. The correct PbD answer finds the positive-sum solution.
- Ignoring the lifecycle. PbD applies from design through destruction. Candidates who focus only on the collection or processing phase miss questions about secure deletion, retention limits, or end-of-life data handling.
- Overlooking user-centricity. Some candidates gravitate toward technically sophisticated answers that miss the human element. Principle 7 demands that systems respect and empower the individual user. If an answer is technically brilliant but confusing to users, it fails PbD.
If you are concerned about exam difficulty overall, our analysis of CIPT exam difficulty provides a realistic assessment of what to expect across all five domains and how Domain 5 compares to the rest.
Privacy by Design in the Regulatory Landscape
Understanding how PbD has been codified in law and regulation strengthens your ability to answer exam questions that reference specific legal frameworks. Key regulatory touchpoints include:
- GDPR Article 25 — Explicitly requires "data protection by design and by default," making PbD a legal obligation for organizations processing EU residents' data.
- Canadian PIPEDA — While PbD originated in Canada, PIPEDA does not explicitly mandate it. However, the Office of the Privacy Commissioner of Canada has endorsed PbD principles in guidance documents.
- US State Laws — Several US state privacy laws (including the Colorado Privacy Act and Connecticut Data Privacy Act) reference data protection assessments that operationalize PbD concepts.
- ISO 31700 — Published in 2023, this international standard provides specific requirements for consumer goods and services to implement Privacy by Design, giving the framework formal standardization status.
The CIPT exam is not a legal exam — that is the domain of the CIPP credentials. But understanding regulatory context helps you answer questions about why PbD matters organizationally and how privacy technologists justify PbD investments to leadership. If you are weighing which certification to pursue, our comparison of CIPT vs CIPP can help you decide.
Frequently Asked Questions
How much of the CIPT exam covers Privacy by Design?
IAPP does not publish exact domain weightings for the CIPT exam. However, Domain 5 is one of the five tested domains in the current 2025–2026 Body of Knowledge, and its principles are cross-referenced throughout other domains. Candidates consistently report that PbD concepts appear both in dedicated Domain 5 questions and integrated into scenario questions from other domains. Allocate study time proportionally — roughly 20% of your preparation should focus on PbD, with additional review of how PbD connects to the other four domains.
Do I need to memorize all seven Privacy by Design principles?
You should know each principle by name and number, and be able to describe its core intent. However, the CIPT exam prioritizes application over rote memorization. You are far more likely to encounter a scenario where you must identify which principle is being violated or applied than a question that simply asks you to list the principles. Focus your study on recognizing principles in context rather than reciting exact phrasing.
What is the difference between Cavoukian's principles and Hoepman's strategies?
Cavoukian's 7 PbD principles are high-level organizational guidelines — they describe what Privacy by Design looks like. Hoepman's 8 privacy design strategies are engineering-level guidance — they describe how to implement PbD in software systems. Think of Cavoukian's principles as the "why and what" and Hoepman's strategies as the "how." Both are tested on the CIPT exam, and you should understand how they relate to each other.
Can Privacy by Design questions appear in other domains?
Absolutely. PbD is inherently cross-cutting. A question about implementing data minimization during collection (Domain 2) is also a PbD question. A question about selecting the right privacy-enhancing technology (Domain 4) may be framed within a PbD context. The CIPT exam frequently combines concepts from multiple domains in a single question. This is why studying domains in isolation is risky — practice with integrated scenarios using CIPT practice tests that mirror this cross-domain approach.
How does the CIPT's coverage of Privacy by Design differ from the CIPP's?
The CIPT tests PbD from a technology implementation perspective — how to architect systems, configure defaults, select technical controls, and integrate privacy into the SDLC. A CIPP exam tests PbD from a legal and policy perspective — what the regulations require, how to interpret Article 25 of the GDPR, and organizational compliance obligations. The CIPT expects you to be the engineer who builds privacy in, not just the advisor who recommends it. Earning both the CIPT and a CIPP credential qualifies you for the Fellow of Information Privacy (FIP) designation.
Ready to Start Practicing?
Domain 5 demands more than textbook knowledge — it requires the ability to apply Privacy by Design principles to realistic scenarios under time pressure. Our CIPT practice tests include scenario-based questions that mirror the actual exam format, with detailed explanations connecting each answer to specific PbD principles and Hoepman's strategies. Build the pattern recognition you need to pass with confidence.