This course is now available at £2,050 + vat per person. Discounts are available for multiple bookings from the same organisation.

Location: Online (tutor led for the duration)

Practitioner Course 16th – 19th November 2020



This BCS Practitioner Course and Exam will help any employee gain a practical understanding of EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. The BCS certificate is a recognised workplace qualification.
Knowledge of UK data protection law, and an understanding of how it is applied in practice, is important for any organisation holding personal data. The BCS Practitioner Certificate in Data Protection is designed for those with some data protection responsibilities in an organisation or who, for other reasons, wish to achieve and demonstrate a broad understanding of the law, including the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 and their practical application.

In addition to the 4 days of interactive or onsite training & exam, we also give you access to added-value products and services that allow you to start or continue your work within Data Protection:

  • Lunch and refreshments every day (classroom courses only)
  • 12 month BCS associate membership
  • DPAS branded folder (sent prior to the course)
  • Trainer with over 20 years of experience in the industry
  • All course materials via GSuite
  • Our latest GDPR Assurance Audit which you can use when you are back in the workplace to assess compliance and develop remediation plans. Within this tool is a great one-page reporting template for your board.
  • An innovative risk model which is designed for you to assess data protection risks in your organisation.
  • Access to all the latest legislation, regulations and Data Protection case studies from the UK and EU.
  • Information security audit tool based upon ISO27001 which you can use to measure 92 security controls you have in your organisation.
  • Access to our full suite of GDPR and Data Protection policies which include Data Breach, Data Protection Impact Assessments, Privacy Notices, Legitimate Interest Assessments,
  • Access to our full template suite of Individual rights policies, decision trees and template letters, everything you need to deliver Articles 12 – 22 of GDPR.
  • A detailed list of the UK Data Protection Act exemptions in a format for you to apply and associated policies in which you can use when thinking about applying for exemptions.

Context (7.5%)

Candidates will be able to:

1.1.  Explain the concepts of data protection and privacy

1.1.1.  Describe an individual’s right to private and family life.

1.1.2.  Explain the relevance of confidentiality and respect for home and family life and


1.2.  Describe the history of data protection in the UK, to include:

1.2.1.  United Nations Universal Declaration on Human Rights

1.2.2.  European Convention on Human Rights and Fundamental Freedoms (ECHR),

(Article 8 – Respect for privacy and family life, Article 10 – Freedom of Expression)

1.2.3.  Council of Europe Convention 108, 1981, its implementation by the Data Protection Act 1984, and updating of Convention 108

1.2.4.  OECD Guidelines on the Protection of Privacy and Transborder Flows of PersonalData 2013

1.2.5.  Data Protection Directive 95/46/EC

1.2.6.  Human Rights Act 1998

1.2.7.  Data Protection Act 1998

1.2.8.  Privacy and Electronic Communications Regulation 2002/58/EC (PECR) andanticipated revisions (Draft ePrivacy Regulation 2017/0003 (COD)

1.2.9.  General Data Protection Regulation 2016/679

1.2.10.  UK Data Protection Act 2018

NB Candidates are not expected to have a detailed knowledge of the content of the above, or the chronological order but should be able to explain the relationship between them and how data protection rights have evolved as a result.

1.3. Illustrate how the wider territorial scope and jurisdiction of the GDPR impacts the processing of personal data by global organisations, including those who may not have a business (legal entity) established within the EU.

1.3.1.  The concept of main establishment and the implications for global organisations, including the enterprise and group of undertakings (concept of one stop shop)

1.3.2.  Co-operation between supervisory data protection authorities

1.3.3.  When a representative of the data controller is needed


Principles of data protection and applicable terminology (5%)

Candidates will be able to:

2.1. Interpret the major definitions in the GDPR and the Data Protection Act 2018. They should also be able to explain these definitions and identify what information and processing activities are subject to the GDPR. The major definitions to be included are as follows:

