LOCS:23 - making GDPR compliance measurable, auditable and certifiable
LOCS:23 STANDARD
The LOCS:23 Standard is a set of controls that are required to be in place to achieve LOCS:23 Certification.
The only certification standard for Legal Services approved by the ICO, LOCS:23 reflects best practice for protecting Client personal data whilst meeting UK GDPR requirements.
For the first time, compliance is measurable and auditable.
The LOCS:23 standard has 34 controls divided into 5 core areas:
1 ORGANISATIONAL AND CLIENT FILE GOVERNANCE
2 CLIENT RIGHTS
3 OPERATIONAL PRIVACY
4 THIRD-PARTY SERVICE PROVIDERS AND DATA SHARING
5 MONITOR AND REVIEW
The primary processing activity within the scope of this standard is:
Processing of Personal Data in the Client File.
Legal Service Providers that process Client data are likely to include in that Processing the Personal Data of the Client.
Client data, including any Personal Data, will be kept as a single electronic record of the Client engagement known as the ‘Client File’. As a consequence, Legal Service Providers must meet UK GDPR requirements, particularly in protecting the data and honouring the Client’s rights as a Data Subject. In addition, there are a number of sub-processes that are necessary to maintain the file as listed below in ‘Processing Activities in Scope’.
The LOCS:23 standard is applicable to any provider of Legal Services that wishes to be LOCS:23 certified and is able to demonstrate its application of Data Protection best practice.
The LOCS:23 standard controls are mapped to the UK GDPR requirements relating to the processing in scope to enable certified organisations to demonstrate compliance with UK data protection law.
Legal Service Providers, and their suppliers/Vendors/Solution providers, that have demonstrated compliance with the LOCS:23 standard are entitled to use the LOCS:23 logo on their promotional material once certified by a UKAS approved certification body.
Ensuring protection of Client data when shared, Legal Service Providers may use Data Processors and/or Sub-Processors in their supply chain to assist with or provide Processing services.
Legal Service Providers may also share Client data with other Legal Service Providers or Data Controllers. To ensure complete protection across the Legal Service supply chain, these should be included within scope where applicable.