About the BCS Practitioner Certificate in Data Protection

First launched in 1999, the BCS (formerly ISEB) practitioner certificate is the leading independent professional workplace qualification for individuals with privacy or data protection responsibilities. Over the years, the BCS has shown a continued commitment to evolving the practitioner certificate. In doing so, it has become the most trusted certificated data protection training programme in the UK and is often listed by employers as a required qualification. As we usher in a new era in privacy law, the BCS has kept pace with the advances in EU and UK legislation to ensure the Practitioner Certificate in Data Protection will continue to serve as the benchmark for many years to come. The current version of the BCS Syllabus (v8.5) has recently been updated to cover the General Data Protection Regulation (GDPR), which is set to come into force on 25 May 2018.

What's included

  • Public
  • Onsite class available
  • Intermediate
  • Pre-course reading
  • Day
  • Classroom training
  • +40 hours revision
  • Exam preparation
  • 2 hour BCS examination

Course Overview

The BCS Practitioner Certificate in Data Protection confirms the ability of award holders to fulfil the mandatory appointed role of a Data Protection Officer (DPO) or to lead GDPR compliance within their organisation, department or group.

This BCS accredited GDPR training course requires participants develop a deep understanding of both EU and UK data protection laws and how to apply them in a workplace environment. Rather than focus on the rigid mechanics of regulation, the course places privacy in the context of human rights and promotes good practice within organisations.

The course concentrates on the incoming EU General Data Protection Regulation (GDPR) with its 10 chapters, 99 articles, and 173 recitals. It examines the complexity of the interactions between the GDPR and the UK Data Protection Act 2018 including its derogations and exemptions. The course also looks at the new EU ePrivacy Regulation, which is set to repeal the Privacy and Electronic Communications Regulations (PECR).

Delivered over 5-days the course follows the latest BCS Syllabus (v8.5). Participants will also receive a separate 1-day online revision course to help prepare for the BCS Practitioner Certificate in Data Protection Exam. The BCS exam is a 2-hour separate event. It consists of 3-parts made up of 20 simple multiple choice questions, 20 complex multiple choice questions, and 12 short answer written questions. The pass mark is 65% with 80% for a distinction.

Who should attend

This course is intended for:

  • Data Protection Officers 
  • Information Governance (IG), Information Assurance (IA) and other compliance professionals (all grades)
  • Freedom of Information managers
  • Solicitors advising on information law
  • Head of risk, Senior Information Risk Officers (SIRO)
  • IT security managers, Chief Information Security Officers (CISO) 
  • IT/IS managers
  • Human resources managers
  • Head of marketing, Chief Marketing Officers (CMO)
  • Company directors of businesses that handle high volumes of personal information

By obtaining the Practitioner Certificate, individuals will:

  • Hold a recognised practitioner level qualification in GDPR
  • Gain an in-depth understanding of the key changes that the GDPR and the UK Data Protection Act 2018 introduce to data protection
  • Understand the individual and organisational responsibilities, particularly the need for effective record keeping
  • Be able to apply the new rights available to data subjects and understand the implications of those rights
  • Become a champion for the existence of the Data Protection Officer role
  • Be capable of performing the tasks a Data Protection Officer is expected to undertake
  • Possess the knowledge to conduct Privacy Impact Assessments
  • Know how to adopt a Data Protection by Design/Default approach when implementing new processing systems
  • Understand the legal mechanisms available that facilitate and enable the transfer of personal data outside of the EU
  • Be able to prepare an organisation to achieve and maintain compliance with the GDPR and the UK Data Protection Act 2018

The BCS Practitioner Certificate in Data Protection aligns with the vocational qualification QCF Level 4. Note, this link is advisory and for comparison purposes only. Ofqual does not regulate BCS qualifications.

Get this BCS Practitioner Certificate in Data Protection for:

  • Receive a 15% online discount for multiple bookings onto public courses
  • If you have a team of 4 or more, we can deliver the training at your location - ask about an onsite course
Package includes:
  • 5-day BCS Accredited GDPR Training Course
  • 1-Day Exam Preparation Online Training Course
  • Entrance to the separate 2-hour, 3-part BCS Examination
Courseware: the only GDPR manual you will ever need
  • Comprehensive 191-page training manual comes in an A4 bound folder + an editable electronic version
  • Includes free lifetime updates (electronic version), which means it will never go out of date
  • Copy of the General Data Protection Regulation & Data Protection Act 2018
  • Electronic copy of the full course PowerPoint
  • Exercises & Revision materials
  • Prep day course materials with sample exam questions

You will also receive access to our free professional advisory service, potentially reducing the need for legal advice or consultation fees by supplying the right advice when you need it most




The BCS Practitioner Certificate in Data Protection is a GDPR training course conducted over 5 consecutive days.

