LOCS:23 Qualified Consultancy

“Stephanie Pritchett stands out for her dedication, pre-eminent knowledge and expertise. She is perfectly complemented by Ben Wootton who adds his commercial experience and savoir-faire. Together their advice surpasses that of others I know for its precision, simplification of complex issues and value. It makes them trusted advisers beyond compare.”

Quoted in The Legal 500 UK 2024

LOCS:23 Qualified Consultancy logo About LOCS:23

Interested in achieving compliance with LOCS:23? Not sure where to start or too much already to do? We can help!

What is LOCS:23?

In February 2024, the Legal Services Operational Privacy Certification Scheme, or LOCS:23 , was approved by the Information Commissioner’s Office ( ICO ). This new certification scheme is aimed at legal service providers – this includes law firms, solicitors, in-house lawyers, barristers, other providers of legal services and their supply chain partners who process the personal data of clients.

Processors and sub-processors within scope include, for example:

  • Software providers
  • Software-as-a-service ( SAAS ) providers
  • Infrastructure-as-a-service ( IAAS ) providers
  • Platform-as-a-service ( PAAS ) providers
  • External consultants
  • Service providers (e.g. translation, transcription and off-site storage)
  • Third-party legal service providers (e.g. barristers, law firms and notaries)

The LOCS:23 scheme addresses data protection compliance when processing personal data contained in the “Client File”. This includes data collected through the whole lifecycle of a client relationship – from marketing, the initial engagement with a client and providing advice, to closing and archiving the file.

+

Why should your organisation become LOCS:23 Approved or LOCS:23 Certified?

  • LOCS:23 is currently the only ICO-approved certification scheme for legal services providers.
  • Reassure your clients, stakeholders and other users of legal services that your organisation is compliant with the UK GDPR:

    • Your policies, processes and data protection training programme have been approved and/or certified by an independent organisation to ensure you process personal data in your client files in a compliant manner.
    • They can be confident that personal data provided will be protected, kept secure processed fairly and only kept as long as is necessary.
    • You recognise data subject rights and have the processes to enable them.
    • Your breach response processes have been assessed to confirm they have appropriate management and remediation controls so that relevant individuals are notified as soon as possible, and potential harm is minimised.
    • Your data sharing processes have been assessed to ensure personal data is only shared where lawful to do so and with the required protections in place. You maintain consistent standards through the legal supply chain.
    • You promote best practice and ensure your vendors and service providers do the same.
  • Gain competitive advantage and simplify procurement and tender processes. Certification will give confidence to users of legal services. It should also reduce time spent on lengthy data protection and third-party supplier questionnaires during their procurement processes. Even where not mandated, having the standard in place will no doubt ensure competitive advantage over other legal services providers and their supply chain who have not achieved the standard.
  • Maintain consistent standards through the legal industry. This LOCS:23 standard is expected to become an industry norm, and a requirement of public-sector organisations and larger corporate players commissioning legal services.
  • Simplify compliance with other standards such as Lexcel, ISO 27001, Cyber Essentials and Cyber Essentials Plus by having achieved an approved, measurable and auditable level of compliance with an ICO approved data protection standard.
  • Reduce penalties or enforcement action. Despite all your hard work, if a breach occurs, certification is likely to be taken into account as a mitigating factor, if you followed the scheme requirements and took all reasonable steps to prevent non-compliance.
  • Stay up to date with best practice. The LOCS:23 standard is updated with emerging ICO guidance and input from LOCS:23 fellows.
  • Meet GDPR Article 28 requirements when appointing a processor or sub-processor.
  • Ensures that the territorial scope of UK GDPR is recognised by non-UK based Legal Service Providers and their vendors/service providers.
  • Assist compliance with international data transfer rules. The certification may be referred to as a “supplemental measure” when assessing any cross-border transfers.
  • Reassure Professional Indemnity Insurers of your high standard of compliance, hoping to achieve reduced or lower levels of premium.
  • Take steps to protect your organisation from cyberattacks and reduce liability. Recently, there has been a huge increase in cyberattacks on legal services providers and their suppliers. Many firms handle large amounts of special category personal data (health and criminal conviction data for example), or highly confidential commercial and financial information). This makes firms and their supply chain targets for cyberattacks. Becoming LOCS:23 Approved/LOCS:23 Certified doesn’t stop attackers, but it should reduce their chances of success – through implementing a full suite of security measures, carrying out training, and testing in line with the LOCS:23 scheme. It should also help you to deal with and mitigate potential liability claims following such incidents, demonstrating that you had taken all reasonable data protection compliance steps to help avoid the incident occurring.
+

What is the process to become LOCS:23 Approved or LOCS:23 Certified?

The process can follow various paths and we are happy to tailor our approach to suit you:

  • Becoming “LOCS:23 Approved” by us as a LOCS:23 Qualified Consultancy.

    We will complete a gap analysis of your organisation against the LOCS:23 standard, highlighting any remedial work required. If you pass, we can issue “LOCS:23 Approved” status, which will show on the LOCS:23 register, and enable you to tell clients that you have demonstrated appropriate compliance with the UK GDPR.

