First launched in 1998, the BCS (formerly ISEB) Practitioner Certificate is the leading independent professional workplace qualification for individuals with privacy or data protection responsibilities. Through the years, BCS has shown a continued commitment to evolving the practitioner certificate. In doing so, it has become the most trusted certificated data protection training programme in the UK and is often listed by employers as a required qualification. The latest version of the BCS Syllabus (v8.5), which this accredited training course is based, has recently been updated to cover the General Data Protection Regulation (GDPR), the Data Protection Bill and the e-Privacy Regulation.

What's included

  • Public
  • Onsite class available
  • Intermediate
  • Pre-course reading
  • Day
  • Classroom training
  • +40 hours revision
  • Exam preparation
  • 2 hour BCS examination

Course Overview

The BCS Practitioner Certificate in Data Protection confirms the ability of award holders to fulfil the mandatory appointed role of a Data Protection Officer (DPO) or to lead GDPR compliance within their organisation, department or group.

This BCS accredited course requires participants develop a deep understanding of both EU and UK data protection laws and how to apply them in a workplace environment. Rather than focus on the rigid mechanics of regulation, the course places privacy in the context of human rights and promotes good practice within organisations.

The course concentrates on the incoming EU General Data Protection Regulation (GDPR) and associated legislation. Specifically examining the complexity of the interactions between the UK Data Protection Bill along with the new EU ePrivacy Regulation, which is set to repeal the Privacy and Electronic Communications Regulations (PECR).

Delivered over 5-days the course follows the latest BCS Syllabus (v8.5). Participants will also receive a separate 1-day online revision course to help prepare for the BCS Practitioner Exam. The BCS exam consists of a 2hr, 3-part separate exam made up of 20 simple multiple choice questions, 20 complex multiple choice questions, and 12 short answer written questions. The pass mark is now 65% with 80% for a distinction.

Who should attend

This course is intended for:

  • Data Protection officers working in larger business, corporations and the public sector
  • Information Governance (IG) and Information Assurance (IA) professionals (all grades)
  • Freedom of Information Managers
  • Head of Risk, Senior Information Risk Officers
  • Solicitors advising on information law
  • It is also beneficial for IT Security Managers in larger organisations and the public sector

By obtaining the Practitioner Certificate, individuals will:

  • Hold the leading practitioner level accredited qualification in data protection
  • Possess in-depth practical knowledge of DPA & PECR and the major differences to GDPR
  • Understand the legal requirements of the 8 Data Protection Principles
  • Have the confidence to lead organisational compliance for data protection
  • Be able to give advice and support on relevant information handling standards and frameworks
  • Be equipped to develop data protection policies and implement procedures that continually address compliance obligations

The BCS Practitioner Certificate in Data Protection aligns with the vocational qualification QCF Level 4. Note, this link is advisory and for comparison purposes only. Ofqual does not regulate BCS qualifications.


The BCS Practitioner Certificate in Data Protection course is conducted over 5 consecutive days.

The following schedule is intended as a guide:

Day 1 9:30 Course administration
9:45 Exam details and techniques
10:15 Why the Data Protection Act?
10:30 Morning refreshments
10:45 Why the Data Protection Act? Cont.
11:15 Data Protection Act - Context
12:00 Data Protection Act - Definitions
12:30 Lunch
12:45 Data Protection Act - Definitions cont.
13:30 Afternoon tea
12:45 Data Protection Act - Definitions cont.
Homework Read Code of Practice CCTV
Day 2 9:00 Review and questions
9:15 DPA Principles
10:30 Morning refreshments
10:45 DPA Principles
12:30 Lunch
13:15 DPA Principles
14:45 Afternoon tea
15:00 DPA Principles (stop at Principle 5)
Homework Prepare questions for Q&A
Day 3 9:00 Review and questions
9:30 DPA Principles (Principle 6 onwards)
10:30 Morning refreshments
10:45 DPA Principles
12:30 Lunch
13:15 DPA Principles
14:45 Afternoon tea
15:00 DPA Principles
Homework Prepare for recap exercises
Day 4 9:00 Review and questions
9:15 Exercise and review
10:00 Notification
10:30 Morning refreshments
10:45 Notifications and exercise
12:30 Lunch
13:15 Exemptions
14:45 Afternoon tea
15:00 Role of the Information Commissioner 
Homework Prepare questions for Q&A
Day 5 9:00 Review and questions
9:30 Offences
10:30 Morning refreshments
10:45 Privacy & Electronic Communications Regulations
12:30 Lunch
13:15 Exercise
13:45 Associated legislation

