The DPA to GDPR Practitioner Certificate provides expert knowledge in data protection law and practices for mandatory DPOs and other privacy professionals.

Course Overview

This course is intended for Data Protection Officers holding a practitioner level qualification, such as the BCS Certificate, or similar. Those new to the subject are advised to gain a solid grounding in DPA, PECR and the EU Data Protection Directive before looking to advance their knowledge of GDPR.

Building on an existing base, our 3-day DPA to GDPR Practitioner Certificate offers a detailed examination of the fundamental differences between the Data Protection Act and the General Data Protection Regulation. The course asks participants to compare, evaluate, and understand the concepts of GDPR. In doing so, the aim is to equip attendees with the skills required to develop, implement and maintain a relevant sector-specific GDPR compliance programme.

The course demonstrates award holders are suitably qualified to fulfil the role of mandatory Data Protection Officers (DPO) within public bodies and commercial organisations under GDPR. If you're unsure about appointing a mandatory DPO under GDPR, take a look at our FAQs.

Freevacy is an approved training centre under the Innovate Awarding, Quality Endorsement Scheme. Innovate Awarding will issue attendees with a Certificate of Achievement on successful completion of the course.

Who should attend

This course is intended for:

  • Data Protection Officers working in larger businesses, corporations and the public sector
  • Information Governance (IG) and Information Assurance (IA) professionals (all grades)
  • Freedom of Information Managers
  • Head of Risk, Senior Information Risk Officers
  • Solicitors advising on information law
  • It is also beneficial for IT Security Managers in larger organisations and the public sector

By obtaining the Practitioner Certificate, individuals will be able to:

  • Understand the variations in the terminology between DPA, PECR and GDPR
  • Identify the definitions, criteria and methodologies of GDPR
  • Explain the GDPR Principles and the Rights of Data Subjects
  • Fulfil the responsibilities of mandatory appointed Data Protection Officers
  • Conduct DP Audits and Data Protection Impact Assessments
  • Develop data protection policies and implement procedures for
    • Consent
    • Complaint handling
    • Data breach notification to the Supervisory Authority and individuals affected
    • Overseas Data Transfers
    • Data processing contracts
  • Continually address compliance obligations during the transition from DPA to GDPR

For comparison purposes, this course aligns with the vocational qualification QCF Level 4.


The DPA to GDPR Practitioner Certificate is conducted over 3 consecutive days.

The following schedule is intended as a guide:

Day 1

9:30 Course administration
9:45 DP to GDPR Introduction
10:00 ICO First Steps
10:30 Tea break
10:45 General Provisions - Definitions
12:15 Lunch
13:00 Character Definitions
13:30 Principle 1
14:30 Tea break
14:45 Principles 2, 3, 4, 5, 7

Day 2

9:15 Recap – any questions
9:30 Principle 7 continued
10:00 Rights of the Data Subject
10:30 Tea break
10:45 Rights of the Data Subject cont.
12:15 Lunch
13:00 Right to object and Restrictions
13:45 Controller & Processor Responsibilities
14:30 Tea break
14:45 DPO and Codes of Conduct and Certification

Day 3

9:15 Recap – any questions
9:30 Transfers to 3rd countries
10:45 Tea break
11:00 Independent Supervisory Authorities
12:15 Lunch
13:00 Cooperation and consistency
13:30 Remedies, liabilities and penalties
14:45 Discussion over coffee

Course Contents

  • Data Protection Act to GDPR
    • Introduction – Purpose of the Regulations
    • Steps 1 & 2 from the ICO’s 12 steps to take now
      • Awareness
      • Information Asset List
  • General Provisions
    • Subject matter and objectives Article 1
    • Material scope Article 2
    • GDPR Definitions Article 4
    • GDPR Characters
  • GDPR Principles
    • Principles relating to processing personal data Article 5(1)
    • Accountability requirement Article 5(2)
    • Principle 1 – Lawfully, fairly and transparent Article 5(1)(a)
      • Lawfulness of processing
      • Consent
      • Special categories
      • Processing of criminal convictions and offences
    • Principle 2 – Purpose limitation
    • Principle 3 – Data Minimisation
    • Principle 4 – Accuracy
    • Principle 5 – Storage Limitations
    • Principle 7 – Integrity and confidentiality
  • Rights of the Data Subject (Principle 6 DPA)
    • Right to be informed
    • Right of Access
    • Rectification and erasure
      • Right to Data Portability
    • Right to object and automated decision-making
    • National derogations
  • Controller and Processor
    • General responsibilities
    • Data Protection by design and default
    • Security of personal data
      • Notification of data breach to Supervisory Authority
      • Notification of breach to data subject
      • Data Protection Impact Assessment (DPIA)
    • Data Protection Officer
    • Codes of conduct and Certification
  • Transfer of personal data to third countries (DPA Principle 8)
    • General principle for transfers
    • Assessing adequacy
    • Transfers with appropriate safeguards
    • Binding Corporate Rules
    • Derogations
  • Independent supervisory authorities
  • Cooperation and consistency
    • Mutual assistance
    • Joint operations
  • Remedies, liabilities and penalties
    • Right to lodge a complaint with the supervisory authority
    • Right to judicial remedy against Supervisory Authority
    • Right to judicial remedy against a controller or processor
    • Right to compensation and liability
    • Imposing administrative fines


The information outlined below follows the latest guidelines published by the EU's Article 29 Working Party on the Role of Data Protection Officers (DPOs) under the General Data Protection Regulation (GDPR) - dated 13th December 2016.

