Already BCS Certified? Accelerate your professional
development with this fast-track BCS GDPR Update

About this Course

The new GDPR Update Practitioner Certificate from the BCS was introduced to enable legacy holders of the BCS Practitioner Certificate in Data Protection a direct path to refresh their qualification. This add-on certificate is available to any current holder who passed the practitioner level data protection BCS exam before 31 January 2018.

What's included

  • Pre-course
    reading
  • Day
    course
  • Classroom
    training
  • +40 hours
    self-study
  • 1 hour BCS
    examination

Course Overview

The BCS GDPR Update Practitioner Certificate in Data Protection provides a comprehensive revision of UK and EU privacy laws for existing BCS Practitioner Certificate holders who are looking to advance their knowledge of the GDPR.

Building on an existing base, this accredited course examines the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 along with the changes that they will bring in the processing of personal data. The course asks participants to compare, evaluate, and understand the concepts of the GDPR. In doing so, the aim is to equip attendees with the skills required to develop, implement and maintain a relevant sector-specific GDPR compliance programme.

Delivered over 3-days, this BCS GDPR Update Practitioner Certificate in Data Protection follows the latest BCS Syllabus (v1.3) and prepares participants for the separate 1-hour multiple-choice BCS Examination. The exam consists of 2-parts made up of 15-multiple choice questions, and 6-short answer written questions. The pass mark is 65%.

Itinerary

Itinerary

The BCS GDPR Update Practitioner Certificate in Data Protection is conducted over 3 consecutive days.

The following schedule is intended as a guide:

Day 1 9:00 Course administration & Exam details
9:30 A new era in data protection - Introduction
10:00 Morning refreshments
10:15 General Provisions - Definitions 
11:15 Group Discussion
12:00 Lunch
12:30 Principle 1 – Articles 6 - 11
14:30 Afternoon tea
14:45 Principles 2, 3, 4, 5, 6
15:30 Group Discussion
16:00 1 Hr exercise
Homework  
Day 2 9:00 Recap – any questions
9:30 Rights of the Data Subject
10:30 Morning refreshments
10:45 Rights of the Data Subject
12:30 Lunch
13:00 Group Discussion
13:00 1 Hr exercise
14:00 Afternoon Tea
14:30 Transfers of personal data to 3rd countries
15:45 Restrictions of the Rights of the Data Subject
16:15 Controller & Processor Responsibilities
Homework  
Day 3 9:00 Recap – any questions
9:30 Data Protection Officer, Codes of Conduct & Certification
10:45 Morning refreshments
11:00 ICO, Remedies, Liabilities, penalties
12:30 Lunch
13:00 Group Discussion
13:45 Exercise
14:30 Afternoon tea
14:45 Exercise

Who should attend?

This course is intended for Data Protection Officers and other compliance professionals who have already obtained the BCS Practitioner Certificate in Data Protection prior to the 31st January 2018.

You should attend if it is vital to possess an understanding of the GDPR to do your job or where your effectiveness in your role would be enhanced by being able to apply the new requirements practically.

By obtaining the GDPR Update Practitioner Certificate in Data Protection, individuals will:

  • Hold an up to date recognised qualification in data protection
  • Gain an understanding of the key changes and associated implications that the GDPR introduces for their organisations
  • Be prepared for the UK adoption of the GDPR with the enactment of the Data Protection Act 2018
  • Gain an understanding of the practical application of the new requirements of the GDPR and Data Protection Act 2018 associated with the role of the data protection officer (DPO), restrictions of data subject rights, data protection by design and by default and data breach notifications.
  • For comparison purposes, this course aligns with the vocational qualification QCF Level 4.

BCS Syllabus

BCS Syllabus GDPR Update Practitioner Certificate in Data Protection (GDPR-PC)
Extracted from syllabus version 1.3
November 2017

This professional certification is not regulated by the following United Kingdom Regulators - Ofqual, Qualification in Wales, CCEA or SQA.

1. General Data Protection Regulation (GDPR) background

(5% - .05 hours of coursework)

The candidate will be expected to define the wider scope and jurisdiction of the GDPR, its relationship to the UK Data Protection Bill 2017 (DPB) and other overlapping new or emerging legislation including the following:

  1. 1.1 Wider scope of the GDPR – EU Directive 2016/679

  2. 1.2 Main establishment and when EU representation is needed

  3. 1.3 Cooperation between supervisory authorities (concept of the one-stop shop)

  4. 1.4 UK Data Protection Bill 2017 (implementing the GDPR in the UK) structure and status

  5. 1.5 EU Directive 2016/680 The Law Enforcement Directive (LED)

  6. 1.6 The Digital Economy Act 2017

  7. 1.7 The Directive on Security of Network and Information Systems (NIS Directive) ((EU) 2016/1148)

  8. 1.8 Telecommunications Directive 97/66/EC, Privacy and Electronic Communications Directive 20002/58/EC, and anticipated revisions (ePrivacy Regulation 2017/0003 (COD)

  9. NB The candidate will be expected to summarise the above legal instruments and how they relate to or influence the requirements of the GDPR. Candidates are not expected to have a detailed knowledge of their provisions.