Course contents

The topics covered in this course include:

  • Preliminary
    • Course Aims
    • Exam Technique and format
    • Course syllabus and reading the Act
    • The Commissioners around the British Isles
  • Introduction
  • Looking at Privacy in the UK
  • The history of Data Protection from the Declaration of Human Rights to now
  • Further legislation
    • Human Rights Act 1998
    • Freedom of Information Act 2000
    • Criminal Justice and Immigration Act 2008
    • Coroners and Justice Act 2009
    • The General Data Protection Regulations (GDPR)
  • Long and short title of the ’89 Act
  • Definitions
    • Types of processing data under the Act
    • Personal and Sensitive personal data
    • Relevant filing and processing
    • Data Matching
    • Data Protection Act’98 characters
      • Data Subject
      • Data Controller
      • Data Processor
      • Recipient
      • 3rd Parties
  • Data Protection Principles
    1. Processing Fairly and Lawfully
      • Schedules 2 and 3
    2. Specified and lawful processing
    3. Adequate, relevant and not excessive
    4. Accurate and where necessary up-to-date
    5. Retention – not held for longer than necessary
    6. The rights of the Data Subject
      • Including further qualified rights
    7. Security
    8. Overseas transfers
      • Including Schedule 4
  • Notification
  • Introduction
    • Who would need to notify
    • Offences and Fees
  • Requirements of Notification
    • Registrable particulars
    • Security statement
  • Exemptions for notification
  • Exemptions
    • Exemption Provisions
      • Subject Assess provision
      • Subject Information Provision
      • Non-disclosure Provision
    • Exemptions within the syllabus
      • Domestic Purposes
      • Crime and taxation
      • Disclosures required by law to be made public
      • Disclosures required by law and in connection with legal proceedings
      • Special purposes – Journalism, Literature and Artistic
      • Research, History, and Statistics
      • Miscellaneous exemptions
  • Role of the Information Commissioner
    • The office of the ICO
      • Functions of the Commissioner
      • Role of the ICO
    • The Codes of Practice
    • Enforcement
      • Undertakings
      • Notices
      • Entry and inspection
  • The General Regulatory Chamber
    • About Information Rights Tribunal
    • The appeal process
  • Offences
    • Liability
    • Penalties
    • The offences
    • The defences in law
    • The Privacy and Electronic Communication Regulations 2003 (PECR)
  • Further regulations and codes of practice affecting marketing 2009
  • Traffic and location data
  • Calling or called line identification (CLI)
  • Direct Marketing by Electronic Means
    • Solicited and unsolicited marketing
    • Individual subscribers
    • Corporate subscribers
    • Market research and sugging
    • Lead generation
  • Consent
    • Implied
    • Indirect
    • Proof of consent
  • Direct marketing by telephone
  • Direct marketing faxes
    • Preference Services
  • Direct marketing by electronic mail
    • Soft-opt-in

Practitioner Certificate in Data Protection (PC-DP) Syllabus

This professional certification is not regulated by the following United Kingdom Regulators - Ofqual, Qualification in Wales, CCEA or SQA.

1. Context (2.5% - 1.0 hours of course work)

The objective is to ensure a basic appreciation of the context of data protection law and in particular that privacy is wider than data protection.

1.1 What is privacy?

1.1.1 The right to private and family life and the relevance of confidentiality.

European Convention on Human Rights and Fundamental Freedoms, UK Human Rights Act

1.2.1 OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data 2013
1.2.2 Council of Europe Convention 108, 1981
1.2.3 Data Protection Act 1998
1.2.4 Data Protection Directive 95/46/EC
1.2.5 Telecommunications Directive 97/66/EC, Privacy and Electronic Communications Directive 20002/58/EC, and subsequent revisions of the latter.

NB Candidates are not expected to have a detailed knowledge of the above.