The following schedule is intended as a guide:

Day 1 9:00 Introductions, Course Objectives + BCS Exam details & techniques
9:30 Multiple-choice questions based on pre-course reading
10:00 Privacy, History & Associated legislation
10:15 Morning refreshments
10:30 Privacy, History & Associated legislation cont.
11:45 Moving into a new era of data protection
12:00 Data Protection / GDPR - Definitions
12:45 Lunch
13:00 Data Protection / GDPR - Definitions cont.
14:30 Afternoon tea
14:45 Data Protection Principles - GDPR - Lawful Processing
Homework Prepare questions for Q&A
Day 2 8:45 Review and questions
9:10 Principles - GDPR - Special Processing
10:30 Morning refreshments
10:45 Principles - GDPR - cont.
12:30 Lunch
13:00 Rights of the Data Subject
14:30 Afternoon tea
14:45 Rights of the Data Subject cont.
Homework Prepare questions for Q&A
Day 3 8:45 Review and questions
9:10 Rights of the Data Subject cont.
9:45 Transfers to third countries
10:30 Morning refreshments
10:45 Transfers to third countries cont.
11:30 Registration
12:30 Lunch
13:00 Exemptions - National Derogations
14:15 Afternoon tea
14:30 Exemptions - National Derogations cont.
Homework Prepare for recap exercises
Day 4 8:45 Review and questions
9:10 Controller and Processor - Data Protection by Design/Default
10:30 Morning refreshments
10:45 Controller and Processor - Security/Data Protection Impact Assessments
11:30 Data Protection Officer
12:30 Lunch
13:00 Supervisory Authority - ICO and EDPB
14:30 Afternoon tea
14:45 Enforcement - Liabilities and Penalties
Homework Prepare questions for Q&A
Day 5 8:45 Ask your questions
9:10 Remedies, Liabilities and Penalties
9:30 Appeals - Tribunal - Offences
10:30 Morning refreshments
10:45 Offences
11:15 e-Privacy / Privacy & Electronic Communications Regulations
12:15 Lunch
12:45 e-Privacy / Privacy & Electronic Communications Regulations cont.
13:30 Data Protection Law Enforcement Directive (DPLED)
14:15 Intelligence Services

BCS Syllabus

Practitioner Certificate in Data Protection (PC-DP)
Extracted from syllabus version 8.5
December 2017

This professional certification is not regulated by the following United Kingdom Regulators - Ofqual, Qualification in Wales, CCEA or SQA.

  1. 1 Context (5% - 2 hours of course work)

    The objective is to ensure the candidate can summarise the evolution of data protection law in the UK and the relationship with the EU General Data Protection Regulation GDPR. The syllabus reflects the legal provisions of the new UK Data Protection Bill 2017 which (once debated and approved by Parliament) is due to be enacted in 2018 as well as reflecting the role of the Information Commissioner’s Office (ICO), the UK’s Supervisory Authority.

    1. 1.1 What is privacy?

      The candidate will be expected to demonstrate an understanding of an individual’s right to private and family life and will be able to explain the relevance of confidentiality and respect for home and family life and correspondence.

    2. 1.2 History of data protection legislation in the UK

      The candidate will be expected to describe the history of data protection in relation to the European Convention for the Protection of Human Rights and Fundamental Freedoms and will be able to explain the rights to freedom of expression, to include:

      1. 1.2.1

        European Convention on Human Rights and Fundamental Freedoms (ECHR), Article 8 – Respect for privacy and family life

      2. 1.2.2

        Council of Europe Convention 108, 1981, its implementation by the Data Protection Act 1984, and updating of Convention 108

      3. 1.2.3

        OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 2013

      4. 1.2.4

        Data Protection Directive 95/46/EC

      5. 1.2.5

        Human Rights Act 1998

      6. 1.2.6

        Data Protection Act 1998

      7. 1.2.7

        Telecommunications Directive 97/66/EC, Privacy and Electronic Communications and any revisions (ePrivacy Regulation 2017/0003 (COD)

      8. 1.2.8

        Directive 20002/58/EC, and subsequent revisions of the latter

      9. 1.2.9

        The need for the General Data Protection Regulation 2016/679

      10. 1.2.10

        UK Data Protection Bill 2017 (implementing the GDPR in the UK)

      11. 1.2.11

        EU Directive 2016/680 The Law Enforcement Directive (LED)

      12. 1.2.12

        UK’s Freedom of Information Act and Freedom of Information (Scotland Act) and the ability to access any recorded personal information held by a public body)

      13. NB

        Candidates are not expected to have a detailed knowledge of the content of the above, or the chronological order but should be able to explain the relationship between them and how data protection rights have evolved as a result.

