ISACA CDPSE Privacy Engineer Practice Test

Try 12 original Certified Data Privacy Solutions Engineer (CDPSE) sample questions on privacy governance, data lifecycle, privacy architecture, control implementation, and privacy-by-design decisions, then use the Notify me form for IT Mastery practice updates.

Certified Data Privacy Solutions Engineer (CDPSE) is an ISACA privacy route for candidates who work with privacy governance, privacy architecture, data lifecycle controls, and implementation of privacy-by-design decisions.

Use these 12 original sample questions for initial self-assessment. The full IT Mastery route for CDPSE is not available yet; try the preview and use the Notify me form if this is your target route.

What this route should test

  • matching privacy risk to design, control, and governance decisions
  • reasoning through data lifecycle, purpose limitation, access, retention, and monitoring
  • translating privacy requirements into implementable technology and process controls
  • recognizing when legal, security, data, or governance teams must be involved

Common candidate trap

CDPSE is not only privacy-law vocabulary. Strong practice should test whether privacy requirements become real system and process controls: data minimization, purpose limitation, consent, retention, access, deletion, logging, and privacy-by-design review.

Sample Exam Questions

These questions are original IT Mastery preview items for privacy engineering and governance judgment. They are not official ISACA exam questions.

Question 1

Topic: privacy by design

A product team wants to collect additional personal data because it might be useful later. What should the privacy engineer challenge first?

  • A. Whether collection is necessary, proportionate, tied to a defined purpose, and governed through the data lifecycle
  • B. Whether the field label is short
  • C. Whether the data can be exported quickly
  • D. Whether the form has enough colours

Best answer: A

Explanation: Privacy by design starts with purpose and minimization. Collecting data just because it might be useful later creates avoidable privacy risk.


Question 2

Topic: data lifecycle

A system retains customer records indefinitely after account closure. What is the most relevant privacy concern?

  • A. The database name
  • B. The number of dashboard widgets
  • C. The login-page image
  • D. Retention rules, deletion or anonymization, legal holds, and documented lifecycle controls

Best answer: D

Explanation: Personal data should have lifecycle controls. Retention, deletion, anonymization, exceptions, and legal holds should be documented and implemented.


Question 3

Topic: consent implementation

Marketing consent is captured in one system, but campaign tools do not receive updates for several days. What should be addressed?

  • A. Consent synchronization, timeliness, source of truth, and suppression behavior
  • B. The campaign template colour
  • C. Whether every user can edit consent manually
  • D. The length of the campaign name

Best answer: A

Explanation: Consent must be operationally enforceable. Delayed synchronization can cause communications that violate user preferences or obligations.


Question 4

Topic: access control

Support agents need order history but not full government ID numbers. What control best fits the privacy requirement?

  • A. Give agents full database access
  • B. Remove all support access
  • C. Role-based access and masking or minimization of sensitive fields not needed for support
  • D. Email full records to agents

Best answer: C

Explanation: Access should match the job need. Masking, field-level controls, and minimization reduce exposure while preserving business function.


Question 5

Topic: privacy impact assessment

A new analytics feature profiles customer behavior across several sources. What should happen before launch?

  • A. Skip privacy review because analytics is internal
  • B. Publish the feature immediately
  • C. Delete the data catalog
  • D. Perform privacy risk assessment with data mapping, purpose, safeguards, stakeholder review, and mitigation

Best answer: D

Explanation: Profiling and cross-source analytics can create privacy risk. A structured assessment identifies data flows, purposes, safeguards, and mitigation.


Question 6

Topic: data inventory

A privacy team cannot answer which systems store employee addresses. What foundational capability is missing?

  • A. A new website banner
  • B. Data inventory or mapping that identifies systems, data categories, owners, purposes, and flows
  • C. More generic policy text only
  • D. A password reset workflow

Best answer: B

Explanation: Privacy programs depend on knowing where data lives, why it is processed, who owns it, and where it flows.


Question 7

Topic: deletion requests

A user requests deletion, but one system must retain transaction records for legal reasons. What is the best design response?

  • A. Apply deletion where required while documenting lawful retention exceptions and limiting retained data use
  • B. Delete everything without review
  • C. Refuse the entire request without explanation
  • D. Disable all user requests

Best answer: A

Explanation: Deletion rights may have lawful exceptions. The system should support deletion or restriction where appropriate and document justified retention.


Question 8

Topic: third-party sharing

A vendor receives personal data for support analytics. What should be confirmed before sharing?

  • A. The vendor’s logo
  • B. The number of vendor employees
  • C. Purpose, contract terms, security and privacy controls, data minimization, transfer limits, and monitoring
  • D. Whether the vendor has a public blog

Best answer: C

Explanation: Third-party privacy risk requires contractual and technical controls. Purpose, minimization, safeguards, transfers, and monitoring should be defined.


Question 9

Topic: privacy monitoring

A system logs access to sensitive records but no one reviews unusual access. What is the weakness?

  • A. The records are automatically public
  • B. No system can log privacy events
  • C. Access review is never relevant to privacy
  • D. Logging exists, but monitoring and response controls are incomplete

Best answer: D

Explanation: Logging alone is incomplete if no one monitors or responds to unusual access. Privacy controls need operation and review.


Question 10

Topic: data minimization

A mobile app requests precise location continuously for a feature that only needs city-level weather. What is the best privacy design?

  • A. Collect all location data forever
  • B. Reduce collection to the minimum granularity and duration needed for the stated feature
  • C. Hide the collection in the settings menu
  • D. Share location with all partners

Best answer: B

Explanation: Data minimization applies to granularity and retention. Precise continuous location is excessive if city-level data is enough.


Question 11

Topic: privacy governance

A business team wants to launch a new data use that conflicts with the approved privacy notice. What should happen?

  • A. Launch first and update notices later if someone complains
  • B. Pause for privacy, legal, and governance review before changing the use or notice
  • C. Ignore the notice
  • D. Copy the data into an unmanaged system

Best answer: B

Explanation: New purposes must align with notices, consent, contracts, and governance expectations. Review should occur before launch.


Question 12

Topic: breach response

An internal report suggests personal data may have been exposed to unauthorized users. What should the privacy engineer support first?

  • A. Delete all logs immediately
  • B. Announce details before validating facts
  • C. Preserve evidence, assess scope, involve privacy/security/legal stakeholders, and follow the response process
  • D. Ignore the report until a customer complains

Best answer: C

Explanation: Privacy incidents need evidence preservation, scope assessment, stakeholder involvement, and controlled response. Premature deletion or disclosure can make the situation worse.

CDPSE quick checklist

Area         What to check
Purpose      Confirm data collection and use are necessary, documented, and limited.
Lifecycle    Define retention, deletion, anonymization, exceptions, and ownership.
Controls     Convert privacy requirements into access, masking, logging, consent, and monitoring behavior.
Governance   Involve privacy, legal, security, data, and business owners before risky new uses.

Revised on Monday, May 18, 2026