
The proliferation of data-driven technology and business culture has spurred serious growth in the emerging data privacy and compliance industry.
Data privacy and compliance includes the measures, technology, and legal frameworks used to manage and protect personal information and to ensure data is handled responsibly and conforms to legal regulations.
Increased awareness of data privacy risks, emerging technologies including artificial intelligence (AI), and the proliferation of laws like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have brought about opportunities for IT professionals who'd like to specialize in that area.
• GDPR has influenced how companies collect, store and process personal information from EU citizens. Businesses now must obtain explicit consent, provide data subject rights and report data breaches. Violating GDPR rules can mean rather hefty fines.
• CCPA and its supplement, the California Privacy Rights Act, have given consumers the right to access and remove their personal information and to opt out of having it sold without their consent. In turn, businesses now must update their privacy policies, implement new processes for handling customer requests and adopt data management and security practices.
Before GDPR and CCPA came the Health Insurance Portability and Accountability Act (HIPAA), which went into effect in 2003. HIPAA protects the confidentiality, integrity and availability of protected health information by limiting its use.
If the idea of specializing in data privacy and compliance appeals to you, the Information Systems Audit and Control Association (ISACA), an Information Systems and IT organization, offers two certification tracks to consider: Certified Information Systems Auditor (CISA) and Certified Data Privacy Solutions Engineer (CDPSE).
• CISA certification is considered the gold standard for IT auditors. You must have five years of relevant work experience in information systems auditing, control or security. The work experience requirement ensures IT pros can show what they’ve learned in real-world situations. CISA certification can help you qualify for roles such as IT auditor, risk analyst, compliance manager and data protection manager.
• CDPSE certification demonstrates the ability to assess, build and implement comprehensive data privacy solutions for a business. You must have a minimum of three years of work experience in the data privacy lifecycle, privacy architecture and privacy governance to earn certification. CDPSE certification can help qualify you for a role as a privacy engineer, information security engineer, data privacy manager or IT security consultant.
Companies that violate CCPA or GDPR laws can face harsh penalties. Below are some examples.
Enforcing CCPA: Sephora and Healthline Media
The dubious honor of being the CCPA’s first major enforcement action goes to beauty retailer Sephora in 2022. The company didn’t disclose that it was selling customer information collected on its website to third parties and didn’t honor opt-out requests sent through Global Privacy Control, a tool that lets users signal their privacy preferences to websites. The violation cost Sephora a pretty penny – $1.2 million.
In another case, the largest settlement to date from California, Healthline Media had to pay $1.55 million in July 2025. The health and wellness company, which owns Healthline.com and MedicalNewsToday.com, allegedly didn’t allow consumers to opt out of targeted advertising, used online trackers such as cookies to share its readers’ data with third parties without adequate privacy protections, and misled consumers with its consent banners (the banners did not disable tracking cookies).
GDPR: Meta (Facebook’s Parent) has Been Mega Fined
Ireland’s been levying fines for GDPR violations. In September 2024, the Irish Data Protection Commission (DPC) fined Meta Platforms Ireland 91 million Euros (about $106.4 million) for a 2019 data breach in which user passwords were not encrypted; rather, they were in plain text. Meta did report the breach, which involved social media passwords. The DPC had found that Meta did not notify them of the breach, the breach had been inadequately documented, and its security measures were not sufficient for protecting user data. This is not the first time Meta’s found itself in hot water for GDPR violations.
• A 2018 data breach led to a 251 million Euro fine (about $291.36 million). The breach – unauthorized access to names, contact information, and sensitive information, e.g., religious and political beliefs – affected 29 million Facebook users around the world, with 3 million in the European Union/European Economic Area.
• A 2021 investigation found reports claiming that a Facebook data set containing personal information was on a hacking platform. The leak exposed the personal data of 533 million users to third parties without permission. Meta was fined 265 million Euros (about $307.45 million).
• The biggest fine against Meta from Ireland’s DPC came about in May 2023. Meta received a 1.2 billion Euro fine (about $1.392 billion) for transferring European users’ personal data to the U.S. without adequate data protection mechanisms in place.
The emergence of artificial intelligence has drawn the interest of data protection experts, who wonder if AI models can be compatible with GDPR requirements. Artificial intelligence companies are not immune to GDPR standards, even though some AI platforms can enhance a user’s privacy.
Companies like OpenAI (ChatGPT’s parent) have raised concerns related to GDPR. Italy’s Data Protection Authority (DPA) in 2023 ordered OpenAI to temporarily stop processing personal data about people in Italy. A DPA investigation into a data security issue had prompted the order. In response, OpenAI temporarily restricted access to ChatGPT in Italy and worked on a compliance plan.
After OpenAI and the DPA met, OpenAI received extra time to bring ChatGPT into GDPR compliance, along with a list of requirements to meet. OpenAI added new features to bring the company closer to GDPR compliance, including a new privacy notice and an opt-out feature that lets users keep their chat histories from being reused.
Computer Coach can help you get relevant IT and business certification skills for today’s job market. We can make sure you’re prepared for your next opportunity.
