Certified Data Protection Practitioner in Education / Foundation (CDPPE/F)

The only certified training for data protection practitioners in education

The best and only certified specialist data protection available for data protection practitioners in education

In the rapidly evolving landscape of data protection and technology, it can be difficult to keep up.

Your professionals and organisation need and deserve the best training available.

This 3-day Certified foundation data protection course combines our deep understanding of how data protection law applies in the education sector with the power of certification, allowing us to train your professionals to the rigour required and accurately measure what they have learned. The result ? Your professionals become more capable and confident with their new – found skills whilst your organisation is equipped to achieve and maintain compliance.

You can choose to take the course with or without sitting the exam. If you sit and pass the exam, you will achieve certified status.*

With certified status you will be able to demonstrate you have what it takes. All of the detail about the course including the syllabus can be read here

* Certification follows passing the exam which is optional.

Course delegates can choose to develop their knowledge and skill – set further by taking the “Certified Data Protection Practitioner in Education / Advanced

Why Choose Use?

1. A unique and rigorous, sector-specific approach which sets it apart from other training courses

There are many data protection training courses available but most are general and not geared to those working in educational establishments. The key to data protection expertise is not just understanding the law but the nuanced approach of how it applies to a school, a college and to children/students. This is because the law varies between different types of educational establishment and whether you are a public authority or not. Also, unlike most other data protection trainers, we are familiar with the overall education law landscape that interfaces with data protection law. These other laws also come into play when applying GDPR in your sector.

2. Unique Certified Status

The 3-day “Certified Data Protection Practitioner in Education / Foundation” is the only specialist certified course currently available for data protection practitioners working in educational establishments. Measurable output means you can see evidence from your investment into training and compliance, whilst your staff are rewarded for their hard work with increased satisfaction and a qualification. Certification is evidence that helps your organisation comply with the GDPR Accountability Principle and is a return on your investment.

3. Lawyer-led trainer with over 20 years’ experience working in education sector

The trainer is one of the UK’s leading Privacy and Data Protection lawyers with over 20 years advising schools, colleges and universities on data protection compliance. Director of Content at Tenjin, Partner at Excello Law, and Former Head of Information Law at Stone King Solicitors. See their full biography here.

4. Course affiliated with Amberhawk Training

The course is affiliated and approved by Amberhawk Training Limited, one of the UK’s leading data protection training companies in the UK, with over 60 years’ combined experience. You can therefore be confident that the course and exam have been vetted by leading data protection experts.

Click here to read our Examination and Syllabus guide which contains everything you need to know.

Course FAQ's


3 days (Plus optional exam clinic (free of charge) and examination)


Live online virtual classroom via MS Teams.

Who should attend?:

Data Protection Officers, Data Protection Leads and anyone who has to deal with data protection compliance in an education setting.

What level?:

This is a Foundation course. No previous data protection knowledge is required. (The Advanced Course and Certificate is available separately.)

What will I learn?:

What you need to perform your job well. Read the full syllabus here:

