Certified Data Protection Practitioner (GDPR)

We advise learners to have some prior practical Data Protection experience, although not essential. Attending the QA Data Protection Foundation (QACDPF) course is recommended but not mandatory.

Target audience

This Data Protection Foundation & Practitioner course is primarily aimed at DPOs and professionals working with IT, Risk, Security, Governance and Compliance roles across public and private sectors. It is also aimed at Human Resource and Marketing Professionals, Product Owners, Business Analysts and Project Managers.

Learn to address new privacy situations by applying acquired knowledge, facts, techniques, and rules learnt from this course.

• Apply the implementation pathway for Data Protection & GDPR compliance
  • Data Protection Principles & Individual Rights
  • Data Protection Impact Assessments
  • Incident Response
  • Policy Frameworks
  • Privacy by Design / Default
  • Information Risk Management
• Understand the role of the data Protection Officer (DPO)
• Understand the impact of the Data (Use and Access) Act on Data Protection
• Develop a plan to address the challenges of developing a privacy programme across your organisation
• Understand the role of Artificial Intelligence (AI) on privacy
• Prepare for managing and reacting to a data breach both from a regulator and commercial perspective
• Identify and understand the rights of data subjects, consent, data in the cloud and third parties
• Model the enforcement aspects of the DPA18 & GDPRs to your organisation

Business outcomes

• Demonstrate understanding of the data protection principles and individual data subject rights and when and how they apply at an operational level.
• Understand why privacy is important, and how it relates to data protection in your business
• Be able to understand the role of the Data Protection Officer, if you need one and how they help your business achieve compliance
• Learn to solve Data Protection (GDPR) problems and advise on privacy risks by applying acquired knowledge, facts, techniques, and rules learnt
• Respond in a more responsible, ethical, and well-informed manner, to GDPR compliance issues and scenarios
• Consider the privacy, ethical and regulatory impact of Artificial Intelligence (AI) and or shadow AI being adopted in your organisation or supply chain
• Adapt your communication style to being one of a knowledgeable, capable Privacy Professional and or Practitioner
• Build effective working relationships by being able to articulate and determine GDPR compliance issues, via the logical interpretation and application of the GDPR Articles and Recitals, to real world and hypothetical work/life scenarios
• Demonstrate good knowledge of the (EU & UK) GDPRs and related legislation

Module 1: Data Protection Management Maturity

By the end of this module, learners will:

• Be able to establish their current level of compliance.
• Be able to conduct a self-assessment and create an improvement plan.
• Understand what data mapping is and why it is used.
• Be able to carry out a data mapping exercise.

Exercise: Accountability Framework and Implementation Plan Document

Module 2: Useful steps to compliance

By the end of this module, learners will be able to:

• Identify useful steps to take to achieve / maintain GDPR compliance.

Module 3: Data Protection by Design, by Default and DPIAs

By the end of this module, learners will:

• Understand what is meant by privacy by design.
• Know what a DPIA is.
• Understand how DPIAs are linked to the risk management approach.
• Understand how data mapping and creating information flows facilitate DPIAs.
• Be familiar with the ICO DPIA template and what the expected outputs of that framework are.
• Understand how DPIAs are used to check for and demonstrate compliance with the principles.
• Understand how DPIAs are used as part of the prior consultation process.

Exercise: DPIA

Module 4: Risk Management, Assurance and Appropriate Security

By the end of this module, learners will:

• Be able to determine what appropriate security is, using a risk-based approach.
• Understand what information assurance is and why an information assurance plan is required.
• Be able to create an information assurance plan.
• Understand what is meant by baseline control sets.
• Be able to implement a baseline control set for personal data.

Exercise: Baseline Control Sets and Risk Assessment for the process

Module 5: Obligations on Controllers and Processors

By the end of this module, learners will:

• Understand the obligations GDPR puts on controllers and processors.
• Understand the impact of the Data (Use and Access) Act 2025.
• Be able to identify ways their organisations can maintain compliance with these obligations.

Exercise: Breach Reporting

Exercise: Subject Access Requests

Module 6: Direct Marketing and Online Profiling

By the end of this module, learners will:

• Understand how the e-privacy review may potentially impact their organisation.
• Understand how the GDPR consent impacts on direct marketing operations.
• Understand the impact of the Data (Use and Access) Act 2025.
• Understand why consent clarification emails may not be legal.
• Understand why GDPR impacts how an organisations website works.
• Understand how GDPR consent applies for cookies and profiling.

Module 7: Transfers to Third Countries

By the end of this module, learners will:

• Understand how transferring data to processors or international organisations is impacted by GDPR.
• Understand what arrangements apply where no safeguards or adequacy agreements exist.
• Understand the impact of the Data (Use and Access) Act 2025.
• Understand international transfers.

Module 8: Privacy & Monitoring

By the end of this module, learners will:

• Be aware of privacy and monitoring aspects relating to GDPR.
• Be able to identify areas where DPIAs are necessary and critical to compliance.
• Be aware of relevant ICO guidance.

Module 9: Information Commission & Staying Compliant

By the end of this module, learners will:

• Understand the impact of the Data (Use and Access) Act 2025.
• Understand the new role of the Information Commission.
• Be aware of different approaches they can take to become and remain compliant.
• Be aware of useful privacy resources.

Exercise: Case Studies

Module 10: AI, Data Protection & Other Laws

By the end of this module, learners will:

• Understand how Data Protection & AI are related.
• Recognise the overlap between Data Protection & AI Governance.
• Explore key areas to consider AI under Data Protection.
• Recognise legislation related to AI & Data Protection.

Module 11: Introduction to AI Governance

By the end of this module, learners will:

• Be aware of AI Governance principles and strategies.
• Understand aims and objectives of EU AI Act.
• Introduction to the EU General Practice AI Code of Practice.

Module 12: Introduction to Privacy impact of Generative AI & AI Agents

By the end of this module, learners will:

• Understand the differences between Generative AI and AI Agents.
• Understand some of the risks and benefits of AI Agents and the privacy impact.

Module 13: Implementing AI Systems and Privacy

By the end of this module, learners will:

• Explore strategies and steps to addressing privacy risk when implementing AI.

Exams and assessments

Learners will be prepared for the independent APMG Data Protection Practitioner exam. The exam is administered separately and is not included as part of the teaching delivery. Exercises, reviews, and scenario-based work support exam readiness throughout the programme.

Hands-on learning

The course includes practical exercises, case studies, and real-world scenario analysis. Learners develop hands-on capability in DPIAs, breach reporting, information assurance planning, international transfers, and applying GDPR requirements.