A GDPR & DPA18 Foundation Certificate from BCS for anyone involved in the acquisition, use and protection of personal information

About this Course

The Foundation Certificate in Data Protection is intended for a broad audience. Since its introduction in 2014, the BCS has issued over 1500 certifications across IT, HR, marketing, customer support and other service delivery departments alongside those new to traditional compliance or information security roles. With new privacy laws transforming the way in which organisations approach data protection, frontline employees who come into contact with personal information must ensure compliance is continually addressed. To this end, the BCS has signified its commitment to this foundation level qualification. The current version of the BCS Syllabus (v2.5) has been updated to cover the General Data Protection Regulation (GDPR), which came into force on 25 May 2018.

What's included

  • Pre-course
  • 3.5-hour online sessions
  • Flexible live interactive training
  • In course exam preparation
  • 1-hour online BCS examination

Course Overview

The BCS Foundation Certificate in Data Protection will benefit any employee whose role requires them to take active measures to protect individuals' personal information and to uphold their rights to privacy.

Participants attending this BCS accredited GDPR training course will develop a practical understanding of EU and UK data protection laws and how to apply them in everyday workplace situations. The focus is on the incoming EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. The course also looks at the new EU ePrivacy Regulation, which is set to repeal the Privacy and Electronic Communications Regulations (PECR).

Delivered over 3 days, the GDPR Foundation Certificate is a recognised workplace qualification. The course follows the latest BCS Syllabus (v2.4) and prepares participants for the 1-hour multiple-choice BCS Foundation Exam that concludes the course.

Course Rationale

Choosing the BCS Foundation Certificate in Data Protection to develop the skills of select personnel within departments that process high volumes of personal information will be viewed as a positive step, one that outwardly demonstrates a strong commitment to building deeper, more trusting relationships with customers, service users, stakeholders and employees alike.

Investing in the BCS Foundation to train operational employees will also help to reduce unnecessary human errors that can lead to a devastating and costly data breach, and could potentially result in a cut to cyber-insurance premiums. Ultimately, however, it means that maintaining a constant state of compliance with the GDPR will become a more realistic objective.


The BCS Foundation Certificate in Data Protection course is a GDPR training course conducted over 3 consecutive days.

The following schedule is intended as a guide:

Day 1
9:00 Introductions, Course objectives, Exam details & techniques
9:30 Multiple-choice questions based on pre-course reading
10:00 Privacy, History and Associated legislation
10:15 Morning refreshments
10:30 Moving into a new era of data protection
10:45 Data Protection / GDPR Definitions
12:00 DP Principles (GDPR) Lawful Processing
12:30 Lunch
13:00 DP Principles (GDPR) Lawful Processing cont.
14:30 Afternoon tea
14:45 DP Principles (GDPR) Special Processing
Homework: Revision reading and multiple-choice sample questions

Day 2
8:45 Review and questions
9:10 Rights of the Data Subject
10:30 Morning refreshments
10:45 Rights of the Data Subject cont.
11:45 Transfers to third countries
12:30 Lunch
13:00 Registration
13:15 Exemptions - National Derogations
14:15 Afternoon tea
14:30 Data Controllers and Data Processors
Homework: Revision reading and multiple-choice sample questions

Day 3
8:45 Review and questions
9:10 Data Controllers and Data Processors - DPO
10:15 Morning refreshments
10:30 Supervisory Authority
11:15 Offences
12:00 Lunch
12:30 e-Privacy - PECR
14:00 BCS 1 hour multiple-choice examination

Who should attend?

This course is intended for:

  • New team members in data protection, compliance or privacy roles 
  • Information Governance (IG) and Information Assurance (IA) teams
  • IT Security and Information Security specialists
  • Corporate IT and HR teams along with project managers
  • Marketing and sales professionals
  • Customer support and service delivery team members
  • It also benefits senior managers or directors of small and medium-sized businesses

By obtaining the Foundation Certificate, individuals will:

  • Hold a recognised foundation level qualification in GDPR
  • Understand the significant changes that the GDPR and the UK Data Protection Act 2018 introduce to data protection
  • Appreciate both the individual and organisational responsibilities faced by data controllers and data processors
  • Recognise the importance of keeping accurate internal records of personal data being processed
  • Be familiar with the 6 lawful bases for processing and know which to apply to specific purposes
  • Understand the reasons for and implications of the new rights made available to data subjects  
  • Contribute towards the ongoing commitment to maintain compliance with the GDPR and the UK Data Protection Act 2018.