  • The Data Protection legal landscape in the UK (including the UK GDPR, Data Protection Act 2018);
  • Understand essential terminology, data protection concepts;
  • Know where the main data protection “trigger points” lie in an educational establishment.g., use of personal devices, remote working, data sharing, international transfers, use of student images, data sharing, EdTech, and data breaches;.
  • Understand an educational establishment’s main data protection obligations. E.g., compliance with the data protection principles, record keeping and breach reporting requirements, duty to pay the Controller’s fee, and compliance with individual rights including Subject Access Requests (SARs);
  • Understand the requirement to have a lawful basis for the processing;
  • Understand how to comply with the data protection principles; when to conduct a Legitimate Interest Assessment (LIA); when to rely on “consent” and when not to rely on “consent” and the requirements of legally valid consent;
  • Understand how to draft a privacy notice and what it must contain;
  • Understand how to process special categories of personal data lawfully under UK GDPR and the Data Protection Act 2018, E.g., in the context of SEND, Exam Access Arrangement (EAA) information;
  • Understand the principle requiring you to take technical and organisational security measures to protect personal data and what measures you are expected to implement within your setting. E.g., when working in an office, classroom, remotely, on the move or from home;
  • Understand how to comply with the Accountability Principle in order to be able to demonstrate compliance, including which accountability measures are obligatory and the circumstances under which they are obligatory, such as data protection policies and the appointment of a DPO, and which measures are optional? (Article 24/25 UK GDPR);
  • How and when to carry out a Data Protection Impact Assessment (DPIA);
  • Understand the requirements under UK GDPR relating to staff data protection training and data protection policies;
  • Understand the different individual legal rights; how to handle a Subject Access Request including when you can refuse one; understanding the exemptions from the right of subject access that typically apply to educational establishments;
  • Understand when you are required to appoint a DPO, maintain a Record of Processing Activities (ROPA) and pay the annual Controller fee;
  • Understand the role and enforcement powers of the ICO, aspects of the ICO’s Regulatory Action Policy (RAP); certain criminal offences including the offence of unlawful obtaining of personal data; offence of re-identification of de-identified personal data; offence of alteration, blocking, erasing etc. of personal data following a request such as a SAR; penalties for breaches;
  • Data Subject’s remedies for infringements;
  • Understand and overcome the challenges of using student images lawfully. E.g., lawful use of student images on your website, social networking platforms and in printed publicity;
  • Understand the rules relating to data sharing with third parties. E.g., disclosures to other parents, the local authority, police, Childrens Services/Child Protection, service providers such as cloud service providers;
  • Understand the specific data protection compliance issues around using Edtech including the UK GDPR rule relating to contracts between Controllers and Processors;
  • Understand about the Age-Appropriate Design Code (or Children’s Code) in the context of Edtech; Understanding if and when the Code applies to you or to your service providers;
  • Understand the data protection rule that is engaged (and how to comply) when processing the personal data of a child under the age of 13 years, on the lawful basis of consent, in the context of an Internet Society Service (ISS);
  • Learn how to recognise, handle, and prevent personal data breaches in an educational establishment; know when to report a breach to the ICO and affected individuals; what to include in a notification to comply with the law but minimise the risk of a civil claim against you;
  • Understand the basic rules relating to international transfers of Personal Data from the UK to other countries and the typical options for an educational establishment to consider, to ensure that a transfer complies with UK GDPR rules relating to international transfers. he course includes a high-level review of the latest developments including the EU-US Data Privacy Framework and the UK Extension to it, Standard Data Protection Clauses and when to carry out a Transfer Risk Assessment (TRA);
  • Understand the data protection risks related to remote working and working from personal devices and how to mitigate those risks;
  • Understand the data protection considerations and risks of using Artificial Intelligence (AI) and Generative AI for teaching and learning and HR and how to mitigate those risks; The DoE’s Policy Paper “Generative Artificial Intelligence (AI) in Education”; Understand the AI regulatory landscape;
  • Horizon scanning: A review of the potential changes to UK Data Protection law including the Data Protection Digital Information Bill (No.2) and a summary of how the changes will affect educational establishments;
  • My name is Maximus Decimus Meridius, commander of the Armies of the North, General of the Felix Legions, and loyal DPO/SRI to the true emperor, Marcus Aurelius. Father to a murdered son, husband to a murdered wife. And I will have my vengeance, in this life or the next.
  • Understand how to achieve and maintain a culture of compliance in an education setting. Understand the challenges and how to overcome them.

Is there an exam?:

Yes. The 75 minute computer-based (closed-book) examination is optional. However, it must be passed in order to achieve certified status. The examination consists of 50 multi choice questions. The pass rate is 65% or above. (i.e.33 or more correct out of 50 questions). There is more information about the format of the examination including about our remote practice tutorials so you can get comfortable with the arrangements, Exam Access Arrangements for those candidates with a disability or impairment and minimum technical requirements, plus lots of other useful information can be found here.

Can I see some example questions?:

Yes. You will find the full syllabus together with some sample questions in our detailed document Examination Guide and Syllabus here. A larger number of sample exam questions is available upon request.

Will the course give me a certification?:

Yes, providing you sit and pass the examination, you will be certified with the relevant qualification. Certified Data Protection Practitioner in Education/Foundation (CDPPE/F). You will receive a certificate in digital format to download as evidence of your qualification.

Is this training course regulated?:

The certification is not regulated by Ofqual, Qualification Wales, CCEA or SQA. The training course and examination is provided in association with Amberhawk Training Limited (“Amberhawk”), a renowned Information Law training company founded in 2008 and accredited by the British Computer Society. This means that the CDPPE/F training content and syllabus has been reviewed by experts at Amberhawk , who also have a role in setting the examination, the syllabus and ensuring examination standards are high. Amberhawk don’t provide a specialist training course for data protection practitioners working in educational establishments but are partnering with us to deliver one.


£1200 to include:

Next Course Dates:

March 12th, 13th & 19th 2024
April 23rd, 24th & 30th 2024
June 11th, 12th & 18th 2024
September 17th, 18th & 24th 2024
October 1st, 2nd & 8th 2024
November 12th, 13th & 14th 2024

How do I book?:

Complete the online booking form by clicking below.

Further questions?:

What next?

The follow-on course from this Foundation course is the ‘Certified Data Protection Practitioner in Education / Advanced’.

To find out more about the Advanced course, Please click here.

Now booking for: March, April and June 2024

The course is affiliated and approved by Amberhawk Training Limited, one of the UK’s leading data protection training companies in the UK, with over 60 years’ combined experience. You can therefore be confident that the course and exam have been vetted by leading data protection experts.

This site uses cookies to enhance your user experience