2.1.1. Personal data and Special category personal data

2.1.2.  Processing Profiling

2.1.3.  Controller

2.1.4.  Processor

2.1.5.  Data Subject

2.1.6.  Filing system

2.1.7.  Recipients and third parties

2.1.8.  Purely personal or household purposes

2.1.9.  The special purposes

2.2. Demonstrate how the following GDPR principles regulate the processing of personal data and how they are applied:

2.2.1.  Lawfulness, Fairness and Transparency – Article 5 (1)(a)

2.2.2.  Purpose Limitation – Article 5 (1)(b)

2.2.3.  Data minimisation – Article 5(1)(c)

2.2.4.  Accuracy – Article 5 (1)(d)

2.2.5.  Storage limitation – Article 5 (1)(e)

2.2.6.  Integrity and confidentiality – Article 5(1)(f)

2.2.7.  Responsibility for accountability with the above principles (referred to as Accountability Principle) – Article 5 (2)

2.2.8. Pseudonymisation

2.2.9. Criminal Offence Data (Article 10/Section 10 & 11 – recitals in relation to)

2.2.10. Biometric Data


Lawful bases for processing of personal data (5%)

Candidates will be able to:

3.1.  Illustrate the lawful bases to process personal data listed under (Article 6) of the GDPR and as displayed below:

3.1.1.  Consent

3.1.2.  Contract

3.1.3.  Legal obligation

3.1.4.  Vital interests

3.1.5.  Public interest task

3.1.6.  Legitimate interests

3.2.  Describe the conditions for processing special category data and the exemptions (Article 9)


Governance and accountability of data protection within organisations (20%)

Candidates will be able to:

4.1.  Identify the accountability and data governance obligation (Article 5 (2))

4.2.  Describe the purpose of a Data Protection Impact Assessment (DPIA)

4.3.  Demonstrate the process of conducting a DPIA

4.4.  Explain what a record of processing activity is, the information it should contain and why this is important (Article 30)

4.5.  Outline the interplay with privacy notices (Article 13 & 14)

4.6.  Demonstrate how to adopt a data protection by design and by default approach (Article 25)

4.7.  Identify suitable information security measures (Article 32)

4.8.  Explain the designation, position and tasks of the Data Protection Officer (DPO) (Article 37 to 39)


Interaction between controller and processor, and role of third parties (10%)

Candidates will be able to:

5.1.  Explain controller and processor obligations and identify principles raised under key case law (Article 24 & 28)

5.2.  Describe the concept of joint controllership (Article 26)

5.3.  Describe the act of processing under the authority of a controller or processor (Article 29)

5.4.  Explain what a Data Processing Agreement is and when it would be necessary in a controller-processor arrangement

5.5. Identify who would be considered as a recipient or a third party and how this works in practice


Transfers of personal data to third countries or international organisations (2.5%)

Candidates will be able to:

6.1. Recognise the general principles for transferring personal data to third countries and illustrate what issues might arise from each of the following mechanisms:

6.1.1.  An adequacy decision by the EU6.1.1.1. List of countries deemed adequate by the European Commission Privacy Shield

6.1.2.  Appropriate safeguards Standard Contractual Clause Binding Corporate Rules Derogations (Article 49) and other exemptions (DPA 18 Sections 72-78)


Data subject rights (5%)

Candidates will be able to:

7.1.  Demonstrate a detailed knowledge of the key rights granted to individuals (Articles 12 to 17 and 21 to 22). Specifically, the candidate will be required to explain data subject rights in relation to:

7.1.1.  Being informed (transparency), including of further processing compatibility (Article 13 and Article 14)

7.1.2.  Subject access (Article 15) Prohibition against enforced subject access requests (Section 184 of DPA 18) Void contractual terms relating to health records (Section 185 of DPA 18)

7.1.3.  Rectification (Article 16)

7.1.4.  Erasure (Right to be forgotten) (Article 17)

7.1.5.  Objection (Article 21)

7.1.6.  Automated individual decision making and profiling (Article 22)

7.2.  Express awareness of the following rights in addition to the above. However, these will not be examined in the Practitioner Certificate.