The BCS Foundation Certificate in Data Protection aligns with the vocational qualification QCF Level 2. Note, this link is advisory and for comparison purposes only. Ofqual does not regulate BCS qualifications.

BCS Syllabus

Foundation Certificate in Data Protection (FC-DP)
Extracted from syllabus version 2.4
December 2017

This professional certification is not regulated by the following United Kingdom Regulators - Ofqual, Qualification in Wales, CCEA or SQA.

(6% - 1 hour of coursework)

The objective is to ensure the candidate has a basic understanding of the evolution of data protection law in the UK and the relationship with the EU General Data Protection Regulation (GDPR). The syllabus reflects the legal provisions of the UK Data Protection Bill 2017 and will be updated should there be any changes once it is enacted as the new UK Data Protection Act.

  1.1 Context of data protection law

    The objective is to ensure that the candidate is able to summarise the revised structure, legal context and wider scope of GDPR and its positioning in relation to the current UK Data Protection Act 1998 and the status of the UK Data Protection Bill, including the following:

    1.1.1 EU Directive 2016/680, the Data Protection Law Enforcement Directive (DPLED)
    1.1.2 The Privacy and Electronic Communications (EC Directive 2002/58/EC) Regulations 2003
    1.1.3 UK Human Rights Act 1998
    1.1.4 EU Charter of fundamental rights and freedoms (Article 8)
    1.1.5 UK Data Protection Bill, Part 2, Chapters 1 to 3

    NB The candidate is expected to have a basic knowledge of the existence of the above and how UK data protection has evolved. The candidate is not expected to have a detailed knowledge of the provisions.

  1.2 The role of the Supervisory Authority (Information Commissioner's Office [ICO])

    Specifically, the candidate will be expected to be able to identify:

    1.2.1 Registration (Notification) scheme
    1.2.2 Information Fee (Section 108, Digital Economy Act 2017)
    1.2.3 Provision of guidance
    1.2.4 Codes of practice
    1.2.5
    1.2.6 Co-operation between supervisory authorities
    1.2.7 European Data Protection Board

    NB Details of enforcement provisions and specific codes are covered elsewhere in the syllabus.

  1.3 Territorial scope and jurisdiction of the GDPR (Articles 2 and 3)

    Specifically, the candidate will need to recognise the following:

    1.3.1 Main establishment and the one-stop shop
    1.3.2 When EU representative is needed

  1.4 Transfers of personal data outside the EU

    Specifically, the candidate will be required to recognise the general principles for transferring personal data to third countries, on the basis of:

    1.4.1 An adequacy decision by the EU
    1.4.2 Binding Corporate Rules:
      - Contractual Clauses
      - Binding Corporate Rules
    1.4.3 Derogations for Special circumstances

2 Identification of processing that must comply with the data protection law

(13% - 2 hours of coursework)

  2.1 Definitions

    Specifically, the candidate will be expected to identify the following UK definitions that support the application of the GDPR and the lawfulness of processing:

    2.1.1 Personal data
    2.1.2 Special category personal data
    2.1.3
    2.1.4 Filing system
    2.1.5 Data controller
    2.1.6 Data processor
    2.1.7 Data subject
    2.1.8 Public authority, Scottish public authority and public body, (including Crown and Parliament)
    2.1.9 Manual unstructured data held by a FOIA/FOISA public authority
    2.1.10
    2.1.11
    2.1.12
    2.1.13 Child’s consent in relation to information society services
    2.1.14 Personal data breach
    2.1.15 Processing for purely personal or household purposes exemption

3 Understanding the data protection principles

(31% - 5 hours of coursework)

The objective is to ensure that the candidate can identify how the six fundamental principles of data protection set out in Article 5(1) of the GDPR regulate the processing of personal data, as well as an understanding of the differences between them. The candidate will also be expected to understand data controller and data processor accountability established in Article 5(2).

