25,000+ Courses Nationwide
0203 908 2376

BCS Foundation Certificate in Data Protection

The BCS Foundation Certificate in Data Protection will benefit any employee whose role requires they take active measures to ensure the protection of an individual's personal information and that their rights to privacy are upheld.

Participants attending this BCS accredited GDPR training course will develop a practical understanding of EU and UK data protection laws and how to apply them in everyday workplace situations. The focus is on the incoming EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. The course also looks at the new EU ePrivacy Regulation, which is set to repeal the Privacy and Electronic Communications Regulations (PECR).

Delivered over 3-days, the GDPR Foundation Certificate is a recognised workplace qualification. The course follows the latest BCS Syllabus (v2.4) and prepares participants for the 1-hour multiple-choice BCS Foundation Exam that concludes the course.

Course Rationale - Governance, Risk & Compliance

Choosing the BCS Foundation Certificate in Data Protection to develop the skills of select personnel within departments that process high volumes of personal information will be viewed as a positive step. One that outwardly demonstrates a strong commitment to building deeper, more trusting relationships with customers, service users, stakeholders and employees alike.

Who should attend

This course is intended for:

  • New team members in data protection, compliance or privacy roles 
  • Information Governance (IG) and Information Assurance (IA) teams
  • IT Security and Information Security specialists
  • Corporate IT and HR teams along with project managers
  • Marketing and sales professionals
  • Customer support and service delivery team members
  • It also benefits senior managers or directors of small and medium size businesses

Investing in the BCS Foundation to train operational employees will also help to reduce unnecessary human errors that can lead to a devastating and costly data breach, potentially resulting in a cut to cyber-insurance premiums. Ultimately, however, it means maintaining a constant state of compliance with the GDPR will become a more realistic objective. 

Select specific date to see price, venue and full details.

Learning Objectives

By obtaining the Foundation Certificate, individuals will:

  • Hold a recognised foundation level qualification in GDPR
  • Understand the significant changes that the GDPR and the UK Data Protection Act 2018 introduce to data protection
  • Appreciate both the individual and organisational responsibilities faced by data controllers and data processors
  • Recognise the importance of keeping accurate internal records of personal data being processed
  • Know the 6 lawful bases for processing (Consent, Contractual necessity, Legal compliance + Vital, Public and Legitimate interests)
  • Understand the reasons for and implications of the new rights made available to data subjects  
  • Be able to support the organisation's ongoing commitment to maintain compliance with the GDPR and the UK Data Protection Act 2018

The BCS Foundation Certificate in Data Protection aligns with the vocational qualification QCF Level 2. Note, this link is advisory and for comparison purposes only. Ofqual does not regulate BCS qualifications.

Course Content

BCS Syllabus

Foundation Certificate in Data Protection (FC-DP) Extracted from syllabus version 2.4 December 2017

This professional certification is not regulated by the following United Kingdom Regulators - Ofqual, Qualification in Wales, CCEA or SQA.

1 Legal background and positioning (6% - 1 hour of coursework)

The objective is to ensure the candidate has a basic understanding of the evolution of data protection law in the UK and the relationship with the EU General Data Protection Regulation (GDPR). The syllabus reflects the legal provisions of the UK Data Protection Bill 2017 and will be updated should there be any changes once it is enacted as the new UK Data Protection Act.

1.1 Context of data protection law

The objective is to ensure that the candidate is able to summarise the revised structure, legal context and wider scope of GDPR and its positioning in relation to the current UK Data Protection Act 1998 and the status of the UK Data Protection Bill, including the following:

1.1.1  EU Directive 2016/680, the Data Protection Law Enforcement Directive (DPLED)

1.1.2  The Privacy and Electronic Communications (EC Directive 2002/58/EC) Regulations 2003

1.1.3  UK Human Rights Act 1998

1.1.4  EU Charter of fundamental rights and freedoms (Article 8)

1.1.5  UK Data Protection Bill, Part 2, Chapters 1 to 3

NB  The candidate is expected to have a basic knowledge of the existence of the above and how UK data protection has evolved. The candidate is not expected to have a detailed knowledge of the provisions.

1.2 The role of the Supervisory Authority (Information Commissioners Office [ICO])

Specifically, the candidate will be expected to be able to identify:

1.2.1  Registration (Notification) scheme

1.2.2  Information Fee (Section 108, Digital Economy Act 2017)

1.2.3  Provision of guidance

1.2.4  Codes of practice

1.2.5  Enforcement

1.2.6  Co-operation between supervisory authorities

1.2.7  European Data Protection Board

NB  Details of enforcement provisions and specific codes are covered elsewhere in the syllabus.