    3. 1.3 Territorial scope and jurisdiction of the GDPR

      The candidate will need to be able to describe how the wider scope of the GDPR impacts the processing of personal data by global organisations, including those who may not have a business (legal entity) established within the EU.

      1. -

        The concept of the main establishment and the implications for global organisations, including the enterprise and group of undertakings (concept of one-stop shop)

      2. -

        Co-operation between supervisory data protection authorities

      3. -

        When a representative of the data controller is needed

      4. 1.3.1 General principles for transfers of personal data to third countries

        The candidate will be required to describe the measures required under the GDPR to safeguard the rights and freedoms of individuals when personal data is transferred outside of the EU.

      5. -

        General principles for transfers

      6. -

        Transfers on the basis of an adequacy decision by the EU

      7. -

        Transfers subject to appropriate safeguards

      8. -

        Binding Corporate Rules

      9. -

        Derogations for specific situations

  2. 2 GDPR and Data Protection Bill definitions and terminology (1.5 hours, 3.75%)

    The objective is to ensure that the candidate is able to interpret the major definitions in the GDPR and the Data Protection Bill. The candidate should also be able to explain these definitions and identify what information and processing activities are subject to the GDPR. The major definitions to be included are as follows:

    1. 2.1 Personal data

    2. 2.2 Special category personal data and criminal records

    3. 2.3 Processing

    4. 2.4 Data controller, joint data controllers

    5. 2.5 Data processor

    6. 2.6 Public authority, Scottish public authority and public body, (including Crown and Parliament)

    7. 2.7 Manual unstructured data held by a FOIA/FOISA public authority

    8. 2.8 Filing system

    9. 2.9 Recipient

    10. 2.10 Third party

    11. 2.11 Profiling

    12. 2.12 Pseudonymisation

    13. 2.13 Consent

    14. 2.14 Child’s consent in relation to information society services

    15. 2.15 Personal data breach

    16. 2.16 Derogations and recitals

    17. 2.17 Purely personal or household purposes

    18. 2.18 The special purposes

    The candidate will also be able to describe why the special purposes set out in the Data Protection Bill (Schedule 2, Part 5) provide for an appropriate balance between freedom of expression and privacy.

  3. 3 Structure of the UK Data Protection Bill in relation to the GDPR (0.5 hours,1.25%, K2)

    Specifically, the candidate will be expected to understand and explain the high-level structure of the Data Protection Bill (to be enacted as the revised UK Data Protection Act), to include:

    1. 3.1 The Data Protection Bill structure

    2. 3.2 Part 1 – Preliminary Overview and Terminology

    3. 3.3 Part 2 – General Processing

    4. 3.4 Part 2, Chapter 1 – Scope and Definitions

    5. 3.5 Part 2, Chapter 2 – The GDPR

    6. 3.6 Part 2, Chapter 3 – Other General Process

    7. 3.7 Part 3, Law Enforcement Processing

    8. 3.8 Part 4, Intelligence Services Processing

    9. 3.9 Part 5, The Information Commissioner

    10. 3.10 Part 6, Enforcement

    11. 3.11 Part 7, Supplementary Provisions

    12. 3.12 Schedules 1 to 18

    The candidate will be required to identify where the GDPR will be adopted within that structure and demonstrate the importance of Part 2, Chapters 1 to 3. The candidate is not required to know the detailed content of any Part, Chapter or Schedule until enacted.

