Only 1 day
Classroom
11/02/2025 (Tuesday)
Overview
This accelerated BCS Practitioner Certificate in Data Protection course is aimed at experienced data protection professionals and at candidates who want to build on the BCS Foundation Certificate. You’ll gain a broader and deeper understanding of current laws, including the EU GDPR, UK GDPR and the UK Data Protection Act 2018, and how they need to be applied in your organisation.
In just 1 day, you’ll gain an understanding of the key changes and the associated implications that the GDPR and the UK Data Protection Act 2018 introduce to data protection. You’ll also:
- Gain an understanding of individual and organisational responsibilities under the GDPR and the UK Data Protection Act, particularly the need for effective record keeping.
- Be able to apply the new rights available to data subjects and understand the implications of those rights.
- Be able to demonstrate an understanding of the designation, position and role / tasks of a data protection officer.
- Be able to prepare organisations to manage and handle personal data in compliance with the GDPR and the UK Data Protection Act.
At the end of this course, you’ll sit the BCS exam, and achieve your BCS Practitioner Certificate in Data Protection certification.
Through Firebrand’s Lecture | Lab | Review methodology, you’ll get certified at twice the speed of traditional training, get access to courseware, learn from certified instructors, and train in a distraction-free environment.
Audience
This course is ideal for:
- People who have existing responsibility for data protection within their organisation.
- People who want to broaden their basic understanding in this area and fully understand the practical applications of data protection laws.
Curriculum
Module 1: Context (7.5%)
- Explain the concepts of data protection and privacy
- Describe an individual’s right to private and family life.
- Explain the relevance of confidentiality and respect for home and family life and correspondence.
- Describe the history of data protection in the UK, to include:
- United Nations Universal Declaration on Human Rights
- European Convention on Human Rights and Fundamental Freedoms (ECHR), (Article 8 – Respect for privacy and family life, Article 10 – Freedom of Expression)
- Council of Europe Convention 108, 1981, its implementation by the Data Protection Act 1984, and updating of Convention 108
- OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 2013
- Data Protection Directive 95/46/EC
- Human Rights Act 1998
- Data Protection Act 1998
- Privacy and Electronic Communications Regulation 2003 and subsequent amendments to 2021
- General Data Protection Regulation 2016/679
- UK Data Protection Act 2018
- The purpose of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
- UK GDPR
- Illustrate how the wider territorial scope and jurisdiction of the EU GDPR and UK GDPR impacts on the processing of personal data by global organisations, including those who may not have a business (legal entity) established within the EU or the UK.
- Co-operation between independent supervisory authorities
- When a representative of the data controller is needed
Module 2: Principles of data protection and applicable terminology (5%)
- Interpret the major definitions in the UK GDPR and the Data Protection Act 2018. Candidates should also be able to explain these definitions and identify what information and processing activities are subject to the UK GDPR. The major definitions to be included are as follows:
- Personal data and Special category personal data
- Pseudonymisation
- Criminal Offence Data (Article 10 GDPR /Sections 10 & 11 DPA 18)
- Biometric Data
- Processing
- Profiling
- Controller
- Processor
- Data Subject
- Filing system
- Recipients and third parties
- Purely personal or household purposes
- The special purposes
- Demonstrate how the following UK GDPR principles regulate the processing of Personal Data and how they are applied:
- Lawfulness, Fairness and Transparency - Article 5 (1)(a)
- Purpose Limitation - Article 5 (1)(b)
- Data minimisation – Article 5(1)(c)
- Accuracy – Article 5 (1)(d)
- Storage limitation – Article 5 (1)(e)
- Integrity and confidentiality – Article 5(1)(f)
- Responsibility for accountability with the above principles (referred to as Accountability Principle) - Article 5 (2)
Module 3: Lawful bases for processing Personal Data (5%)
Illustrate the lawful bases for processing personal data listed under Article 6 of the UK GDPR, as displayed below:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public interest task
- Legitimate interests
- Describe the conditions for processing special category data and the associated conditions (DPA 2018, Part 1, Schedule 1)
- Explain what needs to be considered when existing personal data is processed for a new purpose
Module 4: Governance and accountability of data protection within organisations (20%)
- Identify the accountability and data governance obligation (Article 5 (2))