1.3 Territorial scope and jurisdiction of the GDPR (Articles 2 and 3)

Specifically, the candidate will need to recognise the following:

1.3.1  Main establishment and the one-stop shop

1.3.2  When EU representative is needed

1.4 Transfers of personal data outside the EU

Specifically, the candidate will be required to recognise the general principles for transferring personal data to third countries, on the basis of:

1.4.1  An adequacy decision by the EU

1.4.2  Binding Corporate Rules:

-  Contractual Clauses

-  Binding Corporate Rules

1.4.3  Derogations for Special circumstances

2 Identification of processing that must comply with the data protection law (13% - 2 hours of coursework)

2.1 Definitions

Specifically, the candidate will be expected to identify the following UK definitions that support the application of the GDPR and the lawfulness of processing:

2.1.1  Personal data

2.1.2  Special category personal data

2.1.3  Processing

2.1.4  Filing system

2.1.5  Data controller

2.1.6  Data processor

2.1.7  Data subject

2.1.8  Public authority, Scottish public authority and public body, (including Crown and Parliament)

2.1.9  Manual unstructured data held by a FOIA/FOISA public authority

2.1.10  Profiling

2.1.11  Pseudonymisation

2.1.12  Consent

2.1.13  Child’s consent in relation to information society services

2.1.14  Personal data breach

2.1.15  Processing for purely personal or household purposes exemption

3 Understanding the data protection principles (31% - 5 hours of coursework)

The objective is to ensure that the candidate can identify how the six fundamental principles of data protection set out in Article 5(1) of the GDPR regulate the processing of personal data, as well as an understanding of the differences between them. The candidate will also be expected to understand data controller and data processor accountability established in Article 5(2).

3.1 Lawfulness of processing

Specifically, the candidate will need to be able to identify the lawful conditions (grounds) that must be satisfied in order to lawfully process personal data and special categories of personal data described in Article 6 and 9 of the GDPR, including:

3.1.1  Conditions for consent (Article 7 and Recitals 32, 42 and 43)

3.1.2  Consent of a child in relation to information society services (Article 8)

3.1.3  Processing of special category data by a controller bound by legal, professional or other binding obligations of secrecy (common law duty of confidentiality):

-  We are not talking about the Information Commissioner’s obligations of secrecy

-  Note: refer to Recital 50 “expectations of privacy” by a data subject in relation to further processing and Schedule 1, para 2 (3) and Chapter 2, Part 2 – the GDPR, Section 10, para (1) of the DP Bill

3.1.4  Personal data relating to criminal convictions and alleged offences (Article 10)

3.1.5  Processing which does not require identification (Article 11)

4 Rights of the Data Subject (13% - 2 hours of coursework)

4.1 Lawfulness of processing

The objective is to ensure the candidate is able to identify the rights granted to individuals (Articles 12–22). Specifically, the candidate will be required to explain data subject rights in relation to:

4.1.1  Confirmation of processing

4.1.2  Being informed (transparency), including of further processing compatibility (Article 13 and Article 14)

4.1.3  Access to personal data (Article 15)

4.1.4  Rectification (Article 16)

4.1.5  Erasure (Right to be forgotten) (Article 17)

4.1.6  Restriction of processing (Article 18)

4.1.7  Obligation to notify the rectification, erasure or restriction to recipients and the data subject (Article 19)

4.1.8  Portability (Article 20)

4.1.9  Objection and rights in relation to direct marketing (Article 21)

4.1.10  Automated individual decision making and profiling (Article 22)

4.1.11  Lodging a complaint (Article 77)

4.1.12  Effective judicial remedy (Article 78 and 79)

4.1.13  Compensation (Article 82)

4.2 Restriction on Data Subject Rights

The candidate is not expected to have a detailed knowledge of restrictions on data subject’s rights (Article 23) but will be expected to identify restrictions that may affect data subject rights of access (Article 15), to include:

4.2.1  Protection of the rights of others

4.2.2  Crime and taxation

4.2.3  Prevention or detection of crime:

-  Apprehension or prosecution of offenders, self-incrimination

-  Processing (e.g. disclosures) likely to prejudice crime and taxation

-  Assessment or collection of a tax, duty or similar imposition

-  Border control

-  Immigration

-  Disclosures prohibited by law

-  National Security

4.2.4  Processing in connection with legal proceedings, seeking legal advice or exercising or defending legal rights and legal professional privilege

4.2.5  Processing likely to prejudice the discharge of statutory functions designed to protect the public (e.g. regulatory functions, ministers of the Crown)

