LOCS:23 – the new data protection certification standard for the legal sector
Staying on top of law firm compliance can be a struggle at the best of times and ensuring practical compliance with the UK GDPR is no exception.
Certification schemes were introduced under the UK GDPR to enable organisations to demonstrate that they comply with data protection requirements. The schemes focus on particular areas and, as luck would have it, legal services is one of the first off the blocks. The Legal Services Operational Privacy Certification Scheme (LOCS:23) has now been approved by the Information Commissioner’s Office (ICO), and defines how legal service providers can best protect clients’ personal data in compliance with the UK GDPR.
Law firms, solicitors, in-house lawyers, barristers, other providers of legal services and their supply chain partners all fall under the umbrella term of legal service providers.
The first businesses have now started to achieve LOCS:23 certification, which is anticipated to create a ripple effect through the legal sector.
What are the benefits of meeting the LOCS:23 standard?
1. Reassure clients. Show clients that you’re committed to maintaining high data protection standards while processing their personal data.
2. Gain competitive advantage and simplify procurement processes. Stand out in the market and streamline your operations – whether it’s part of a client pitch, or your own purchasing decisions.
3. Align with consistent standards across the legal industry. You can be part of the bigger picture, ensuring uniformity and quality across the sector.
4. Mitigate penalties and enforcement action. The ICO expects legal service providers to comply with the certification standard. Indeed, the ICO has specified that, when it is considering fines or deciding whether conduct was intentional or negligent, it would consider adherence to the criteria of a certification scheme directly relevant to the infringement.
5. Stay up to date with best practice. Keep your business at the forefront of industry data protection standards. As the law and guidance evolve, so too will the standard.
6. Reassure professional indemnity providers. Demonstrate that your organisation is a safe bet.
7. Reduce liability stemming from breaches. Show clients that you have all the right systems and processes in place to reduce the impact of a data protection breach.
What’s the process?
The first step is to assess whether your organisation complies with the LOCS:23 standard by conducting a gap analysis against the scheme’s criteria, and then fixing any issues that arise.
You can do this stage in-house, but engaging a LOCS:23 Approved Implementor or Qualified Consultancy like Pritchetts Law is likely to save you time and resources. You will also benefit from our experience, which enables us to move swiftly to explain requirements and suggest practical remediation steps.
Once you are confident that you meet the standard, you may choose to stop there. If you have used an Approved Implementor or a Qualified Consultancy like Pritchetts Law, we can award you “LOCS:23 Ready” status. This entitles you to receive a logo to use on your marketing materials, and enables you to demonstrate to clients that you have achieved compliance with the UK GDPR.
However, you may wish to complete the formal certification process with ADISA (the official UKAS-accredited certification body for LOCS:23). If so:
· During Stage 1 of its process, ADISA will assess your application, reviewing your internal audit against the full LOCS:23 criteria. If you have previously engaged a LOCS:23 Approved Implementor or Qualified Consultancy to help you achieve the LOCS:23 standard, you will be able to present those audit findings and your LOCS:23 Ready status.
· If ADISA is satisfied with your audit, you will proceed to Stage 2, when ADISA will commence its certification audit against the LOCS:23 standard. This will comprise a review of your compliance documents and an on-site visit to determine how data protection compliance is embedded in your business. If ADISA recommends any corrective actions, it will report those to you.
As a Qualified Consultancy, Pritchetts Law can help you with the application process and preparation for the audit, as well as any remedial work flowing from it.
A successful outcome from the ADISA audit will lead to achieving UK GDPR certification as a LOCS:23 Certified Data Controller/Processor. So far, Briefed (a provider of case management, GDPR training and data breach management services) and 30 Park Place (a multi-disciplinary barristers’ chambers) have achieved certification as processors. We understand that the first law firm to achieve certification will shortly be announced.
How Pritchetts Law can help
Pritchetts Law is a specialist data protection law firm and LOCS:23 Qualified Consultancy, supporting organisations seeking to implement the standard. Our status as an SRA-regulated law firm, not a consultancy, is one of many reasons why we’re the best choice to help your business become LOCS:23 Ready and achieve LOCS:23 certification. Our experienced Partners, Stephanie Pritchett and Ben Wootton, are LOCS:23 Approved Implementors; they have also worked in some of the UK’s biggest law firms, as well as managing compliance in their own smaller firm.
We are experts with a decades-long track record in data protection compliance, and have particular specialism in advising professional services organisations. This makes us well-placed to help you understand what’s required practically. We can also provide legally privileged advice on your legal compliance risks and how best to manage them.
We have supported numerous law firm clients with their data protection and AI compliance projects. Find out more about how we can help you to achieve the LOCS:23 standard here.
Upcoming online roundtable
In autumn, the Bristol Law Society will be partnering with Pritchetts Law to offer an online roundtable meeting on LOCS:23 and what it could mean for your organisation.