BCS FOUNDATION COURSE IN DATA PROTECTION (3 DAYS)

£1,050.00

This course is now available at £1,050 + VAT per person. Discounts are available for multiple bookings from the same organisation.

Location: Swansea – The Dragon Hotel

Foundation Course 9th – 11th November 2020

If you would like to do this course virtually, please contact us.


OVERVIEW

This BCS Foundation Course and Exam will help any employee gain a practical understanding of EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. The BCS certificate is a recognised workplace qualification.
Knowledge of UK data protection law, including the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, along with an understanding of how they are applied in practice, is important for any organisation processing personal information. The BCS Foundation Certificate in Data Protection is designed for those who wish to acquire a sound grounding in the key elements of the law and its practical application.
 

In addition to the 2 days of interactive or onsite training & exam, we also give you access to added-value products and services that allow you to start or continue your work within Data Protection:

  • Lunch and refreshments every day (classroom courses only)
  • 12-month BCS associate membership
  • DPAS branded folder (sent prior to the course)
  • Trainer with over 20 years of experience in the industry
  • All course materials via GSuite
  • Our latest GDPR Assurance Audit which you can use when you are back in the workplace to assess compliance and develop remediation plans. Within this tool is a great one-page reporting template for your board.
  • An innovative risk model which is designed for you to assess data protection risks in your organisation.
  • Access to all the latest legislation, regulations and Data Protection case studies from the UK and EU.
  • Information security audit tool based upon ISO27001 which you can use to measure 92 security controls you have in your organisation.
  • Access to our full suite of GDPR and Data Protection policies which include Data Breach, Data Protection Impact Assessments, Privacy Notices, Legitimate Interest Assessments,
  • Access to our full template suite of Individual rights policies, decision trees and template letters, everything you need to deliver Articles 12 – 22 of GDPR.
  • A detailed list of the UK Data Protection Act exemptions in a format for you to apply, and associated policies which you can use when thinking about applying for exemptions.

An Introduction to the History of Data Protection in the U.K. (5%)

Candidates will be able to:

1.1. Demonstrate an awareness around personal data rights in the EU and the UK:

1.1.1.  Background to the Rights to Protect Personal Data in the EU and the U.K.

1.1.2.  The Privacy and Electronic Communications (EC Directive) Regulations 2003 (Sections 5-26)

1.1.3.  UK Data Protection Act 2018, Part 2, Chapters 1 to 3, Part 5 & 6

NB: The candidate is expected to have a basic knowledge of the existence of the above and how UK data protection has evolved, but the candidate is not expected to have a detailed knowledge of the provisions.

1.2. Recognise the territorial scope and jurisdiction of the GDPR (Articles 2 and 3): specifically, the following:

1.2.1.  Main establishment and the one stop shop

1.2.2.  When an EU representative is needed

 

Principles of Data Protection and Applicable Terminology (15%)

Candidates will be able to:

2.1. Define the following key items of terminology:
2.1.1. Personal data and Special category personal data

2.1.1.1. Pseudonymisation

2.1.1.2. Criminal Offence Data (Article 10/Section 10 & 11 – recitals in relation to)

2.1.1.3. Biometric Data

2.1.2.  Processing

2.1.3.  Controller

2.1.4.  Processor

2.1.5.  Data Subject

2.1.6.  Profiling

2.2. Describe the following Data Protection Principles:

2.2.1.  Lawfulness, Fairness and Transparency – Article 5 (1)(a)

2.2.2.  Purpose Limitation – Article 5 (1)(b)

2.2.3.  Data minimisation – Article 5(1)(c)

2.2.4.  Accuracy – Article 5(1)(d)

2.2.5.  Storage limitation – Article 5 (1)(e)

2.2.6.  Integrity and confidentiality – Article 5 (1)(f)

2.2.7.  Responsibility for Accountability with the above principles (referred to as Accountability Principle) – Article 5 (2)

 

Lawful bases for processing of Personal Data (12.5%)

Candidates will be able to:

3.1.  Explain the lawful bases for processing Personal Data listed under Article 6 of the GDPR, as displayed below:

3.1.1.  Consent

3.1.2.  Contract

3.1.3.  Legal obligation

3.1.4.  Vital interests

3.1.5.  Public interest task

3.1.6.  Legitimate interests

3.2.  Describe the conditions for processing special category data and the exemptions (Article 9)

 

Governance and Accountability of Data Protection within organisations (20%)

Candidates will be able to:

4.1.  Identify the accountability obligations (Article 5 (2) and Article 24)

4.2.  Describe the purpose of a Data Protection Impact Assessment (DPIA)

4.3.  Explain the process of conducting a DPIA

4.4.  Identify the importance of keeping a record of processing activity (Article 30)

4.5.  Outline the interplay with privacy notices (Article 13 & 14)

4.6.  Demonstrate how to adopt a data protection by design and by default approach (Article 25)

4.7.  Identify suitable information security measures (Article 32)

4.8.  Explain the designation, position and tasks of the Data Protection Officer (DPO) (Article 37 to 39)

Interaction between Controller and Processor (7.5%)

Candidates will be able to:

5.1. Identify the following controller and processor obligations:

5.1.1.  Controller obligations (Article 24)

5.1.2.  Joint controllers (Article 26)

5.1.3.  Processor obligations (Article 28)

5.1.4.  Processing under the authority of a Controller or Processor (Article 29)

 