    This will help you on your journey to full certification by ADISA if you decide to go down that route (see below). This route is less expensive and less labour-intensive for you. You may decide that achieving LOCS:23 Approved status is sufficient to meet your compliance aims.

  • Becoming “LOCS:23 Certified” by ADISA.

    If you decide to proceed through to the full certification by ADISA, you will need to make an application to ADISA. ADISA will request information on your organisation, including evidence of your own audit against the LOCS:23 standard. Before you submit your application to ADISA, we can help with that initial audit by completing a gap analysis and helping you to complete any remedial work that may be identified.

    ADISA will then complete an onsite visit, where they will dive deeper into how you have embedded the standard into your organisation’s compliance. They will recommend remedial work where appropriate. If you are successful, you will receive a certificate from ADISA and you will also appear in the national public register of LOCS:23 certified bodies. You can see who has already been certified here .

  • Becoming “LOCS:23 SFE Approved” by us as a LOCS:23 Qualified Consultancy.

    If you are a small firm, we can assess your data protection compliance against the streamlined “LOCS:23 SFE” standard.

    This is not approved by the ICO, or approved independently by ADISA, but mirrors much of the main LOCS:23 standard. This may suit you if you wish to keep compliance costs low, and still benefit from setting up your compliance structure in a standard format, which is easily comparable across the industry – and will facilitate a move to the full standard in the future.

+

We are a supplier to the legal industry – is the process any different?

  • The LOCS:23 standard includes a simplified set of requirements for businesses operating as processors. If you can show that you are a processor – for example, because you only process personal data on behalf of a controller such as a law firm or barrister – you can follow the processor pathway and become a “Certified Data Processor”.
  • Law firms and barristers are likely to require their suppliers to demonstrate compliance with LOCS:23 so that they can simplify their own procurement process, and give their own clients comfort that their entire supply chain is set up to support data protection compliance.
+

Why choose us?

Whether you’re a small start-up law firm or a multinational organisation, our friendly team of expert lawyers can help you get to grips with LOCS:23 and demonstrate that you have carried out independent audit and verification of your compliance levels.

We are a LOCS:23 Qualified Consultancy.

Pritchetts Law LLP is an approved LOCS:23 Qualified Consultancy and has a team of LOCS:23 Approved Implementers. This gives you comfort that we are qualified to advise on your LOCS:23 compliance. We are experienced data protection solicitors with specialist legal sector expertise.

Our Partners are specialist solicitors with over 20 years’ experience advising on data protection compliance, often to other organisations – large and small – in the legal sector.

Our status as an SRA-regulated law firm, not a consultancy, is one of many reasons why we’re the best choice to help your organisation with LOCS:23 approval and certification. You can find out more about the advantages of using a regulated law firm compared to other specialists here (including our advice being covered by legal privilege, we hold high levels of professional indemnity insurance, and have professional obligations of confidentiality).

+

We can help you achieve LOCS:23 Approved Status and prepare for final ADISA certification.

Our LOCS:23 Approved Implementors can:

  • Help you to assess your organisation’s current compliance levels against the LOCS:23 standard.
  • Provide consultancy support and advice to implement any recommendations and remedial actions.
  • Award LOCS:23 Approved status to your organisation.
  • Help you to apply for LOCS:23 Certified status from the certification body, ADISA.

Whether you’re a small start-up law firm or a multinational organisation, our friendly team of expert lawyers can provide you with advice on LOCS:23.

+

We’ll help you untangle the complexities of implementing the LOCS:23 standard.

The standard is lengthy, very detailed and requires evidence of relevant controls. We are best placed to help you understand what’s required practically, as we are experts with a proven track record in data protection compliance and working with the legal sector. Our solicitors can also advise you on where your legal compliance risks are, and how best to manage them. Our experience working with other organisations implementing the standard will help save you time and resources ‘reinventing the wheel’.

+

How we can help

Explore below to see how we can help your organisation.

Undertake a gap analysis against the LOCS:23 Standard.

Our first step involves discussing your current level of data protection compliance. We work with you to review your documentation and training programme.

Next, we identify any gaps between your current data protection measures and the requirements set out for LOCS:23 Approval. We conduct a review of all relevant documents, including policies, processes and details of your training programme.

Areas under scrutiny include:

  • Your data governance model.
  • Data subject rights.
  • Technical and operational controls to protect data, including Data Protection Impact Assessments (DPIAs), Records of Processing Activities (ROPAs) and breach notification processes.
  • Protections and safeguards in your supply chain.
  • Additional safeguards for third-party cross-border data sharing.

We have long-standing expertise in performing audits and gap analysis (see here) as well as over 20 years’ experience of working with legal services providers. We can help identify what is needed to meet the LOCS:23 standard, as well as identifying wider best practice.

+

Plug gaps and/or evidence compliance.

“The team at Pritchetts Law are all technically excellent, professional and brilliant to work with, but the best part of working with them, is that they listen to what you need and provide you with clear and relevant advice and solutions.”
Quoted in The Legal 500 UK 2023

+

Carry out a soft audit against the LOCS:23 Standard, and if successful, award you ‘LOCS:23 Approved’ Accreditation.