What is GDPR?

EU General Data Protection Regulation (GDPR) is the new legal framework that specifies how companies and public bodies must protect information relating to an identifiable natural person.

It replaces the 1995 EU Data Protection Directive and will supersede the UK Data Protection Act 1998 once it comes into effect.

Will GDPR impact businesses more than under the current legal framework?

Yes, it will. Due to the rapid advancement of technology, current data protection legislation is no longer fit for purpose. The new regulation aims to strengthen EU citizens’ rights to privacy in the digital age, regardless of the location of the processing activities.

Do we need GDPR?

Yes, we do. GDPR places much tighter controls on the activities of commercial organisations operating within or accessing the European Single Market.

Companies will need to consider privacy risks from the outset (privacy by design) and implement appropriate technical and organisational measures to mitigate those risks. It’s about taking a holistic approach. For example, implementing technical controls, such as pseudonymisation of personal data, or encryption of data rows within a database (in addition to the encryption of the database as a whole) might form part of a potential solution. However, thinking about what data to collect, with the onus being only to collect the data that is needed to do the job (data minimisation), is equally important.

Under GDPR, data protection is a much more hands-on role for commercial organisations, particularly with the introduction of mandatory Data Protection Officers (DPOs).

GDPR also aims to reduce the financial cost of compliance for international businesses by providing a simplified set of rules that apply to all 28 Member States.

When does the GDPR come into effect?

GDPR became law on 27 April 2016, triggering a two-year implementation period before it takes effect on 25 May 2018.

Unlike the EU Data Protection Directive it replaces, GDPR does not require any national legislation to be passed by the Member States.

If the UK is leaving the EU, is GDPR still relevant?

Yes, it is. On 24th October 2016, the UK government confirmed it would be implementing GDPR.

Data controllers and processors alike should, therefore, begin preparing to meet the requirements of the GDPR ahead of May 2018 and beyond.

What type of organisations will GDPR affect?

Once GDPR comes into effect, it will apply to:

  • Public bodies across the EU and including the UK
  • Commercial organisations (both data controllers and processors) operating within EU member states. This includes UK businesses and will continue to do so after the UK leaves the EU.
  • Data controllers and processors anywhere in the world who process personal data that relates to EU citizens.

How big are the fines under GDPR?

Under GDPR, there is a substantial increase in the size of monetary penalties organisations can be fined for a breach of the regulation.

GDPR operates a two-tiered system:

  • For the most severe offences fines can reach up to £17m (€20m) or 4% of global annual turnover, whichever is the greater
  • Other infringements of GDPR can result in fines of up to £8.5m (€10m) or 2% of global annual turnover, whichever is the greater

What is the new definition of a DPO under GDPR?

Under GDPR, a Data Protection Officer (DPO) is the person given formal responsibility for compliance with data protection within a business or public body.

Do I need to appoint a mandatory DPO under GDPR?

Not necessarily. Although GDPR introduces new obligations that require many businesses to designate a mandatory DPO, not all will need to do so.

What are the criteria for appointing a mandatory DPO under GDPR?

A mandatory DPO must be appointed where:

  • the data processing activity is carried out by a public body
  • the core activities of a business involve regular and systematic monitoring of individuals' personal data on a large scale
  • the core activities of a business include large scale processing of sensitive personal data (or other categories of data; including data relating to criminal convictions)

Note – An early draft of GDPR placed a threshold of 250 employees for companies appointing a mandatory DPO. The final version contains no such limit.

What constitutes ‘large scale’ processing under GDPR?

While GDPR does not set a precise limit, some activities are clearly large scale, such as processing at a regional, national or international level.

What does ‘regular and systematic monitoring’ mean under GDPR?

Amongst other things, the definition of ‘regular and systematic monitoring’ includes:

  • Internet tracking and profiling such as the use of cookies for behavioural marketing
  • Profiling or scoring for the purpose of risk assessment, such as credit scoring, fraud detection or to establish insurance premiums
  • Location tracking by mobile apps or health data derived from wearable fitness devices
  • CCTV, connected devices, smart meters, home automation
  • Loyalty programmes

Does it matter who is appointed DPO under GDPR?

Yes, it does. The role of the DPO must be independent and able to carry out their functions without instruction or obstruction from the rest of the organisation.

C-suite executives (incl. CEO, CFO, COO) and heads of department (incl. marketing/HR/IT) are considered to have a conflict of interest and are not suitable.

Can a DPO be a part-time role under GDPR?

Yes, it can. If the data processing activities of an organisation require the appointment of a DPO, but those duties do not amount to a full-time position, then a part-time role will be sufficient.