Transfers of personal data to third countries or international organisations (5%)

Candidates will be able to:

6.1. Recognise the general principles for transferring personal data to third countries, based on the most common forms:

6.1.1.  An adequacy decision by the EU

6.1.1.1. Privacy Shield

6.1.2.  Appropriate safeguards

6.1.2.1. Standard Contractual Clauses

6.1.2.2. Binding Corporate Rules

 

Data Subject Rights (12.5%)

Candidates will be able to:

7.1. Explain the key rights granted to individuals (Articles 12 to 17 and 21 to 22). Specifically, the candidate will be required to explain data subject rights in relation to:

7.1.1.  Being informed (transparency), including of further processing compatibility (Article 13 and Article 14)

7.1.2.  Subject access (Article 15)

7.1.3.  Rectification (Article 16)

7.1.4.  Erasure (Right to be forgotten) (Article 17)

7.1.5.  Objection (Article 21)

7.1.6.  Automated individual decision making and profiling (Article 22)

7.2. Express awareness of the following rights in addition to the above. However, these will not be examined in the Foundation Certificate.

7.2.1.  Restriction of processing (Article 18)

7.2.2.  Obligation to notify the rectification, erasure or restriction to recipients and the data subject (Article 19)

7.2.3.  Portability (Article 20)

7.3. Define restrictions that may affect data subject rights; however, candidates are not expected to have a detailed knowledge of these restrictions (Article 23).

 

Independent Supervisory Authority (ICO) (10%)

Candidates will be able to:

8.1. Explain the Role of the ICO

8.1.1.  As a regulator

8.1.1.1. Investigation and correction (Article 58)

8.1.1.2. Enforcement of regulations

8.1.2.  As a body that creates guidance and codes of practice

8.1.3.  In co-operation with other supervisory authorities

8.1.4.  Driving forward good privacy practice in their own jurisdictions and also internationally

 

Breaches, Enforcement and Liability (10%)

Candidates will be able to:

9.1. Explain when the obligation arises to report breaches of personal data (Articles 33 & 34)

9.1.1.  To the Supervisory Authority

9.1.2.  Data subject

9.2. Identify the sanctions that could be imposed as a result of a personal data breach or data protection complaint:

9.2.1.  Information notices (Section 142 DPA18) and assessment notices (Section 146 DPA18)

9.2.2.  Undertakings

9.2.3.  Enforcement notices

9.2.4.  Administrative fines and their levels (Article 83 and 84)

9.2.5.  Data protection audits by the supervisory authority (Article 58)

9.3. Describe the following liabilities:

9.3.1.  Compensation towards the data subject

9.3.2.  Liability between controller and processor

9.3.3.  Awareness of the existence of criminal liability regarding breaches under:

9.3.3.1. Data Protection Act 2018

9.3.3.2. Computer Misuse Act (Section 3ZA)

 

Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003 (2.5%)

Candidates will be able to:

10.1. Identify the relationship between the PECR and the GDPR, including the PECR’s:

10.1.1. Objective and broad scope (email, phone, SMS, in-app messaging, push notifications)

10.1.2. Provisions relating to electronic marketing communications

10.1.3. Role of the ICO in relation to PECR

10.1.3.1. Investigating complaints

The course takes 3 days to complete. The course will be held virtually or in a classroom.

There will be a 60-minute exam on day 3 of the training course; this is a 40-question multiple-choice exam with a pass mark of 65%. Exams will either be online or paper-based, depending on which option is chosen. The cost of the exam is included within the course.

All candidates will be required to have access to their own laptop.

 

Day 1

  • History of Data Protection
  • Principles of Data Protection & Applicable Terminology
  • Lawful bases for processing Personal Data

Day 2

  • Governance & Accountability
  • Interaction between Controller and Processor
  • Transfers of Personal Data to third countries

Day 3

  • Data Subject Rights
  • Independent Supervisory Authority
  • Breaches, Enforcement and Liability
  • Privacy & Electronic Communications Regulations 2003 (PECR)

 

Candidates will be able to demonstrate knowledge and understanding of key provisions of Data Protection legislation in the following areas:

  1. An Introduction to the History of Data Protection in the U.K.
  2. Principles of Data Protection and Applicable Terminology
  3. Lawful bases for processing of Personal Data
  4. Governance and Accountability of Data Protection within organisations
  5. Controller and Processor obligations
  6. Transfers of personal data to third countries or international organisations
  7. Data Subject Rights
  8. Independent Supervisory Authority (ICO)
  9. Breaches, Enforcement and Liability
  10. Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003

This qualification is primarily aimed at those who need to have an understanding of data protection, and the GDPR in particular, to do their job; or those whose effectiveness in their role would be enhanced by knowledge of the law in this area.

The Foundation Certificate will also provide a stepping stone for those who have, or who will have, some responsibility for data protection within an organisation and who intend in due course to gain the BCS Practitioner Certificate in Data Protection.

This qualification is likely to be of particular benefit to those working in the following areas:

  • Data Protection and Privacy
  • Information Governance, risk and compliance
  • Data Management
  • Project Management
  • Directors/Senior Managers with Data Protection responsibilities
  • Legal and procurement
  • Marketing and Sales professionals
  • Information Security and IT
  • Human Resources