  3.1 Lawfulness of processing

    Specifically, the candidate will need to be able to identify the lawful conditions (grounds) that must be satisfied in order to lawfully process personal data and special categories of personal data described in Article 6 and 9 of the GDPR, including:

    3.1.1 Conditions for consent (Article 7 and Recitals 32, 42 and 43)
    3.1.2 Consent of a child in relation to information society services (Article 8)
    3.1.3 Processing of special category data by a controller bound by legal, professional or other binding obligations of secrecy (common law duty of confidentiality):
      - We are not talking about the Information Commissioner’s obligations of secrecy
      - Note: refer to Recital 50 “expectations of privacy” by a data subject in relation to further processing and Schedule 1, para 2 (3) and Chapter 2, Part 2 – the GDPR, Section 10, para (1) of the DP Bill
    3.1.4 Personal data relating to criminal convictions and alleged offences (Article 10)
    3.1.5 Processing which does not require identification (Article 11)

4 Rights of the Data Subject

(13% - 2 hours of coursework)

  4.1 Lawfulness of processing

    The objective is to ensure the candidate is able to identify the rights granted to individuals (Articles 12–22). Specifically, the candidate will be required to explain data subject rights in relation to:

    4.1.1 Confirmation of processing
    4.1.2 Being informed (transparency), including of further processing compatibility (Article 13 and Article 14)
    4.1.3 Access to personal data (Article 15)
    4.1.4 Rectification (Article 16)
    4.1.5 Erasure (Right to be forgotten) (Article 17)
    4.1.6 Restriction of processing (Article 18)
    4.1.7 Obligation to notify the rectification, erasure or restriction to recipients and the data subject (Article 19)
    4.1.8 Portability (Article 20)
    4.1.9 Objection and rights in relation to direct marketing (Article 21)
    4.1.10 Automated individual decision making and profiling (Article 22)
    4.1.11 Lodging a complaint (Article 77)
    4.1.12 Effective judicial remedy (Article 78 and 79)
    4.1.13 Compensation (Article 82)

  4.2 Restriction on Data Subject Rights

    The candidate is not expected to have a detailed knowledge of restrictions on data subject’s rights (Article 23) but will be expected to identify restrictions that may affect data subject rights of access (Article 15), to include:

    4.2.1 Protection of the rights of others
    4.2.2 Crime and taxation
    4.2.3 Prevention or detection of crime:
      - Apprehension or prosecution of offenders, self-incrimination
      - Processing (e.g. disclosures) likely to prejudice crime and taxation
      - Assessment or collection of a tax, duty or similar imposition
      - Border control
      -
      - Disclosures prohibited by law
      - National Security
    4.2.4 Processing in connection with legal proceedings, seeking legal advice or exercising or defending legal rights and legal professional privilege
    4.2.5 Processing likely to prejudice the discharge of statutory functions designed to protect the public (e.g. regulatory functions, ministers of the Crown)
    4.2.6 Corporate finance
    4.2.7 Courts and judiciary
    4.2.8 Management forecasts
    4.2.9 Negotiations with the data subject
    4.2.10 Confidential references
    4.2.11 Health, social work, education:
      - Child abuse data
      - Education data, exam scripts and marks
    4.2.12 Research and statistics
    4.2.13 Archiving in the public interest

5 Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003

(6% - 1 hour of coursework)

The objective is to ensure the candidate can identify the relationship between the PECR and the GDPR, including the PECR’s:

  5.1 Objective and broad scope (email, phone, SMS, automated calls, robocalls)
  5.2 Provisions relating to electronic marketing communications
  5.3 ICO Guidance on Direct Marketing and Direct Marketing Commission Code:
    - DMA telephone preference services
  5.4 ICO services to the public – Reporting complaints and concerns

6 Data controller and data processor obligations

(19% - 3 hours of coursework)

The objective is to ensure that the candidate can identify the following controller and processor obligations:

  6.1 Accountability and data governance (Article 5 (2))
  6.2 Controller obligations (Article 24)
  6.3 Data protection by design and by default (Article 25)
  6.4 Joint controllers (Article 26)
  6.5 Processor obligations (Article 28)
  6.6 Processing under the authority of a Controller or Processor (Article 29)
  6.7 Records of processing activities (Article 30)
  6.8 Co-operation with the ICO (Article 31)
  6.9 Information security (Article 32)
  6.10 Data breach notification obligations (Articles 33 and 34) to the:
    - ICO
    - Data Subject
  6.11 Data protection impact assessment (Article 35)
  6.12 Consultation with the ICO on high-risk processing (Article 36)
  6.13 Data Protection Officer appointment, competency and independence (Article 37 to 39)

7 Enforcement

(3% - 0.5 hours of coursework)

  7.1 Information notices and assessments
  7.2 Undertakings
  7.3 Enforcement notices
  7.4 Monetary penalty notices (Article 83 and 84)
  7.5 Data protection audits by the supervisory authority
  7.6 Offences

  NB Candidates will need to understand where enforcement powers apply under the GDPR and be aware of potential changes as the Data Protection Bill is enacted.

8 Codes of Conduct and Best Practice Standards

(9% - 1.5 hours of coursework)

The candidate will be expected to be aware of the existence of published Codes of Conduct and official guidelines published by the ICO, the importance of using them and the existence of recognised standards that support data protection laws in the UK, including BS10012:2017. The candidate will be expected to recall what Codes of Conduct are available and the value of using them, but is not expected to know the detailed content. Specifically, the candidate will need to be able to identify:

  8.1 The status and use of Codes of Conduct
  8.2 Published codes in the following key areas:
    - Privacy notices
    - Subject access
    - Employment practices
    - CCTV
    - Data protection impact assessment
    - Business sector codes
    - Proposed codes of practice (Data Sharing Code and Direct Marketing Code)
    - Useful standards


Duration and Format of the Examination

The BCS Foundation Certificate in Data Protection exam format is a one-hour multiple-choice examination. The exam is closed book, i.e. no materials can be taken into the examination room.

The BCS Examination for the Foundation Certificate in Data Protection is held on the last afternoon of the accredited training course.

Pass Mark

The pass mark is 26/40. This equates to 65%.

Format of the Examination

Type: Multiple-choice, 40 Questions (1 mark each)
Duration: 1 Hour. An additional 15 minutes will be allowed for candidates sitting the examination in a language that is not their native language
Supervised: Yes
Open Book: No
Pass Mark: 26/40 (65%)
Distinction Mark: None
Calculators: No, calculators cannot be used during this examination
Delivery: Paper based examination

Additional time for candidates requiring Reasonable Adjustments

Candidates may request additional time if they require reasonable adjustments. Please refer to the reasonable adjustments policy for detailed information on how and when to apply.

Additional time for candidates whose language is not the language of the exam

An additional 25% (15 minutes) will be allowed for candidates sitting the examination in a language that is not their mother tongue. If the examination is taken in a language that is not the candidate’s native/official language, then they are entitled to use their own paper language dictionary (whose purpose is translation between the examination language and another national language) during the examination. Electronic versions of dictionaries will not be allowed into the examination room.

Course Cost

Get this BCS Foundation Certificate in Data Protection for:

  • Receive a 15% online discount for multiple bookings onto public courses
  • If you have a team of 4 or more, we can deliver the training at your location - ask about an onsite course

Package includes:

  • 3-day BCS Accredited GDPR Training Course
  • Entrance to the 1-hour, multiple-choice BCS Examination held at the end of the course

Courseware: a complete foundation level GDPR manual

  • Detailed 132-page training manual comes in an A4 bound folder + an editable electronic version
  • Includes free lifetime updates (electronic version), which means it will never go out of date
  • Copy of the General Data Protection Regulation & Data Protection Act 2018
  • Electronic copy of the full course PowerPoint
  • Exercises & Revision materials
  • Sample exam questions

You will also receive access to our free professional advisory service, potentially reducing the need for legal advice or consultation fees by supplying the right advice when you need it most.



Course dates

Code: FC-DP
Course: BCS Foundation Certificate in Data Protection
Start: 7 Sep 20
Duration: 5 X 3.5hr Sessions
Location: Online


Freevacy work hard to secure our IT systems and your data against cyber attack. We have been awarded Cyber Essentials certification by The National Cyber Security Centre, part of GCHQ and have signed up to the ICO's "Your Data Matters" campaign.