Note - The role must be autonomous and independent. There must be no conflict of interest, and the DPO should be given the same support to carry out their responsibilities as if it were a full-time position.

Can I appoint an external DPO under GDPR?

Yes, you can. Employees and external contractors can perform the role of DPO.

It is imperative that the DPO has (or can gain) sufficient knowledge of the organisation and the data processing activities to fulfil their obligations.

Can I appoint a DPO team under GDPR?

Yes, you can. Large commercial or public organisations may find it necessary to select a team to support the DPO.

Can I appoint a group DPO under GDPR?

Yes, you can. A group of companies can appoint either a single DPO or a DPO team, providing the DPO is readily available for each business location. Contact information should be easily accessible.

Note – The DPO will need to communicate in the language of any territory to which they are appointed.

Can I appoint a voluntary DPO under GDPR?

Yes, you can. A company may choose to voluntarily appoint a DPO even if it is not legally required to do so. It is important to note, however, this action will bind the business into adhering to the full range of DPO compliance obligations as if it had been a mandatory appointment.

What is the role of the DPO under GDPR?

The DPO should be involved with any data protection compliance related matter from the outset. The role will include any and all situations, discussions, or meetings where decisions regarding data processing activities take place.

What tasks is the DPO responsible for under GDPR?

The DPO is responsible for ensuring compliance with GDPR (and other data protection legislation such as PECR).

Duties will include:

  • monitoring GDPR compliance
  • providing advice to the organisation (and its employees) on their obligations to comply with GDPR
  • day to day management of data protection activities
  • ensuring data protection staff training is up to date
  • conducting internal DP Audits
  • advising on Data Protection Impact Assessments (DPIAs)
  • working and cooperating with supervisory authorities such as the ICO on issues that involve the processing of personal data
  • being available to data subjects for issues surrounding the organisation's data protection practices, withdrawal of consent, the right to be forgotten, and other related rights

In carrying out their duties, DPOs should be offered full support from management and given ample time, continuous training and appropriate financial resources to perform their responsibilities.

Under GDPR, what level of expertise will DPOs require?

To fulfil the role, a DPO must have expert knowledge of data protection law and practices. The level of knowledge required is dependent on the complexity of the data processing activities and sensitivity of the data.

What are the entrance criteria for the GDPR DPO Certificate?

The GDPR Data Protection Officer Practitioner Certificate is intended for those who have pre-existing knowledge of data protection. The course is demanding, and participants will be expected to draw upon their knowledge of DPA, PECR and the EU Data Protection Directive.

The entrance criterion for attending the GDPR Data Protection Officer Certificate is a practitioner level qualification, such as the BCS Certificate, or similar.

Not sure about which data protection (GDPR) training path to take?

If you work in a business or public body required to appoint a mandatory DPO, we have 2 options for you:

  • For existing Data Protection professionals holding a qualification such as the BCS Practitioner Certificate, take the DPA to GDPR Practitioner Certificate (this one).

    Recommended training path: DPA to GDPR Practitioner Certificate

  • For newly appointed DPOs or professionals without a practitioner level qualification in data protection, we recommend advancing your knowledge in DPA, PECR and the EU Data Protection Directive before progressing to GDPR.

    Recommended training path: BCS Practitioner Certificate in Data Protection + DPA to GDPR Practitioner Certificate

    Note – All organisations require the knowledge to maintain compliance with the current legislative framework throughout the transition to GDPR.

If you work for an SME, or any business not required to appoint a mandatory DPO, we recommend:

  • BCS Foundation Certificate in Data Protection
  • An additional custom GDPR briefing or the DPA to GDPR Practitioner Certificate may also be chosen where data collection practices are more advanced or include EU citizens’ personal data other than UK nationals. Get in touch if you are unsure which path to take. We can help you work it out.

What happens if a business or public body fails to appoint a DPO under GDPR?

Any organisation that does not fulfil its obligations regarding the appointment and support of a DPO may face fines under the GDPR.

The UK supervisory authority (the ICO) will have powers to impose fines of up to £8.5m (€10m) or 2% of global annual turnover, whichever is the greater.

Onsite option

If you have a team of 3 or more, we can deliver the training at your location.

Let us know what dates you have in mind and the size of your group.

What our customers have to say

  • Good overall structure, well paced and easy going and personable tutor.

    Thoroughly enjoyable

    Prakash Mistry
  • Joyce is a fantastic tutor who thoroughly knows her subject and made a very dry course incredibly enjoyable. The delivery and materials are excellent and I will be recommending Freevacy for future use.

    Caroline Higton
  • Joyce made the course very interesting and will help me a lot with my job.

    Diane Ahearn
  • Joyce is very knowledgeable and patient when dealing with all our queries and questions. Very good course.

    Christine Elliott
  • The tutor made the course very interesting.

    Lorna Geach
  • Thank you Joyce @ Freevacy - Excellent knowledge and delivery.

    Pete Cokell
  • We needed in-house DP and FOI training for the whole team – both the “old hands” and the new learners. Freevacy offered us sessions on-site, plus supported revision up to the exam. The trainer directed learning at the right level for each person, with 100% success.

    Robert Beane, Veritau Ltd