7.2.1.  Restriction of processing (Article 18)

7.2.2.  Obligation to notify the rectification, erasure or restriction to recipients and the data subject (Article 19)

7.2.3.  Portability (Article 20)

7.3.  Demonstrate knowledge of the restrictions and exemptions that may affect data subject rights

7.3.1.  Restrictions (Article 23)

7.3.2.  Exemptions (Schedule 2 – Parts 1 to 4 of DPA 18)


The role of supervisory authorities (SAs) (7.5%)

Candidates will be able to:

8.1.  Explain the role and importance of supervisory authorities

8.1.1.  Independence

8.1.2.  Competence and powers (Article 58 (1) & 58 (2))

8.1.3.  Co-operation with other supervisory authorities (Articles 60 to 62)

8.1.4.  Consistency

8.1.5.  Review of DPIAs in cases of unmitigated high risk (Article 35 & 36)

8.2.  Explain the Role of the Information Commissioner’s Office (ICO) as the UK SA

8.2.1.  As a regulator Investigation and correction (Article 58) Enforcement of regulations Data protection audits by the supervisory authority

8.2.2.  As a body that creates guidance and codes of practice

8.2.3.  In co-operation with other supervisory authorities

8.2.4.  Driving forward good privacy practice in their own jurisdictions and also internationally

8.2.5.  Promotion of approved privacy seals, certification schemes and availability of commonly used standards

8.2.6.  Advice and reporting to Parliament, the UK Government and other bodies

8.3.  Describe the Role of the European Data Protection Board (EDPB) (Articles 64, 65 & 70)

NB Candidates are expected to have knowledge of the Role of the EDPB however they will not be expected to list the individual tasks in Article 70.


Breaches, Enforcement and Liability (12.5%) Candidates will be able to:

9.1.  Explain what constitutes a personal data breach

9.2.  Explain when the obligation arises to report breaches of personal data (Articles 33 & 34)

9.2.1.  To the supervisory authority

9.2.2.  Data subject

9.2.3.  Overlap with the NIS Directive in relation to breach reporting

9.3.  Explain how a data protection complaint arises (Article 57 (1)(f))

9.4.  Describe the sanctions that could be imposed as a result of a personal data breach or data protection complaint:

9.4.1.  Information notices and assessments

9.4.2.  Undertakings

9.4.3.  Enforcement notices (Section 149 DPA 18)

9.4.4.  Administrative fines and their levels (Article 83 and 84) Tier 1 fines (upto 2% or 10 million euros) Tier 2 fines (upto 4% or 20 million euros) Availability of multiple tiers of fines

9.5. Describe the following liabilities:


Compensation towards the data subject

Liability between controller and processor

Awareness of the existence of criminal liability regarding breaches under: Data Protection Act 2018 (Sections 170 to 173) Computer Misuse Act (Sections, 1, 2, 3A and 3ZA)

the role of tribunal and judicial courts

Appeals against decisions of the ISA

Adjudication and enforcement of legal claims for data protection breaches


10. Processing of personal data in relation to children (2.5%)

Candidates will be able to:

10.1. Explain how data protection legislation applies to children:

10.1.1.  Explain the differences between the definitions of “child” within the GDPR (Article 8) and DPA 18 (Section 9)

10.1.2.  Explain the concept of erasure (and the right to be forgotten) where it relates to children

10.1.3.  Explain what Information Society Services means Age Appropriate Design Code (as published by the ICO under Section 123) (Scope and awareness of principles)


Specific provisions in data protection legislation of particular relevance to public authorities (7.5%)

Candidates will be able to:

11.1.  Define the meanings of public authority and public body and how it relates to both DPA 18 and the GDPR (Section 7 of DPA 18)

11.1.1. Lawful basis – public interest task (Article 6 (1)(e))

11.1.2. Interplay between availability of legitimate interests (Article 6 (1)(f) and Section 7

11.2.  Explain the provisions relating to Data Protection Officers (DPOs) for public authorities

11.2.1. Mandatory requirement to appoint a DPO (Article 37 (1)(a))

11.3.  Explain awareness of the existence of the exemptions for health social work and education (Schedule 3, DPA 18)

11.3.1. Health data 11.3.2. Social work data

11.3.3. Education data, examination scripts and marks 11.3.4. Child abuse data

NB Candidates are expected to have an awareness of the existence of the exemptions but they will not be expected to list or detail the individual exemptions in Schedule 3


Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003 (5%)

Candidates will be able to:

12.1.  Explain the relationship between PECR and the GDPR, including PECR’s:

12.1.1.  Objective and broad scope (email, phone, SMS, in-app messaging, push notifications)

12.1.2.  Provisions relating to electronic marketing communications (excluding fax)

12.1.3.  Role of the ICO in relation to PECR Investigating complaints Issuing codes of practice

12.2.  Explain the current status of PECR and the likely future development of this legislation

12.2.1.  Timeline of draft e-Privacy directive

12.2.2.  Key concepts under draft e-Privacy directive Consent Online tracking and digital technologies

12.2.3.  Application of draft e-Privacy directive in the U.K.


Application of data protection legislation in key areas of industry (10%)

Candidates will be able to:

13.1.  Recognise the data protection implications of the Employment Practices Code

13.2.  Describe how the use of CCTV (Data Protection Code of Practice for surveillance cameras and personal information) is governed by data protection law

13.3.  Identify how the use of cookies and digital technologies is governed by data protection law

13.4.  Explain how data sharing practices are governed by data protection law

13.5.  Explain the exemptions for journalism and freedom of expression under data protection law


The course takes 4 days to complete. The course will be held virtually with a tutor for the duration of the course.

There will be 90 minute which is included, this is a 40 question multiple choice exam with a pass mark of 65%. Exams will either be online and remote procured by Question Mark, via BCS. The cost of the exam is included within the course. Candidates will be added to the BCS system after completing the course and will be given a range of dates that they can book their course.

All candidates will be required to have access to their own laptop with access to Teams.


Day 1

  • Context of Data Protection
  • Principles of Data Protection & Applicable Terminology
  • Lawful bases for processing Personal Data
  • Governance & Accountability
  • Interaction between Controller and Processor

Day 2

  • Transfers of Personal Data to third countries
  • Data Subject Rights
  • Independent Supervisory Authorities (ISAs)
  • Breaches, Enforcement and Liability

Day 3

  • Children’s processing
  • Public authorities
  • Privacy & Electronic Communications Regulations 2003 (PECR)
  • Industry-specific areas of data protection law


Day 4

  • Recap of topics
  • Mock exam


Candidate will be able to demonstrate knowledge and understanding of key provisions of Data Protection legislation in the following areas:

  • Context of data protection legislation.
  • Principles of data protection and applicable terminology
  • Lawful basis for processing of personal data
  • Governance and accountability of data protection within organisations
  • Interaction between Controller and Processor, and role of third parties
  • Transfers of personal data to third countries or international organisations
  • Data Subject rights
  • The role of Independent Supervisory Authorities (ISAs)
  • Breaches, enforcement and liability
  • Processing of personal data in relation to children
  • Specific provisions in data protection legislation of particular relevance to public authorities
  • Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003
  • Application of data protection legislation in key areas of industry

This qualification is aimed at those candidates who have, or wish to have, some responsibility for data protection within an organisation and need to understand the changes that the GDPR and the UK Data Protection Act 2018 will bring to data protection legislation and what needs to be done to prepare their organisations for compliance. The certificate will also be useful for others who wish to obtain and demonstrate a broad understanding and application of the UK’s data protection regime. It is ideal for those candidates who already hold the Foundation Certificate in Data Protection and who want to gain a more in-depth knowledge of interpreting and applying the principles of data protection legislation and the GDPR in particular.

This qualification is likely to be of particular benefit to those working in the following areas:

  • Data Protection and Privacy
  • Information Governance, risk and compliance
  • Data Management
  • Project Management
  • Directors/Senior Managers with Data Protection responsibilities
  • Legal and procurement
  • Marketing and Sales professionals
  • Information Security and IT
  • Human Resources