  4. 4 The role of the ICO as the UK Supervisory Authority (0.5 hours, 1.25%)

    The objective is to ensure the candidate can describe the role and general powers and obligations of the UK Information Commissioner’s Office (ICO) as the UK Supervisory Authority, including co-operation between Supervisory Authorities, the role of the European Data Protection Board (EDPB). This will include:

    1. 4.1 Monitoring and enforcement

    2. 4.2 Promotion of public awareness and understanding

    3. 4.3 Promotion of awareness to controllers and processors of their obligations Promotion or production of Codes of Practice

    4. 4.4 Promotion of approved privacy seals, certification schemes and availability of commonly used standards (including BS 10012:2017)

    5. 4.5 Providing information to data subjects on the exercise of their rights and cooperate with the LED and another supervisory authority to provide such information

    6. 4.6 Co-operation with the LED and other data protection Supervisory Authorities including provision of mutual assistance

    7. 4.7 Conducting investigations on the application of the GDPR and LED on behalf of a supervisory authority from another state

    8. 4.8 Monitoring developments in relation to information and communications technologies and contribute to the activities of the EDPB

    9. 4.9 Advice and reporting to Parliament, the UK Government and other bodies Dispute resolution between Supervisory Authorities by the EDPB

  5. 5 Enforcement (including roles of the first-tier tribunal and the courts) (0.5 hours, 1.25%)

    The candidate will be expected to describe the following supervisory functions and powers:

    1. 5.1 Requests for assessments, Assessment Notices and carrying out assessments

    2. 5.2 When the ICO can issue an information notice

    3. 5.3 How the ICO uses ‘undertakings’

    4. 5.4 When the ICO can issue an Enforcement notice

    5. 5.5 When and who can prosecute offences under the DPA

    6. 5.6 When the ICO can serve a monetary penalty

    7. 5.7 The role of appeals and tribunals

  6. 6 Notification and record keeping obligations (0.5 hours, 1.25%)

    Specifically, the candidate will need to be able to explain why notification to the Commissioner will remain under the current scheme until May 2018, when it will be replaced. To include:

    1. 6.1 Notification under the Data Protection Act 1998

    2. 6.2 Exemptions from notification under the Data Protection Act 1998

    3. 6.3 The impact of the Data Protection Bill repeal of Section 108 of the Digital Economy Act 2017

    4. 6.4 The UK notification scheme replacement

    5. 6.5 Record keeping requirements of controllers and processors (Article 30)

    6. 6.6 Record keeping with respect to the Accountability Principle

  7. 7 The data protection principles (4 hours, 10%)

    The objective is to ensure the candidate understands and can demonstrate how the six GDPR principles set out in Article 5(1) regulate the processing of personal data and how they are enforced. The candidate will also be expected to understand data controller and data processor accountability established in Article 5(2). Equally, the candidate will be expected to know how each principle applies to the processing of personal data. The candidate will be required to demonstrate an understanding of the need to interpret and apply the principles in practice including:

    1. 7.1 The application of the right to be informed (transparency) and assessment of compatibility of further processing as part of Principle 1 of the GDPR

    2. 7.2 The link to GDPR Article 6 (4)(c) and in the case of special category personal data the link to Article 9 and 10

    3. 7.3 The practical requirements that are a consequence of compliance with each Principle in Article 5 (1)

    4. 7.4 The obligations to demonstrate the accountability principle established in Article 5 (2)

  8. 8 Lawfulness of processing – how to comply (4 hours, 10%)

    Specifically, the candidate will be required to select and apply the lawful conditions (grounds) that must be satisfied in order to legitimise the processing of personal data including:

    1. 8.1 Consideration of the GDPR’s Article 6 grounds for processing personal data and Article 9 grounds for processing special categories of personal data

    2. 8.2 Conditions for consent (transparency, communication and modalities; recitals 32, 42 and 43 are included)

    3. 8.3 Information to be provided where personal data is obtained from the data subject

    4. 8.4 Information to be provided where personal data has not been obtained from the data subject

    5. 8.5 Consent in the context of a child’s personal data, specifically in relation to information society services (to include children in Scotland)

    6. 8.6 Data minimisation and pseudonymisation (role in Data Protection by design)

    7. 8.7 Processing:

    8. - Relating to criminal convictions and offences

    9. - Which does not require identification

    10. - Using national identifiers

    11. - In the context of employment

    12. - Processing by a controller bound by legal, professional or other binding obligation of secrecy (common law duty of confidentiality)

    13. - Note: Reference the expectation of privacy by a data subject in relation to further processing (Recital 50)

    14. - For the purpose of archiving in the public interest, scientific or historical research or statistical purposes

  9. 9 Individual rights (3 hours, 7.5%)

