🎯 Domain 2 Overview
What This Domain Tests: Your ability to build organizational structures, accountability mechanisms, policies, and procedures that enable effective privacy management. This includes establishing roles and responsibilities, creating governance committees, developing policies, implementing Privacy Impact Assessments (PIAs), and planning for breach response.
Weight: 15-20% of the CIPM exam (approximately 14-18 questions)
Key Focus: Creating the infrastructure and processes for privacy governance—the "how" of accountability and organizational structure. Domain 1 established the framework; Domain 2 builds the governance mechanisms to execute it.
Why Domain 2 Is Critical
Even the best privacy framework (Domain 1) fails without proper governance. Domain 2 is where strategy becomes structure—where you translate high-level privacy goals into organizational accountability, clear roles, documented processes, and operational readiness.
Think of governance as the operating system for your privacy program. It determines who makes decisions, how processes work, what policies guide behavior, and how the organization responds when things go wrong. Without solid governance, privacy programs become reactive, inconsistent, and ineffective.
What Makes Domain 2 Challenging
- Organizational Politics: Understanding how to navigate reporting structures and establish authority
- Policy Development: Knowing the difference between policies, standards, procedures, and guidelines
- PIA Process: Mastering when, how, and by whom Privacy Impact Assessments should be conducted
- Breach Response: Understanding detailed incident management workflows and regulatory timelines
- Role Clarity: Distinguishing responsibilities among CPO, DPO, legal, IT, and business units
Core Topics in Domain 2
1. Privacy Governance Structures
Governance structures define how privacy decisions are made and who has authority to make them.
Governance Models
Centralized Model:
- Single privacy team makes all privacy decisions
- Provides consistency and control
- Can become bottleneck as organization scales
- Best for: Smaller organizations, heavily regulated industries
Decentralized Model:
- Privacy decisions made by individual business units
- Enables speed and local context
- Risk of inconsistency and gaps
- Best for: Highly autonomous divisions, diverse business lines
Federated Model (Hybrid):
- Central privacy team sets policy and standards
- Business unit privacy champions implement locally
- Balances consistency with flexibility
- Best for: Large, complex organizations (most common in practice)
📘 Exam Scenario: Governance Model Selection
Question: "A multinational corporation with diverse business units in different industries wants to maintain consistent privacy standards while allowing operational flexibility. Which governance model would be MOST appropriate?"
Answer: Federated/Hybrid model. The key words are "consistent privacy standards" (requires central oversight) combined with "operational flexibility" (requires local implementation). This scenario describes the exact use case for federated governance.
Key Lesson: Match governance models to organizational characteristics. Don't default to what seems "best"—choose what fits the scenario.
2. Privacy Governance Committees
Committees provide cross-functional oversight, decision-making authority, and escalation paths for privacy issues.
Typical Privacy Committee Structure
Privacy Steering Committee (Strategic Level):
- Composition: Senior executives (C-suite, VPs)
- Frequency: Quarterly or semi-annually
- Role: Set strategic direction, approve major initiatives, allocate resources
- Decisions: Privacy program strategy, budget approvals, major policy changes
Privacy Working Group (Operational Level):
- Composition: Privacy team, IT, legal, security, business unit representatives
- Frequency: Monthly or bi-monthly
- Role: Implement strategy, resolve cross-functional issues, coordinate activities
- Decisions: Implementation approaches, risk assessments, policy interpretations
Data Governance Committee (Related but Distinct):
- Focus: Broader data management (quality, lifecycle, architecture)
- Relationship to Privacy: Privacy governance is one component of broader data governance, which also covers data quality, lifecycle, and architecture
- Coordination: Privacy committee should have representation on data governance committee
3. Roles and Responsibilities
Clear role definitions prevent gaps in accountability and ensure privacy responsibilities are properly distributed.
Chief Privacy Officer (CPO)
Primary Responsibilities:
- Set overall privacy strategy and vision
- Report to executive leadership and board
- Oversee privacy program development and execution
- Manage privacy team and resources
- Serve as primary external spokesperson for privacy
- Balance business objectives with privacy compliance
Data Protection Officer (DPO)
Primary Responsibilities (under GDPR):
- Monitor compliance with data protection regulations
- Provide advice on Data Protection Impact Assessments (DPIAs)
- Cooperate with supervisory authorities
- Act as contact point for data subjects
- Key Distinction: The DPO must be independent; the DPO cannot be instructed on how to perform their tasks and cannot be dismissed or penalised for performing them (GDPR Article 38(3))
- Note: In smaller organizations, the CPO and DPO may be the same person where this is allowed, provided the combined role does not create a conflict of interest (Article 38(6))
Privacy Champions/Liaisons
Primary Responsibilities:
- Serve as privacy point of contact within business units
- Implement privacy policies and procedures locally
- Escalate privacy issues to central privacy team
- Promote privacy awareness in their departments
- Often part-time role, not dedicated privacy staff
Legal/Compliance Teams
Primary Responsibilities:
- Interpret privacy regulations and legal requirements
- Review and approve privacy policies
- Handle regulatory inquiries and investigations
- Manage litigation related to privacy
- Key Relationship: Collaborate with privacy team, but privacy leads operational implementation
IT/Security Teams
Primary Responsibilities:
- Implement technical privacy controls
- Manage data security and encryption
- Support breach detection and response
- Enable data subject rights fulfillment (access, deletion)
- Key Relationship: Privacy sets requirements, IT/Security implements solutions
4. Privacy Policies and Procedures
Understanding the hierarchy and purpose of different policy documents is critical for Domain 2.
| Document Type | Purpose | Audience | Example |
|---|---|---|---|
| Privacy Policy | Public statement of privacy practices | External (customers, users) | "How we collect, use, and protect your data" |
| Privacy Notice | Specific information about data processing | Data subjects at collection point | "Employee data processing notice" |
| Privacy Standards | Mandatory requirements for compliance | Internal (all employees) | "Data must be encrypted at rest and in transit" |
| Privacy Procedures | Step-by-step instructions for tasks | Internal (specific roles) | "How to process a DSAR in 5 steps" |
| Privacy Guidelines | Best practice recommendations | Internal (advisory, not mandatory) | "Recommended practices for data minimization" |
Essential Elements of Privacy Policies
Comprehensive privacy policies should address:
- What data is collected: Types of personal information
- Why data is collected: Purposes and legal bases
- How data is used: Processing activities
- Who has access: Internal parties and third parties
- How data is protected: Security measures
- How long data is retained: Retention periods
- Individual rights: How to exercise rights (access, deletion, etc.)
- Contact information: How to reach privacy team/DPO
- Changes to policy: How updates are communicated
5. Privacy Impact Assessments (PIAs)
PIAs are systematic processes for identifying and mitigating privacy risks in projects or systems. Under GDPR the equivalent instrument, with specific legal triggers under Article 35, is the Data Protection Impact Assessment (DPIA); the exam uses the terms largely interchangeably.
When PIAs Are Required
Conduct a PIA when you're:
- Launching new products or services that process personal data
- Implementing new technologies (AI, biometrics, tracking systems)
- Making significant changes to existing data processing
- Processing sensitive/special category data
- Processing data on a large scale
- Conducting systematic monitoring (e.g., CCTV, behavioral tracking)
- Making automated decisions with legal or significant effects
- Processing children's data
- Combining datasets from multiple sources
PIA Process Steps
1. Describe the Processing
- What data is being collected?
- What is the purpose of processing?
- Who will have access to data?
- How will data flow through systems?
2. Assess Necessity and Proportionality
- Is the processing necessary to achieve the purpose?
- Is the data collection proportionate to the need?
- Can you achieve the same goal with less data?
- What is the legal basis for processing?
3. Identify Privacy Risks
- What could go wrong (unauthorized access, breach, misuse)?
- What harm could result to individuals?
- What is the likelihood and severity of each risk?
- Are there compliance risks (regulatory violations)?
4. Identify Mitigation Measures
- What controls can reduce identified risks?
- Technical measures (encryption, access controls)
- Organizational measures (policies, training)
- Assign responsibility for implementing each measure
5. Sign Off and Integrate
- Document assessment results
- Obtain approval from privacy lead/DPO
- Integrate mitigation measures into project plan
- Set review timeline for reassessment
6. Breach Response and Incident Management
Having a documented breach response plan is not just best practice—it's legally required in many jurisdictions. Domain 2 tests your understanding of the complete incident lifecycle.
Breach Response Lifecycle
Phase 1: Detection and Analysis
- Identify potential breach through monitoring, reports, or alerts
- Gather initial facts (what happened, what data, how many people)
- Assess whether incident qualifies as a "breach" under applicable laws
- Determine severity and scope
Phase 2: Containment
- Stop ongoing data exposure immediately
- Isolate affected systems
- Prevent further unauthorized access
- Preserve evidence for investigation (capture logs and system images before rebuilding or wiping affected hosts)
Phase 3: Assessment and Notification Decision
- Determine if breach must be reported to regulators
- Assess risk of harm to individuals
- Evaluate notification obligations under multiple laws
- Consult with legal, privacy, and executive teams
Phase 4: Regulatory Notification
- GDPR: Notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Article 33); late notifications must be accompanied by reasons for the delay
- US state laws: Vary widely (some say "without unreasonable delay," others specify a number of days)
- Provide required information: nature of breach, categories of data, approximate number affected, contact details, likely consequences, measures taken
Phase 5: Individual Notification
- Notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms (GDPR Article 34)
- Provide clear, plain language description of breach
- Explain consequences and protective measures taken
- Advise on steps individuals can take (monitor accounts, change passwords)
Phase 6: Remediation and Recovery
- Fix vulnerabilities that enabled the breach
- Restore normal operations securely
- Implement additional controls to prevent recurrence
Phase 7: Post-Incident Review
- Conduct lessons-learned analysis
- Document what worked and what didn't
- Update breach response plan based on experience
- Implement systemic improvements
📘 Exam Scenario: Notification Timeline
Question: "An organization subject to GDPR discovers a breach affecting 10,000 customers' email addresses and purchase histories. What is the FIRST notification deadline the organization must meet?"
Answer: 72 hours to notify the supervisory authority (regulators). Individual notification comes after and only if there's high risk. The 72-hour clock starts from when the organization becomes "aware" of the breach, not when it's fully investigated.
Key Lesson: Know specific regulatory timelines. GDPR's 72-hour rule is heavily tested. Don't confuse regulatory notification (supervisory authority) with individual notification (affected people).
7. Third-Party and Vendor Management
Organizations remain accountable for data even when third parties process it. Proper vendor governance is essential.
Vendor Privacy Governance Requirements
Pre-Engagement Due Diligence:
- Assess vendor's privacy and security practices
- Review certifications (ISO 27001, SOC 2, etc.)
- Evaluate data handling procedures
- Check vendor's incident history
Contractual Requirements:
- Data Processing Agreement (DPA) or similar contract
- Define roles: controller vs. processor
- Specify permitted processing activities
- Require security measures
- Include audit rights
- Establish breach notification obligations
- Address sub-processor management
- Include data return/deletion provisions at termination
Ongoing Oversight:
- Conduct periodic vendor reviews
- Verify compliance through audits or assessments
- Monitor for changes in vendor practices
- Maintain vendor inventory/registry
Cross-Border Considerations:
- Implement transfer mechanisms (Standard Contractual Clauses, etc.)
- Assess adequacy of destination country protections
- Document transfer basis in records of processing
8. Data Subject Rights Management
Establishing processes to handle individual rights requests is a core governance requirement.
Key Data Subject Rights (GDPR Framework)
- Right of Access: Request copy of their personal data
- Right to Rectification: Correct inaccurate data
- Right to Erasure ("Right to be Forgotten"): Delete data under certain conditions
- Right to Restrict Processing: Limit how data is used
- Right to Data Portability: Receive data in machine-readable format
- Right to Object: Object to processing based on legitimate interest or direct marketing
- Rights Related to Automated Decision-Making: Not be subject to solely automated decisions with significant effects
Note: Rights vary by jurisdiction. CCPA has different rights (right to know, delete, opt-out of sale). Know the general categories and principles.
DSAR (Data Subject Access Request) Handling Process
- Receive and Log Request: Track in request management system
- Verify Identity: Ensure requester is who they claim to be
- Clarify Scope: Understand what information is being requested
- Search for Data: Locate all relevant personal data across systems
- Review for Exemptions: Check if any exemptions apply (e.g., legal privilege)
- Redact Third-Party Data: Remove others' personal information
- Prepare Response: Compile data in accessible format
- Deliver Within Deadline: GDPR: one month from receipt, extendable by a further two months for complex or numerous requests; the requester must be told of the extension and its reasons within the first month (Article 12(3))
- Document Process: Maintain records of all requests and responses
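The 72-hour clock from the breach scenario earlier in this section and the one-month DSAR deadline in the step list just above are easy to get wrong in a ticketing system, so here is an added Python example (not from this study guide, and not IAPP material) that encodes both decisions in one place. The helper names, the three-level risk scale ("unlikely", "risk", "high"), and the calendar-month rule used for Article 12(3) (same day in the following month, clamped to that month's last day) are my assumptions, not something the page states.

```python
"""Added example (not from the study page): GDPR breach-notification and
DSAR deadline helpers.

Assumptions (labelled, not from the page):
- The Article 33 deadline is awareness time + 72 hours.
- The Article 12(3) one-month deadline is the same calendar day in the next
  month, clamped to the last day of that month; the two-month extension is
  applied the same way (three months in total).
- The assessor supplies the risk level as one of three strings.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

SA_NOTIFICATION_WINDOW = timedelta(hours=72)  # Article 33(1)


def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping to the last valid day."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def dsar_deadline(received: date, extended: bool = False) -> date:
    """Article 12(3): one month, extendable by two further months."""
    return add_months(received, 3 if extended else 1)


def sa_notification_deadline(aware_at: datetime) -> datetime:
    """Article 33(1): not later than 72 hours after becoming aware."""
    return aware_at + SA_NOTIFICATION_WINDOW


@dataclass
class BreachAssessment:
    aware_at: datetime
    risk_level: str  # "unlikely", "risk" or "high" (assumed scale)
    data_unintelligible: bool = False  # e.g. encrypted, key not compromised


@dataclass
class NotificationPlan:
    notify_supervisory_authority: bool
    supervisory_deadline: datetime | None
    notify_individuals: bool
    document_internally: bool  # Article 33(5): every breach is documented


def plan_notifications(b: BreachAssessment) -> NotificationPlan:
    """Map a risk assessment to the Article 33 / Article 34 obligations."""
    if b.risk_level not in ("unlikely", "risk", "high"):
        raise ValueError(f"unknown risk level: {b.risk_level!r}")
    # Article 33: notify the SA unless the breach is unlikely to result in risk.
    notify_sa = b.risk_level != "unlikely"
    # Article 34(1): individuals are notified for high risk; Article 34(3)(a)
    # lifts that duty where the data were rendered unintelligible.
    notify_people = b.risk_level == "high" and not b.data_unintelligible
    return NotificationPlan(
        notify_supervisory_authority=notify_sa,
        supervisory_deadline=sa_notification_deadline(b.aware_at) if notify_sa else None,
        notify_individuals=notify_people,
        document_internally=True,
    )


def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Hours left on the clock; negative once the window has closed."""
    return (deadline - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed sample: the SOC confirms a breach at 16:00 UTC on a Friday.
    aware = datetime(2024, 3, 1, 16, 0, tzinfo=timezone.utc)
    plan = plan_notifications(BreachAssessment(aware_at=aware, risk_level="high"))
    print(plan)
    print(dsar_deadline(date(2024, 1, 31)))  # clamps to 29 February 2024
```

Two design choices matter here. The supervisory-authority clock is anchored to the awareness timestamp and never to the end of the investigation, which is the point the exam scenario makes; and the plan always records the breach internally, because Article 33(5) requires documentation even when no notification is sent. A request received on 31 January lands on the last day of February rather than on a non-existent 31 February, which is exactly the kind of edge case a hand-maintained spreadsheet tends to miss.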
Common Domain 2 Exam Question Types
Question Pattern: Role Distinction
Format: "Who should have PRIMARY responsibility for [specific activity]?"
What They're Testing: Whether you understand role boundaries (CPO vs. DPO vs. IT vs. Legal)
How to Approach: Ask yourself: Who has the authority, expertise, and day-to-day involvement? Remember DPO independence requirements.
Question Pattern: Policy Hierarchy
Format: "What type of document should be used to [accomplish specific goal]?"
What They're Testing: Understanding difference between policies, procedures, standards, and guidelines
How to Approach: External communication = policy/notice. Mandatory requirements = standards. Step-by-step = procedures. Recommendations = guidelines.
Question Pattern: PIA Triggers
Format: "Which scenario would MOST likely require a Privacy Impact Assessment?"
What They're Testing: Recognizing high-risk processing that triggers PIA requirements
How to Approach: Look for: new technology, large-scale processing, sensitive data, automated decisions, systematic monitoring, children's data, or significant changes to existing processing.
Question Pattern: Breach Notification Requirements
Format: "How quickly must [type of breach] be reported to [regulator/individuals]?"
What They're Testing: Knowledge of specific notification timelines and thresholds
How to Approach: Know GDPR's 72-hour rule for regulators. Distinguish between regulatory notification and individual notification. High risk determines individual notification requirement.
Study Tips for Domain 2
Domain 2 Mastery Checklist
- ✓ Memorize the difference between CPO and DPO roles and responsibilities
- ✓ Know the three governance models and when each is appropriate
- ✓ Understand policy hierarchy: policy vs. standard vs. procedure vs. guideline
- ✓ Master PIA/DPIA process steps and triggers
- ✓ Memorize GDPR's 72-hour breach notification rule
- ✓ Know all phases of breach response lifecycle
- ✓ Understand data subject rights and DSAR handling process
- ✓ Learn vendor management requirements and DPA components
- ✓ Study privacy committee structures and decision-making authority
- ✓ Practice distinguishing between regulatory and individual breach notifications
Common Mistakes to Avoid
- Confusing CPO and DPO roles (especially independence requirements)
- Not understanding the difference between policies, standards, and procedures
- Memorizing only GDPR breach rules without understanding general principles
- Overlooking vendor management and third-party governance
- Not practicing PIA scenario recognition
- Missing the distinction between regulatory notification and individual notification
Practice Questions for Domain 2
Question 1: Role Responsibility
Q: Under GDPR, who has PRIMARY responsibility for determining whether a Data Protection Impact Assessment (DPIA) is required for a new project?
A) Chief Privacy Officer
B) Data Protection Officer
C) Project Manager
D) Legal Counsel
Correct Answer: B
Explanation: The controller is legally responsible for deciding whether a DPIA is required (Article 35(1)), but GDPR makes advising on DPIAs and monitoring their performance a specific task of the DPO (Article 39(1)(c)), and Article 35(2) obliges the controller to seek the DPO's advice when carrying one out. In exam terms, the DPO is the role with primary responsibility for that determination, even though the controller ultimately decides whether to proceed.
Question 2: Breach Notification
Q: An organization discovers unauthorized access to a database containing names and encrypted credit card numbers. What is the organization's FIRST obligation under GDPR if the breach presents high risk to individuals?
A) Notify the supervisory authority within 72 hours
B) Notify affected individuals immediately
C) Conduct a full investigation before any notification
D) Notify law enforcement
Correct Answer: A
Explanation: Article 33 requires notification to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; where all details are not yet known, Article 33(4) allows the information to be provided in phases, so the investigation runs concurrently while the clock keeps running. Individual notification (Article 34) is required without undue delay only where there is high risk to rights and freedoms, and Article 34(3)(a) can lift that duty where the data were rendered unintelligible (for example, strong encryption whose key was not compromised). Notifying law enforcement may be appropriate but is not a GDPR obligation.
Question 3: Governance Structure
Q: A large financial services company with multiple autonomous business units wants to maintain consistent privacy standards while allowing units to make operational decisions. Which governance model is MOST appropriate?
A) Centralized governance
B) Decentralized governance
C) Federated governance
D) Compliance-based governance
Correct Answer: C
Explanation: The scenario describes the classic use case for federated governance: need for consistency ("consistent privacy standards") combined with operational flexibility ("allowing units to make operational decisions"). Central team sets standards, business units implement locally.
Key Takeaways for Domain 2
- Governance = Structure: Domain 2 builds the organizational infrastructure to execute privacy strategy
- Clear Accountability: Well-defined roles prevent gaps and ensure privacy responsibilities are owned
- DPO Independence: Critical distinction—DPOs must operate independently and cannot be instructed on compliance
- Policy Hierarchy Matters: Know when to use policies vs. standards vs. procedures vs. guidelines
- PIAs Are Preventive: Conduct before starting high-risk processing, not after problems arise
- 72-Hour Rule: GDPR's most tested requirement—breach notification to supervisory authority
- Vendor Accountability: Organizations remain responsible for third-party processing
- Rights Management: Establish processes before you receive requests, not during
Connection to Other Domains
Domain 2 serves as the bridge between strategy (Domain 1) and execution (Domains 3-6):
- From Domain 1: Takes the strategic framework and creates operational accountability structures
- To Domain 3: Governance structures enable systematic data assessment and inventory processes
- To Domain 4: Policies and standards guide implementation of data protection measures
- To Domain 5: Governance committees provide oversight for performance metrics and monitoring
- To Domain 6: Incident response plans and DSAR procedures operationalize governance requirements
Master Domain 2, and you'll find the operational domains much easier because you'll understand who does what and how decisions get made.