The LOCS:23 standard requires you to demonstrate that you are monitoring the implementation of LOCS:23 controls through the use of regular audits. We can help you carry out those audits at the outset and then annually, to check that you are continuing to meet required standards.

Following a successful audit, a LOCS:23 Approved Implementor at Pritchetts Law, itself a LOCS:23 Qualified Consultancy, will award you ‘LOCS:23 Approved’ status. This will allow you to use the official LOCS:23 Approved logo.

+

Assist you with your application to the certification body ADISA for you to seek LOCS:23 Certified status.

  • If you decide to proceed to full ADISA certification, we can help you with your application, and your LOCS:23 Approved’ status should help to streamline the work involved at this stage. For example, larger law firms will be billed by ADISA on a time spent basis. If you have already achieved the LOCS:23 Approved’ standard, this should significantly reduce those costs.
  • If you achieve the full ADISA LOCS:23 certification as either a “Certified Data Controller” or a “Certified Data Processor”, it will last for 3 years before you need to recertify.
  • To achieve re-certification, you will be expected to audit the organisation annually to ensure adequate training, policies and processes are in place. We can assist you to ensure that these audit and other processes are up to date, as well as preparing for any future recertification process.
+

Assist you to identify any crossover among standards.

There may be crossover among the LOCS:23 Standard and other relevant standards such as ISO 27001, Cyber Essentials, Cyber Essentials Plus and Lexcel. We can help you to identify where this is the case so that you avoid unnecessary duplication work and costs.

+

Carry out training on LOCS:23 and data protection compliance generally.

Our senior solicitors are experienced data protection trainers, so if you need help with getting your staff up to speed on the LOCS:23 standard or data protection compliance more generally, we can help with that too. The ICO will always expect you to have a high standard of training in place to help ensure compliance.

Contact our experienced trainers to find out more.

“Stephanie and Ben, the Pritchetts Law partners delivering the training, were superb presenters. They clearly had a great deal of practical experience and in-depth legal knowledge to deal with the queries we threw at them.”
Ceri Sharples, Learning & Development Manager, Somerset Bridge Shared Services Ltd

+

What’s out of scope of LOCS:23?

Any processing that is not related to the ‘Client File’ is out of scope of the LOCS:23 standard. This means any assessment based on LOCS:23 would not look at your data protection compliance in other key areas such as:

  • Processing your HR/employee data.
  • Your compliance with the Privacy & Electronic Communications Regulations (PECR), and wider guidance in relation to your direct marketing.
  • Processing of third-party supplier data.
  • Law enforcement processing subject to DPA 2018, Part 3.
  • Information Society Services processing.

LOCS:23 only deals with compliance with the UK data protection requirements. Your organisation must either operate in the UK, or deal with individuals in the UK. Processing of personal data subject to compliance with the law of other countries is out of scope.

A lot of organisations operate similar systems and processes across the organisation. If you would like to assess your wider data protection compliance outside the ‘Client File’, we can, of course, help with advice and auditing in relation to the areas outside the scope of LOCS:23 (see below).

Next steps

As specialist solicitors in this field, we can go the extra mile and help you with data protection matters that arise as a result of completing the LOCS:23 approval process.

  • Working with you to apply for final certification.

  • Reviewing your compliance with data protection regulations in the UK, EU and beyond.

    The work that your firm undertakes to secure LOCS:23 is not the end of the data protection road. You may need to improve specific areas of data protection, such as HR or your supplier setup. And what about your wider operational use of personal data, perhaps involving marketing or compliance by your worldwide group companies? We often do this kind of work for clients, so we are well-placed to help.

  • Helping you with regular annual audits.

    A fundamental requirement of the LOCS:23 standard, is to ensure that organisations annually audit themselves against the standard. We can support that process by streamlining the annual audits.

    An ADISA certification lasts for 3 years. The audit process will also help you build towards a successful renewal.

  • Designing and delivering data protection training.

  • Carrying out horizon scanning.

    We’re well-practised in looking to the future for our clients, and can alert you to likely changes to the LOCS:23 standard and data protection compliance in general.

  • Demonstrating that you have, as LOCS:23 states, a “robust and manageable accountability framework” that is measurable and auditable.

What will it cost?

We can provide as much or as little support as you need.

We scale our fee to your requirements, and the extent of maturity and general level of data protection risk of your business.

Contact us to discuss your requirements and find out more.

Contact Us

Get in Touch

Pritchetts Law LLP
Hillside
35 Westbury Hill
Bristol
BS9 3AG
United Kingdom

+44 (0) 117 307 0266
info@pritchettslaw.com

Make an Enquiry

Please provide your details, and a brief summary of your enquiry, and one of our team will be in touch.

Pritchetts Law LLP is a Limited Liability Partnership registered in England and Wales (company no. OC413975) and authorised and regulated by the Solicitors Regulation Authority (SRA no. 647155). "Partner" refers to a member of Pritchetts Law LLP.
© Copyright 2024 Pritchetts Law LLPWeb Design By Toolkit Websites