    The candidate will be expected to demonstrate how rights and freedoms of data subjects conferred by the Data Protection Bill can be applied and enforced. Specifically, the candidate will need to be able to apply data subject rights in relation to:

    1. 9.1 Confirmation of processing

    2. 9.2 The right to be informed (transparency, compatibility of further processing and modalities)

    3. 9.3 Access to personal data including:

    4. - Unstructured data held by a FOI/FOISA public authority controller

    5. - The process to deal with a request

    6. - Timescales

    7. 9.4 Protecting the rights of another (third party individual)

    8. 9.5 Rectification

    9. 9.6 Erasure (and the right to be forgotten including the provisions that relate to children)

    10. 9.7 Restriction of processing

    11. 9.8 Obligation to notify the rectification, erasure or restriction to recipients and the data subject

    12. 9.9 Portability

    13. 9.10 Objection and rights in relation to direct marketing

    14. 9.11 Automated individual decision making and profiling

    15. 9.12 Lodging a complaint

    16. 9.13 Effective judicial remedy

    17. 9.14 Compensation

  10. 10 Restriction on data subject rights (3 hours, 7.5%)

    The objective is to ensure the candidate can describe and apply the exemptions from data subject rights. The candidate will not be expected to have a detailed knowledge of all the derogations set out in the GDPR but will be expected to demonstrate a broad understanding of the exemptions established under Article 23 and Schedule 2 of the DP Bill, and be able to interpret how the following can be applied in practice:

    1. 10.1 The importance of the GDPR recitals and how they will be used by the courts

    2. 10.2 Protection of the rights of others

    3. 10.3 Crime and taxation, including:

    4. - Prevention or detection of crime

    5. - Apprehension or prosecution of offenders and self-incrimination

    6. - Disclosures likely to prejudice crime, taxation and the proper discharge of a function designed to protect the public

    7. 10.4 Assessment or collection of a tax, duty, or similar imposition

    8. 10.5 Border Control

    9. 10.6 Immigration

    10. 10.7 Disclosures prohibited by law:

    11. - Human fertilisation and embryology

    12. - Adoption records

    13. 10.8 Processing in connection with legal proceedings, seeking legal advice or exercising or defending legal rights and legal professional privilege

    14. 10.9 Corporate finance

    15. 10.10 Courts and judiciary

    16. 10.11 Management forecasts

    17. 10.12 Negotiations with the data subject

    18. 10.13 Confidential references

    19. 10.14 Health, social work and education (reasonableness test):

    20. - Child abuse data

    21. - Education data, examination scripts and mark

    22. 10.15 Scientific or historical research and statistics

    23. 10.16 Freedom of expression

    24. 10.17 Archiving in the public interest

  11. 11 Offences (0.5 hours, 1.25%)

    The objective is for the candidate to be able to describe the range of offences under UK data protection legislation which are dealt with by the courts. The candidate will need to explain:

    1. 11.1 How specific offences currently apply in practice

    2. 11.2 The difference between offences and administrative fines

    3. 11.3 "The interpretation of ‘effective, proportionate and dissuasive’ and where the UK intends to legislate for new infringements

    The candidate will be expected to demonstrate what constitutes an offence including:

    1. 11.4 Failure to comply with an information notice

    2. 11.5 Falsely or recklessly responding to an information notice

    3. 11.6 Unlawfully obtaining personal data, knowingly or recklessly to:

    4. - Obtain or disclose personal data without the consent of the controller(s)

    5. - Procure the disclosure of personal data to another person without the consent of the controller, or, subsequently retaining or processing the data, without the consent of the person who was the controller when it was obtained

    6. 11.7 Alteration, defacing, blocking, concealing, erasure or destruction of personal data to prevent disclosure under a subject access request

    7. 11.8 Re-identification or use of anonymised/pseudonymised data without the consent of the controller

    8. 11.9 Enforced Subject Access offences (i.e. Prohibition of requirement to produce relevant records in connection with employment and provision of services etc.)