2 The Law (52.5% - 21 hours of course work)

As this is a certificate course and only 21 hours are allocated for instruction on this part of the syllabus, knowledge and understanding of the whole Act is not expected.

2.1 Data Protection Act (45% 18 hours course work)

2.1.1 The definitions

The objective is to ensure that candidates know, and understand the major definitions in the Act and how to apply them in order to identify what information and processing activities are subject to the Act.

  • Data (including relevant filing system, accessible records and category (e) unstructured data)
  • Personal data
  • Processing
  • Data Subject
  • Data controller
  • Data Processor
  • Recipient - Third Party
  • Sensitive Personal Data
  • The Special Purposes

Though candidates are expected to be aware that the Freedom of Information Act (FOI) 2000 created a new category of data, category (e) data, they are not expected to understand the implications of this in respect of the Section 7 right of subject access and are not expected to cover s33A(1) and s33A (2).

2.1.2 The Role of the Commissioner

The objective is to ensure an understanding of the role and main powers of the Information Commissioner. The following are to be covered. Enforcement (including roles of the First-tier Tribunal and the Courts)
  • Information and Enforcement Notices
  • Prosecution - Warrants (entry/inspection) (Schedule 9,1(1) & 12 only – that is a basic understanding of grounds for issuing and nature of offences)
  • Assessment Notices (s41A-s41C) including effect of s55 (3) added by the Coroners and Justice Act 2009 which provides that the Information Commissioner may not issue a monetary penalty notice in respect of anything found in pursuance of an assessment notice or an assessment under s51 (7).
  • Monetary penalties (s55A-55E) including the effect of the s55 (3A) provision. Carrying out s42 assessments Codes of Practice

(including s52A-52E Code of Practice on data sharing) and all current ICO issued Codes but not any codes issued by other bodies. Candidates will be expected to have a broad understanding of s52A-E, to appreciate the distinction between a statutory code and other ICO issued codes and have a broad understanding (but not a detailed knowledge) of ICO issued codes.

2.1.3 Notification

The objective is to ensure a broad, but not detailed, understanding of the notification scheme and a grasp of how to apply the notification exemptions.

  • Information to be notified and the public register (NB candidates need to know that public authorities have to register this fact but not the definition of a “public authority”).
  • The exemptions from notification.
  • A basic understanding of the two tier fee regime.
2.1.4 The Data Protection Principles (20% 8/9 hours NB this is part of the 18 hours for 2.1 the Data Protection Act)

The objective is to ensure an understanding of how the principles regulate the processing of personal data and how they are enforced, as well as an understanding of the individual principles in the light of guidance on their interpretation found in Part II of Schedule 1. Candidates will be required to show an understanding of the need to interpret and apply the principles in context.

  • Introduction: how the principles regulate and how they are enforced including Information and Enforcement Notices.
  • First Principle, including transparency and Schedules 2 and 3
  • Second Principle
  • Third Principle
  • Fourth Principle
  • Fifth Principle
  • Sixth Principle
  • Seventh Principle
  • Eighth Principle, including paragraph 13 of Part II of Schedule 1 and Schedule 4

NB First Principle above - Candidates should appreciate the distinction between the grounds for processing in Schedules 2 and 3 and the non-disclosure exemptions. They should also have basic understanding of the law of confidence and the potential interaction with the First Principle.

2.1.5 Individual Rights

The objective is to ensure an understanding of the rights conferred by the Act and how they can be applied and enforced.

  • Right of subject access
  • Right to attempt to prevent processing likely to cause damage or distress
  • Right to prevent processing for the purpose of direct marketing
  • Rights in relation to automated decision taking
  • Right to compensation
  • Right to rectification, blocking, erasure and destruction
  • Right to request s42 assessment of processing

NB Re. subject access fees: Candidates are only expected to know that the standard fee is £10 and are not expected to know, for example, the fee regime in respect of educational records.