2 GDPR definitions and terminology

(5% - 0.5 hours of coursework)

The objective is to ensure that the candidate is able to distinguish the important definitions in the GDPR where the terminology is new or differs from previous data protection legislation, including:

  1. 2.1 Special category personal data

  2. 2.2 Main establishment

  3. 2.3 Data minimisation

  4. 2.4 Data Protection Officer

  5. 2.5 Data Protection Impact Assessment

  6. 2.6 Codes of Conduct (Codes of Practice in DPB)

  7. 2.7 Transparency

  8. 2.8 Profiling

  11. 2.11 Competent authority in relation to the LED

3. The data protection principles

(5% - .05 hours of coursework)

The objective is to ensure that the candidate can identify how the enhancements to the data protection principles established in the GDPR (Article 5) differ from the UK Data Protection Act 1998 principles, i.e. the 6 principles detailed within Article 5(1) and the accountability requirement from Article 5(2). The candidate will be expected to explain the importance of data processing, specifically:

  1. 3.1 Transparency requirements in relation to being ‘fair and lawful’

  2. 3.2 Explicit and compatible in relation to ‘specified purposes’

  3. 3.3 Limited to what is ‘accurate and relevant’

  4. 3.4 Pseudonymisation in relation to ‘retention’

  5. NB The candidate will also be expected to also explain the importance of data controllers and processors being accountable for compliance with data processing principles.

4. Special categories of personal data

(5% - .05 hours of coursework)

The objective is to ensure that the candidate recognises that the GDPR introduces new special categories of personal data and separates the processing of personal data relating to criminal convictions and alleged criminal offences, specifically:

  1. 4.1 Genetic and biometric data

  2. 4.2 Processing personal information relating to crime as a ‘competent authority’

  3. 4.3 Processing criminal records and alleged offences information in the employment context

5 Lawfulness of processing

(14% - 1.5 hours of coursework)

The objective is to ensure that the candidate can identify the lawful conditions (grounds) that must be satisfied in order to legitimise the processing of personal data including:

  1. 5.1 Conditions for consent (Article 7, Recitals 32, 42, 43)

  2. 5.2 Consent of a child in relation to information society services (Article 8)

  3. 5.3 Special categories of personal data (Article 9 and 10)

  4. 5.4 Obligations of professional secrecy

  5. 5.5 Processing that does not require identification (Article 11)

6 Data Subject Rights

(14% - 1.5 hours of coursework)

The objective is to ensure the candidate is able to identify data subject rights granted under the GDPR, how they relate to the fundamental data processing principles and how they are applied in practice:

  1. 6.1 Confirmation of processing (Article 12)

  2. 6.2 Right to be informed (transparency), including of further processing (Article 12, 13 and 14)

  3. 6.3 Right of access to personal data (Article 15), including timescales

  4. 6.4 Right to rectification (Article 16)

  5. 6.5 Right to erasure (to be forgotten) (Article 17)

  6. 6.6 Right to restriction of processing (Article 18)

  7. 6.7 Obligation to notify the rectification, erasure or restriction to recipients and the data subject (Article 19)

  8. 6.8 Right to portability (Article 20)

  9. 6.9 Right to object and rights in relation to direct marketing (Article 21)

  10. - Consent rules and the proposed alignment of Privacy In Electronic Communications Regulations (PECR)

  11. 6.10 Rights in relation to automated decision making and profiling (Article 22)

  12. 6.11 Right to lodge a complaint (Article 77)

  13. 6.12 Right to effective judicial remedy (Article 78 and 79)

  14. 6.13 Right to compensation including non-material damage (Article 82)

7 Data controller and data processor obligations

(9% - 1 hour of coursework)

The candidate will be required to identify the obligations that are placed upon data controllers and processors under the GDPR, including:

  1. 7.1 General obligations of a controller and processor (Article 5(2))

  2. 7.2 Data controller/data processor and joint controller relationships (Article 5(2))

  3. 7.3 Accountability and governance (Article 5(2))

  4. 7.4 Controller specific obligations (Article 24)

  5. - Joint controller obligations (Article 26)

  6. - Data protection by design and by default (Article 25)

  7. 7.5 Processor specific obligations (Article 28)

  8. - Records of processing activities (Article 30)

  9. 7.6 Information security (Article 32)

  10. 7.7 Data breach notification (Articles 33 and 34)

  11. - To the Supervisory Authority including when to notify to the data subject

  12. - Overlap with the NIS Directive in relation to breach reporting

  13. 7.8 Data protection impact assessment (Article 35)

  14. 7.9 Co-operation with the Supervisory Authority (Article 31) and consultation on high-risk processing (Article 36)

  15. 7.10 Data Protection Officer appointment (Article 37 to 39)

  16. 7.11 Status and use of Codes of Conduct (Article 40)