  12. 12 Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003 (1 hour, 2.50%)

    The candidate will be expected to describe the relationship between the current PECR and the broad scope of the GDPR and interpret the main provisions in relation to unsolicited marketing and consent. Apart from understanding the objective and the broad scope of PECR, the candidate will be expected to apply the provisions relating to:

    1. 12.1 Unsolicited marketing calls by telephone and role of TPS

    2. 12.2 Marketing calls using pre-recorded message (robotic call consent requirements)

    3. 12.3 Unsolicited marketing emails (including SMS and the soft opt-in)

  13. 13 Other associated legislation (1 hour, 2.50%)

    The objective is for the candidate to be able to identify UK legislation relevant to the implementation of the GDPR. The candidate will not be expected to have an in-depth knowledge but will be required to explain how UK data protection relates to the following legislation:

    1. 13.1 Computer Misuse Act 1990 (as amended by the Serious Crime Act 2015) Offences:

    2. - Unauthorised access to computer material

    3. - Unauthorised access with intent to commit or facilitate commission of further offences (e.g. theft of data)

    4. - Unauthorised modification to contents of a computer

    5. - Unauthorised acts with intent to impair operation of a computer

    6. - Causing or creating risk of serious damage

    7. 13.2 Freedom of Information Act 2000 (FOIA) and Freedom of Information (Scotland) Act 2002 (FOISA):

    8. - Information exempt from subject access rights and disclosures involving personal data

    The candidate will be expected to explain the interaction between UK data protection legislation and the FOIA/FOISA as well as the Environmental Information Regulations where the fulfilment of a disclosure request may be exempt due to the impact of data protection legislation.

  14. 14 Application of data protection legislation (18 hours, 45%, K3)

    The candidate will be expected to recognise the application of compliance in a range of circumstances. The candidate will be expected to apply their knowledge of data protection legislation across a range of detailed scenarios.

    1. 14.1 Data controller and data processor obligations

      Specifically, the candidate will be required to apply the requirements relating to Article 5(2) of the GDPR and will be expected to be able to demonstrate practical applications of the following:

      1. 14.1.1

        General obligations of a controller and processor

      2. 14.1.2

        Data controller/data processor and joint controller relationships

      3. 14.1.3

        Accountability and governance

      4. 14.1.4

        Administration and maintaining records of processing activities

      5. 14.1.5

        Notification and consultation with supervisory authorities

      6. 14.1.6

        Published codes of practice (and where applicable codes of conduct) to include:

      7. -

        Employment practices code

      8. -

        Data sharing code of practice

      9. -

        CCTV code of practice

      10. -

        Privacy information notices, transparency and control

      11. -

        Privacy impact assessment code of practice

      12. -

        ICO consent guidelines

      13. -

        The role of the WP29/European Data Protection Board in relation to publication of Codes of Conduct"

    2. 14.2 Security of processing

      The candidate will be expected to explain the obligations for securing personal data including:

      1. 14.2.1

        Organisational and technical security measures

      2. 14.2.2

        Notification of a personal data breach to the supervisory authority

      3. 14.2.3

        Overlap with the NIS Directive in relation to breach reporting

      4. 14.2.4

        Communication of a personal data breach to the data subject

      5. 14.2.5

        Using data protection impact assessments and prior consultation with the supervisory authority

      6. 14.2.6

        Data processor supervision and security in third party contracts

      7. 14.2.7

        Adopting a ‘data protection by design/data protection by default’ approach when setting security requirements for new processing systems

      8. 14.2.8

        Requirement for education and training

    3. 14.3 Data protection officer

      It is expected that the candidate will be able to describe the role of the data protection officer as defined in the GDPR and the Data Protection Bill covering the following:

      1. 14.3.1

        Data protection officer designation, position, and role/tasks

      2. 14.3.2

        WP29 Guidance on Data Protection Officers (16/EN/WP243:2017e)

    4. 14.4 Addressing scenarios in specific sectors

      The candidate will be expected to interpret how the following sectors may influence the practical implementation of the GDPR:

      1. 14.4.1


      2. 14.4.2

        Financial services

      3. 14.4.3

        Services provided by public bodies (e.g./ Local and Central Government)

      4. 14.4.4

        Human resource management

      5. 14.4.5

        Health sector

    5. 14.5 Data processing topics

      The candidate will be expected to explain how data protection concepts apply to the following business processes:

      1. 14.5.1

        Monitoring and profiling of data subjects – internet, email, telephone calls and CCTV

      2. 14.5.2

        Use of the internet (including electronic commerce)

      3. 14.5.3

        Data matching, data analytics and data warehousing (big data and profiling)

      4. 14.5.4

        Disclosure and data sharing

      The focus here is on the candidate recognising the practical issues of complying with legislation in the real world. The candidate is encouraged to understand how they would approach different scenarios to become familiar with the practicalities of compliance. Compliance advice on particular topics and for specific sectors is published by the Information Commissioner. It is strongly recommended that human resource management related issues are addressed.