2.1.6 Exemptions

The objective is to ensure awareness of the fact that there are exemptions from certain provisions of the Act, and knowledge and understanding of some of these and how to apply them in practice. Candidates are not expected to have a detailed knowledge of all the exemptions. The following are expected to be covered in some detail:

  • Domestic Purposes
  • Crime and Taxation (s29 (1), (2), and (3) only)
  • Information required to be made public
  • Disclosures required by law or made in connection with legal proceedings
  • Confidential references
  • Management forecasts and planning
  • Negotiations
  • Research, history and statistics
  • Special purposes (s32 (1), (2) & (6) only) and not how these provisions have been interpreted by the courts
  • Legal professional privilege (a basic understanding of the circumstances in which this might apply only)
2.1.7 Offences

The objective is to ensure an awareness of the fact that there are a range of offences under the Act and of the role of the Courts as well as an appreciation of how certain specified offences apply in practice. It is not intended that candidates should have a detailed knowledge of all the offences. The candidates will be expected to cover:

  • Unlawful obtaining and disclosure of personal data
  • Unlawful selling of personal data
  • Processing without notification
  • Failure to notify changes in processing
  • Failure to comply with an Enforcement Notice, an Information Notice or Special Information Notice.
  • Warrant offences (Schedule 9,12)

2.2 Privacy and Electronic Communications (EC Directive) Regulations 2003 (5% 2 hours course work)

The objective is to ensure an awareness of the relationship between the above Regulations and the Act, an awareness of the broad scope of the Regulations and a detailed understanding of the practical application of the main provisions relating to unsolicited marketing.

  • Objective and broad scope
  • Provisions relating to unsolicited marketing calls
  • Provisions relating to unsolicited marketing faxes
  • Provisions relating to unsolicited marketing emails (including SMS)

2.3 Associated legislation (2.5% 1 hour course work)

The objective is to ensure a basic awareness of some other legislation which is relevant and an appreciation that data protection legislation must be considered in the context of other law.

  • Computer Misuse Act 1990 – awareness of broad scope.
  • Freedom of Information Act 2000 – awareness of broad scope and inter-relationship with Data Protection Act 1998
  • Regulation of Investigatory Powers Act 2000 and The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 – awareness of law regarding monitoring communication
  • Crime and Disorder Act 1998 – awareness of power to share information
  • Anti-Terrorism Crime and Security Act 2001 – awareness of power to use information without consent
3 Application (45% - 18 hours of course work)

The objective is to ensure an understanding of the practical application of the Act in a range of circumstances. This will include detailed analysis of sometimes complex scenarios, and deciding how the Act applies in particular circumstances and explaining and justifying a decision taken or advice given.

3.1 How to comply with the Act

  • Identification of processing subject to the Act
  • Notification in practice
  • Using Privacy Impact Assessments
  • Adopting a Privacy by Design approach
  • Policies and practice to adopt to comply with the 7th Principle including when to notify a data loss –
  • Policies and practice to adopt for data subject access

3.2 Addressing scenarios in specific areas

  • Marketing
  • Financial services
  • Local Government
  • Central Government
  • Human Resource management
  • Health sector

3.3 Data processing topics

  • Monitoring – internet, email, telephone calls and CCTV
  • Use of the internet (including Electronic Commerce)
  • Data matching
  • Disclosure and Data sharing

The focus here is on the practical application of the Act, particularly in circumstances where this might not be clear-cut as will often be the case in real life. It is strongly recommended that case studies/scenarios and practical examples are used so that candidates become familiar with the practicalities of compliance. Compliance advice on particular topics and for specific sectors is published by the Information Commissioner. It is strongly recommended that human resource management related issues are addressed.

The full BCS PC-DP Syllabus can be viewed here syllabus on the BCS website.

Exam Preparation Day

The topics covered in this session include:

Part 1. Online discussion and presentation

  • Exam technique
  • Timing
  • Completing the exam paperwork
  • How to break down BCS exam questions
    • Reading questions properly
    • Answering questions correctly
  • Exercises
  • Group discussion, 3 example questions

Part 2. Mock exam

  • 1 1/2 hour mock exam (50% of the exam paper)

Part 3. Discussion, Q&A, review of the mock exam

  • Group discussion, mock exam answers

Following the examination prep day, the instructor will evaluate each student’s mock paper and provide individual feedback. This will include direct comments on the answers, exam technique and offer guidance for further study areas.

