CERTIFICATION
What is certification?
Art 42 of the UK GDPR provides for the creation of official certification schemes that will be recognised by the local Supervisory Authority (in this case the Information Commissioner's Office).
ICO REQUIREMENTS
- UK GDPR - The standard must meet all UK GDPR requirements.
- SCOPE - The standard must have a defined scope that relates to a specific processing activity.
- PRACTICAL - The requirements must be formulated in such a way that they are clear and allow practical application.
- AUDITABLE - Objectives must be specified along with how they can be achieved, so that compliance can be demonstrated.
- RELEVANT - To the target audience.
- INTEROPERABLE - With other standards such as ISO 27001.
- SCALABLE - For use by organisations of different sizes.
Further ICO guidance on the benefits of certification can be found here.
LOCS:23 SCOPE
The primary processing activities within the scope of this standard are:
- Processing of Personal Data in the Client File
- Ensuring protection of Client data when shared
(the full scope can be seen in the LOCS:23 Standard).
SCHEME REVIEW
The Certification Scheme has a scheme review process designed to ensure that its overall integrity and relevance are maintained. You can see more here.
COMPLAINTS
If you wish to make a complaint regarding the Certification Scheme, you can see the complaints and appeals process here.
CERTIFICATION BODIES
For more information on the Certification Body operating requirements, click here.
The Official Certification Mark (example image; its annotations read: specifies the Certification Body; QR code links back to the CB website to validate certification; specifies Data Controller or Data Processor)
The Official Certification Mark can only be awarded by a UKAS accredited Certification Body and is the only Mark that signifies LOCS:23 Certification as either a Data Controller or Data Processor.
All Certified organisations will be automatically published in a publicly available register accessible both here and by using the QR code on a Certification Mark.
It is highly recommended that clients check the validity of Certification before relying on it.
The Certification Mark is valid for 3 years from the date of issue.
The LOCS logo may be used for other purposes but the official Certification Mark will always follow the format of the above example and display the following:
- Name or logo of the Certification Body making the award
- Name of the Certified organisation
- Certified organisation's corporate address
- Certification Status (Controller or Processor)
- Date of issue
- Validation QR code (enables look-up of the Certification register)
If an organisation claims to be certified but does not have a Certification Mark in this format, you are advised to check the Certification register. If in doubt, or to report any misuse, contact info@locs23.com.
Use of the Certification Mark is closely monitored. Inappropriate or fraudulent use may result in legal action.
Certification Options
Organisations can Certify as a Data Controller or a Data Processor.
Data Controller - Suitable for:
- Law firms
- Barristers
- In-house Counsel
Data Processor - Suitable for:
- Tech providers
- Service Providers
- Chambers
Ecosystem Options
Approved Implementors are experts in the LOCS standard, have full knowledge of the LOCS audit and can assist firms with their certification preparation.
Qualified Consultancies are organisations that have two or more Approved Implementors.
An Approved Solution is a product or service that has demonstrated it meets one or more of the LOCS controls and can assist a firm with its certification.
A LOCS Practitioner has passed a knowledge test that covers:
- Data Protection fundamentals
- InfoSec fundamentals
- LOCS:23 fundamentals
To preserve the integrity of the LOCS programme, the ICO and UKAS require that public registers of certified organisations be kept.