View the full BCS Practitioner Certificate in Data Protection Syllabus on the BCS Website

Exam Preparation Day

This 1-Day online GDPR training course is intended to help participants revise for and assist in their preparations for the BCS Practitioner Certificate in Data Protection Examination. 

The topics covered in this online session include:

Part 1. Online discussion and presentation

  • Exam technique
  • Timing
  • Completing the exam paperwork
  • How to break down BCS exam questions
    • Reading questions properly
    • Answering questions correctly
  • Exercises
  • Group discussion, 3 example questions

Part 2. Mock exam

  • 1-hour mock exam (50% of the exam paper)

Part 3. Discussion, Q&A, review of the mock exam

  • Group discussion, mock exam answers

Following the examination prep day, the instructor will evaluate each student’s mock paper and provide individual feedback. This will include direct comments on the answers, exam technique and offer guidance for further study areas.

Duration and Format of the BCS Examination

The BCS Practitioner Certificate in Data Protection Exam is a two-hour closed-book examination comprising three sections. The format is as follows with a balance of questions across the syllabus.

Section A:

20 simple multiple choice questions (1 mark each). Participants should attempt all questions.

Section B:

20 complex multiple choice questions (2 marks each). Participants should attempt all questions.

Section C:

12 short answer questions (5 marks each). Participants should attempt all questions.

The examination is held independently of the accredited course.

Pass Mark

The pass mark is 78/120. This equates to 65%


Distinctions will be awarded to candidates who achieve 96 or more.

Format of the Examination

  • 17% Simple multiple choice questions
  • 33% Complex multiple choice questions
  • 50% Short answer questions
Duration 2 Hours. An additional 30 minutes will be allowed for candidates sitting the examination in a language that is not their native language
Invigilated Yes
Open Book No
Pass Mark 65/100 (50%)
Distinction Mark 80/100 (80%)
Calculators Calculators cannot be used during this examination
Delivery Paper based examination only

Additional time for candidates requiring Reasonable Adjustments

Candidates may request additional time if they require reasonable adjustments. Please refer to the reasonable adjustments policy for detailed information on how and when to apply.

Additional time for candidates whose language is not the language of the exam

An additional 25% (30 minutes) will be allowed for candidates sitting the examination in a language that is not their mother tongue. If the examination is taken in a language that is not the candidate’s native/official language, then they are entitled to use their own paper language dictionary (whose purpose is translation between the examination language and another national language) during the examination. Electronic versions of dictionaries will not be allowed into the examination room.

The full BCS PC-DP Syllabus can be viewed here syllabus on the BCS website.

Course dates

Code Course Start Duration Location Booking
PC-DP BCS Practitioner Certificate in Data Protection 7 Jan 19 5 days Bedford Book now
25 Mar 19 5 days Bedford Book now

Examination Events

When booking onto one of the above course dates, you will be asked to select the dates for your examination events.

Exam preparation day Date Duration Format
We recommend choosing a date 4-8 weeks after attending the course. 22 Nov 18 1 day online
13 Dec 18 1 day online
11 Feb 19 1 day online
24 Apr 19 1 day online
BCS exam Date Duration Location
We recommend booking onto a BCS Exam 4 to 6 weeks after preparation day. 17 Jan 19 ½ day Bedford
7 Mar 19 ½ day Bedford
23 May 19 ½ day Bedford

What our customers have to say

  • Good overall structure, well paced and easy going and personable tutor.

    Thoroughly enjoyable

    Prakash Mistry
  • Joyce is a fantastic tutor who thoroughly knows her subject and made a very dry course incredibly enjoyable. The delivery and materials are excellent and I will be recommending Freevacy for future use.

    Caroline Higton
  • Joyce made the course very interesting and will help me a lot with my job.

    Diane Ahearn
  • Joyce is very knowledgeable and patient when dealing with all our queries and questions. Very good course.

    Christine Elliott
  • The tutor made the course very interesting.

    Lorna Geach
  • Thank you Joyce @ Freevacy - Excellent knowledge and delivery.

    Pete Cokell
  • We needed in-house DP and FOI training for the whole team – both the “old hands” and the new learners. Freevacy offered us sessions on-site, plus supported revision up to the exam. The trainer directed learning at the right level for each person, with 100% success.

    Robert Beane, Veritau Ltd