4.2.6  Corporate finance

4.2.7  Courts and judiciary

4.2.8  Management forecasts

4.2.9  Negotiations with the data subject

4.2.10  Confidential references

4.2.11  Health, social work, education:

-  Child abuse data

 - Education data, exam scripts and marks

4.2.12  Research and statistics

4.2.13  Archiving in the public interest

5 Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003 (6% - 1 hour of coursework)

The objective is to ensure the candidate can identify the relationship between the PECR and the GDPR, including the PECR’s:

5.1 Objective and broad scope (email, phone, SMS, automated calls, robocalls)

5.2 Provisions relating to electronic marketing communications

5.3 ICO Guidance on Direct Marketing and Direct Marketing Commission Code:

- DMA telephone preference services

5.4 ICO services to the public – Reporting complaints and concerns

6 Data controller and data processor obligations (19% - 3 hour of coursework)

The objective is to ensure that the candidate can identify the following controller and processor obligations:

6.1 Accountability and data governance (Article 5 (2))

6.2 Controller obligations (Article 24)

6.3 Data protection by design and by default (Article 25)

6.4 Joint controllers (Article 26)

6.5 Processor obligations (Article 28)

6.6 Processing under the authority of a Controller or Processor (Article 29)

6.7 Records of processing activities (Article 30)

6.8 Co-operation with the ICO (Article 31)

6.9 Information security (Article 32)

6.10 Data breach notification obligations (Articles 33 and 34) to the:


- Data Subject

6.11 Data protection impact assessment (Article 35)

6.12 Consultation with the ICO on high-risk processing (Article 36)

6.13 Data Protection Officer appointment, competency and independence (Article 37 to 39)

7 Enforcement (3% - 0.5 hours of coursework)

The objective is to ensure the candidate can indicate how the supervisory authority (ICO) and the courts enforce the provisions of the GDPR and the Data Protection Bill. Specifically, the candidate will be expected to identify the powers of the ICO (Article 58) in relation to:

7.1 Information notices and assessments

7.2 Undertakings

7.3 Enforcement notices

7.4 Monetary penalty notices (Article 83 and 84)

7.5 Data protection audits by the supervisory authority

7.6 Offences

NB Candidates will need to understand where enforcement powers apply under the GDPR and be aware of potential changes as the Data Protection Bill is enacted.

8 Codes of Conduct and Best Practice Standards (9% - 1.5 hours of coursework)

The candidate will be expected to be aware of the existence of published Codes of Conduct and official guidelines published by the ICO, the importance of using them and the existence of recognised standards that support data protection laws in the UK, including BS10012:2017. The candidate will be expected to recall what Codes of Conduct are available and the value of using them, but are not expected to know the detailed content. Specifically, the candidate will need to be able to identify:

8.1 The status and use of Codes of Conduct

8.2 Published codes in the following key areas:

- Privacy notices

- Subject access

- Employment practices


- Data protection impact assessment

- Business sector codes

- Proposed codes of practice (Data Sharing Code and Direct Marketing Code)

- Useful standards

Exams & Certification

BCS Exam

Duration and Format of the Examination

The BCS Foundation Certificate in Data Protection exam format is a one-hour multiple-choice examination. The exam is closed book i.e. no materials can be taken into the examination room.

The BCS Examination for the Foundation Certificate in Data Protection is held on the last afternoon of the accredited training course.

Pass Mark

The pass mark is 26/40.

This equates to 65%

Format of the Examination

Multiple choice, 40 Questions (1 mark each)

Duration: 1 Hour. An additional 15 minutes will be allowed for candidates sitting the examination in a language that is not their native language

Supervised: Yes

Open Book: No

Pass Mark: 26/40 (65%)

Distinction Mark: None

Calculators: No, calculators cannot be used during this examination

Delivery: Paper based examination

Additional time for candidates requiring Reasonable Adjustments

Candidates may request additional time if they require reasonable adjustments. Please refer to the reasonable adjustments policy for detailed information on how and when to apply.

Additional time for candidates whose language is not the language of the exam

An additional 25% (15 minutes) will be allowed for candidates sitting the examination in a language that is not their mother tongue. If the examination is taken in a language that is not the candidate’s native/official language, then they are entitled to use their own paper language dictionary (whose purpose is translation between the examination language and another national language) during the examination. Electronic versions of dictionaries will not be allowed into the examination room.

Related Courses

Privacy Notice

In order to provide you with the service requested we will need to retain and use your contact information in accordance with our Privacy Notice. If you choose to provide us with this information you explicitly consent to us using the information as necessary to provide the requested service to you. If you do not agree please do not proceed to request the service from us.

Marketing Permissions

Would you like to receive our newsletter and other information on products and services which we think will be of interest to you by email. We will always treat your information with care and in accordance with our Privacy Notice. You are free to withdraw this permission at any time.


We work with the best