- Describe the purpose of a Data Protection Impact Assessment (DPIA) and when risks arising from one may need prior consultation with the supervisory authority/ICO (Article 36)
- Demonstrate the process of conducting a DPIA (Article 35)
- Explain what a record of processing activity (RoPA) is, the information it should contain and why this is important (Article 30)
- Outline the interplay with privacy notices (Article 13 & 14)
- Demonstrate how to adopt a data protection by design and by default approach (Article 25)
- Identify suitable information security measures (Article 32)
- Explain the designation, position and tasks of the Data Protection Officer (DPO) (Article 37 to 39)
Module 5: Interaction between controller and processor, and role of third parties (10%)
- Explain controller and processor obligations and identify principles (Article 24 & 28)
- Describe the concept of joint controllership (Article 26)
- Describe the act of processing under the authority of a controller or processor (Article 29)
- Explain what a Data Processing Agreement is and when it would be necessary in a controller-processor arrangement
- Identify who would be considered as a recipient or a third party and how this works in practice
Module 6: Transfers of personal data to third countries or international organisations (2.5%)
- Recognise the general principles for transferring personal data to third countries in both the UK and the EU, and illustrate what issues might arise from each of the following mechanisms:
- Adequacy decisions
- Post-Brexit adequacy regarding transfers under EU GDPR
- Post-Brexit adequacy regarding transfers under the Law Enforcement Directive
- Appropriate safeguards
- Standard Contractual Clauses
- Binding Corporate Rules
- Derogations (Article 49)
Module 7: Data subject rights (5%)
- Demonstrate a detailed knowledge of the key rights granted to individuals (Articles 12 to 17 and 21 to 22). Specifically, the candidate will be required to explain data subject rights in relation to:
- Being informed (transparency), including of further processing compatibility (Article 13 and Article 14)
- Subject access (Article 15)
- Prohibition against enforced subject access requests (Section 184 of DPA 18)
- Void contractual terms relating to health records (Section 185 of DPA 18)
- Rectification (Article 16)
- Erasure (Right to be forgotten) (Article 17)
- Objection (Article 21)
- Automated individual decision making and profiling (Article 22)
- Express awareness of the following rights in addition to the above. However, these will not be examined in the Practitioner Certificate.
- Restriction of processing (Article 18)
- Obligation to notify the rectification, erasure or restriction to recipients and the data subject (Article 19)
- Portability (Article 20)
- Demonstrate knowledge of the restrictions and exemptions that may affect data subject rights
- Restrictions (Article 23)
- Exemptions (Schedule 2 - Parts 1 to 4 of DPA 18)
Module 8: The role of independent supervisory authorities (ISAs) and the ICO (7.5%)
- Explain the role and importance of supervisory authorities
- Independence
- Competence and powers (Article 58 (1) & 58 (2))
- Consistency
- Review of DPIAs in cases of unmitigated high risk (Article 35 & 36)
- Explain the Role of the Information Commissioner’s Office (ICO)
- As a regulator
- Investigation and correction (Article 58)
- Enforcement of regulations
- Data protection audits by the ICO
- As a body that creates guidance and codes of practice
- Driving forward good privacy practice in their own jurisdictions and also internationally
- Promotion of approved privacy seals, certification schemes and availability of commonly used standards
- Advice and reporting to Parliament, the UK Government and other bodies
Module 9: Breaches, Enforcement and Liability (12.5%)
- Explain what constitutes a personal data breach
- Explain when the obligation arises to report breaches of personal data (Articles 33 & 34)
- To the supervisory authority
- Data subject
- Explain how a data protection complaint should be handled (Article 57 (1)(f))
- Describe the sanctions that could be imposed as a result of a personal data breach or data protection complaint:
- Information notices and assessments (Sections 145 and 146 DPA 18)
- Undertakings
- Enforcement notices (Section 149 DPA 18)
- Administrative fines and their levels (Article 83)
- Tier 1 fines (up to 2% (£8.7m under the UK GDPR))
- Tier 2 fines (up to 4% (£17.5m under the UK GDPR))
- Availability of multiple tiers of fines
- Describe the following liabilities:
- Compensation towards the data subject
- Liability between controller and processor
- Awareness of the existence of criminal liability regarding breaches under the Data Protection Act 2018
- Offences under the Computer Misuse Act 1990
- Identify the role of tribunal and judicial courts
- Appeals against decisions of the ICO
- Adjudication and enforcement of legal claims for data protection breaches
Module 10: Processing of personal data in relation to children (2.5%)
- Explain how data protection legislation applies to children:
- Explain the differences between the definitions of “child” within the UK GDPR (Article 8) and EU GDPR (Article 8)
- Describe the reasons outlined in Recital 38 of the UK GDPR as to why children’s data requires special protection when being processed
- Explain the concept of erasure (and the right to be forgotten) where it relates to children
- Explain what Information Society Services means
- Age-Appropriate Design – a code of practice for online services 2021 (as published by the ICO under Section 123) (Scope and awareness of principles)
Module 11: Specific provisions in data protection legislation of particular relevance to public authorities (7.5%)
- Define the meanings of public authority and public body and how it relates to both DPA 18 and the GDPR (Section 7 of DPA 18)
- Lawful basis – public interest task (Article 6 (1)(e))
- Interplay between availability of legitimate interests (Article 6 (1)(f) and Section 7 (2))
- Explain the provisions relating to Data Protection Officers (DPOs) for public authorities
- Mandatory requirement to appoint a DPO (Article 37 (1)(a))
- Explain awareness of the existence of the exemptions for health, social work and education (Schedule 3, DPA 18)
- Health data
- Social work data
- Education data, examination scripts and marks
- Child abuse data
Module 12: Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003 and subsequent amendments to 2021 (5%)
- Explain the relationship between PECR and the GDPR, including PECR’s:
- Objective and broad scope (email, phone, SMS, in-app messaging, push notifications)
- Provisions relating to electronic marketing communications (excluding fax)
- Role of the ICO in relation to PECR
- Investigating complaints
- Issuing codes of practice
- Application to service providers as outlined under Article 95 of UK GDPR.
Module 13: Application of data protection legislation in key areas of industry (10%)
- Recognise the data protection implications of the Employment Practices Code
- Describe how the use of CCTV (Data Protection Code of Practice for surveillance cameras and personal information) is governed by data protection law
- Identify how the use of cookies and digital technologies is governed by data protection law
- Explain how data sharing practices are governed by data protection law (ICO Data Sharing Code of Practice)
Exam Track
At the end of this accelerated course, you’ll sit the following exam at the Firebrand Training centre, covered by your Certification Guarantee:
BCS Practitioner Certificate in Data Protection exam
- Duration: 90 minutes
- Format: Open book, Multiple Choice
- Number of questions: 40 Multiple Choice questions
- Passing score: Passmark 26/40 (65%)
Prerequisites
Before attending this accelerated course, you should have:
The BCS Foundation Certificate in Data Protection, though this is not mandatory. We strongly recommend that candidates attend an accredited training course and are fully familiar with GDPR, the syllabus and any recommended reading outlined in the syllabus.
What's Included
Your accelerated course includes:
- Accommodation *
- Meals, unlimited snacks, beverages, tea and coffee *
- On-site exams **
- Exam vouchers **
- Practice tests **
- Certification Guarantee ***
- Courseware
- Up to 12 hours of instructor-led training each day
- 24-hour lab access
- Digital courseware **
* For residential training only. Accommodation is included from the night before the course starts. This doesn't apply for online courses.
** Some exceptions apply. Please refer to the Exam Track or speak with our experts.
*** Pass first time or train again free as many times as it takes, unlimited for 1 year. Just pay for accommodation, exams, and incidental costs.
Benefits
Seven reasons why you should sit your course with Firebrand Training
- Two options of training. Choose between residential classroom-based, or online courses
- You'll be certified fast. With us, you’ll be trained in record time
- Our course is all-inclusive. A one-off fee covers all course materials, exams**, accommodation* and meals*. No hidden extras.
- Pass the first time or train again for free. This is our guarantee. We’re confident you’ll pass your course the first time. But if not, come back within a year and only pay for accommodation, exams and incidental costs
- You’ll learn more. A day with a traditional training provider generally runs from 9 am – 5 pm, with a nice long break for lunch. With Firebrand Training you’ll get at least 12 hours/day of quality learning time, with your instructor
- You’ll learn faster. Chances are, you’ll have a different learning style to those around you. We combine visual, auditory and tactile styles to deliver the material in a way that ensures you will learn faster and more easily
- You’ll be studying with the best. We’ve been named in the Training Industry’s “Top 20 IT Training Companies of the Year” every year since 2010. As well as winning many more awards, we’ve trained and certified over 135,000 professionals
*For residential training only. Doesn't apply for online courses
**Some exceptions apply. Please refer to the Exam Track or speak with our experts