8 Transfers of personal data

(5% - 0.5 hours of coursework)

The candidate will be required to identify the:

  1. 8.1 General principles for transfers

  2. 8.2 Transfers on the basis of an adequacy decision by the EU, including Privacy Shield

  3. 8.3 Transfers subject to appropriate safeguards

  4. - Contract clauses

  5. - Binding Corporate Rules

  6. 8.4 Exemptions for specific situations

9 Powers of the Supervisory Authority (ICO)

(5% - 0.5 hours of coursework)

The objective is to ensure the candidate can define the Supervisory Authority’s powers to:

  1. 9.1 Impose monetary penalties

  2. 9.2 Issue enforcement notices

  3. 9.3 Require controllers or processors to provide information

10 Data controller and data processor obligations

(33% - 4 hours of coursework)

The objective is to ensure that the Practitioner level candidates understand the practical application of the new requirements of the GDPR and the Data Protection Bill where it varies from the GDPR. Specifically, the candidate will be expected to be able to apply the following requirements to a range of scenarios:

  1. 10.1 The role of the Data Protection Officer (DPO)

  2. 10.2 Restrictions of data subject rights

  3. 10.3 Data protection by design and by default

    1. - How to perform a data protection impact assessment (DPIA)

  4. - Implications for information technology teams

  5. - Evaluation and management of third party contracts (Article 29)

  6. 10.4 Personal data breach notifications

  7. NB To assist the candidate, the workshop will include a range of practical exercises with classroom feedback.

View the full BCS GDPR Update Practitioner Certificate in Data Protection Syllabus on the BCS Website.

Exam

Eligibility

This is a practitioner level qualification, and candidates will need to hold the BCS Practitioner Certificate in Data Protection to be eligible to take the examination. It is strongly recommended that candidates complete an accredited training course, but this is not mandatory.

Duration and Format of the BCS Examination

The BCS GDPR Update Practitioner Certificate in Data Protection Exam is a one-hour closed-book examination comprising two sections. The format is as follows with a balance of questions across the syllabus.

Section A:

 15 multiple choice questions (2 marks each)

Section B:

 6 short answer questions (5 marks each)

The examination is held independently of the accredited course.

Pass Mark

The pass mark is 39/60. This equates to 65%

Distinction

None

Format of the Examination

Type

 Section A: 15 Multiple Choice Questions (2 marks each)
Section B: 6 Short Answer Questions (5 marks each)
Duration 1 hour. Candidates will be entitled to an additional 15 minutes if they are sitting the examination in a language that is not their native language.
Pre-requisites Candidates must hold the BCS Practitioner Certificate in Data Protection Accredited training is strongly recommended but is not a prerequisite
Supervised Yes
Open Book No
Pass Mark 39/60 (65 %)
Distinction Mark None
Calculators Calculators cannot be used during this examination
Learning Hours 8 hours of classroom tuition and 4 hours of practical exercises and classroom discussion
Delivery Paper based examination only

Additional time for candidates requiring Reasonable Adjustments

Candidates may request additional time if they require reasonable adjustments. Please refer to the reasonable adjustments policy for detailed information on how and when to apply.

Additional time for candidates whose language is not the language of the exam

An additional 25% (15 minutes) will be allowed for candidates sitting the examination in a language that is not their mother tongue. If the examination is taken in a language that is not the candidate’s native/official language, then they are entitled to use their own paper language dictionary (whose purpose is translation between the examination language and another national language) during the examination. Electronic versions of dictionaries will not be allowed into the examination room.

The full BCS PC-DP Syllabus can be viewed here syllabus on the BCS website.

Course Cost

Get this BCS GDPR Update Practitioner Certificate in Data Protection for:

£990+VAT
  • Receive a 15% online discount for multiple bookings onto public courses
  • If you have a team of 4 or more, we can deliver the training at your location - ask about an onsite course
Package includes:
  • 3-day BCS Accredited GDPR Training Course
  • Entrance to the separate 1-hour, 2-part BCS Examination
  • Sit BCS Exam at Freevacy training facility or at any Pearson Vue Professional Exam Centre
Courseware: the only GDPR manual you will ever need
  • 75-page training manual comes in an A4 bound folder + an editable electronic version
  • Plus our comprehensive 191-page GDPR Practitioner Certificate in Data Protection manual (electronic version)
  • Includes free lifetime updates (electronic version), which means it will never go out of date
  • Copy of the General Data Protection Regulation & Data Protection Act 2018
  • Electronic copy of the full course PowerPoint
  • Remote learning exercises, Revision materials & Mock examination

You will also receive access to our free professional advisory service, potentially reducing the need for legal advice or consultation fees by supplying the right advice when you need it most.

10%off

View our privacy information

Course dates

Sorry, there are currently no forthcoming dates for this course. Please contact us for further information.

Freevacy work hard to secure our IT systems and your data against cyber attack. We have been awarded Cyber Essentials certification by The National Cyber Security Centre, part of GCHQ and have signed up to the ICO's "Your Data Matters" campaign.