Duration and Format of the Examination

The examination is a three-hour closed-book examination comprising three sections. The format is as follows with a balance of questions across the syllabus.

Section A:

20 multiple choice questions (1 mark each). All questions to be attempted.

Section B:

8 short answer bullet point questions (5 marks each). All questions to be attempted.

Section C:

6 essay style questions (10 marks each). 4 questions should be attempted. Longer more detailed responses are required. While some questions will require a detailed explanation of provisions of the law, others will require discursive answers covering the practical application of the law in particular circumstances.

The examination is held independently of the accredited course.

Pass Mark

The pass mark is 50/100. This equates to 50%


Distinctions will be awarded to candidates who achieve 80 or more.

Format of the Examination

  • 20% multiple choice
  • 40% short bullet point answers
  • 40% discursive essays
Duration 3 Hours. An additional 45 minutes will be allowed for candidates sitting the examination in a language that is not their native language
Invigilated Yes
Open Book No
Pass Mark 50/100 (50%)
Distinction Mark 80/100 (80%)
Calculators Calculators cannot be used during this examination
Delivery Paper based examination only

Additional time for candidates requiring Reasonable Adjustments

Candidates may request additional time if they require reasonable adjustments. Please refer to the reasonable adjustments policy for detailed information on how and when to apply.

Additional time for candidates whose language is not the language of the exam

An additional 25% (45 minutes) will be allowed for candidates sitting the examination in a language that is not their mother tongue. If the examination is taken in a language that is not the candidate’s native/official language, then they are entitled to use their own paper language dictionary (whose purpose is translation between the examination language and another national language) during the examination. Electronic versions of dictionaries will not be allowed into the examination room.

The full BCS PC-DP Syllabus can be viewed here syllabus on the BCS website.

Course dates

Code Course Start Duration Location Booking
PC-DP BCS Practitioner Certificate in Data Protection 15 Jan 18 5 days Bedford Book now
19 Mar 18 5 days Bedford Book now
30 Apr 18 5 days Bedford Book now
18 Jun 18 5 days Bedford Book now
16 Jul 18 5 days Bedford Book now
10 Sep 18 5 days Bedford Book now
5 Nov 18 5 days Bedford Book now

Examination Events

When booking onto one of the above course dates, you will be asked to select the dates for your examination events.

Exam preparation day Date Duration Format
We recommend choosing a date 4-8 weeks after attending the course. 4 Jan 18 1 day online
15 Feb 18 1 day online
10 May 18 1 day online
7 Jun 18 1 day online
30 Jul 18 1 day online
29 Aug 18 1 day online
11 Oct 18 1 day online
13 Dec 18 1 day online
BCS exam Date Duration Location
We recommend booking onto a BCS Exam 4 to 6 weeks after preparation day. 25 Jan 18 ½ day Bedford
28 Mar 18 ½ day Bedford
24 May 18 ½ day Bedford
28 Jun 18 ½ day Bedford
30 Aug 18 ½ day Bedford
27 Sep 18 ½ day Bedford
25 Oct 18 ½ day Bedford
17 Jan 19 ½ day Bedford

Onsite option

If you have a team of 3 or more, we can deliver the training at your location.

Let us know when you have in mind and the size of your group.

Ask about an Onsite Course

What our customers have to say

  • Good overall structure, well paced and easy going and personable tutor.

    Thoroughly enjoyable

    Prakash Mistry
  • Joyce is a fantastic tutor who thoroughly knows her subject and made a very dry course incredibly enjoyable. The delivery and materials are excellent and I will be recommending Freevacy for future use.

    Caroline Higton
  • Joyce made the course very interesting and will help me a lot with my job.

    Diane Ahearn
  • Joyce is very knowledgeable and patient when dealing with all our queries and questions. Very good course.

    Christine Elliott
  • The tutor made the course very interesting.

    Lorna Geach
  • Thank you Joyce @ Freevacy - Excellent knowledge and delivery.

    Pete Cokell
  • We needed in-house DP and FOI training for the whole team – both the “old hands” and the new learners. Freevacy offered us sessions on-site, plus supported revision up to the exam. The trainer directed learning at the right level for each person, with 100% success.

    Robert Beane, Veritau Ltd