Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

UK: ICO publishes Legal Services Operational Privacy Certification Scheme

On February 1, 2024, the Information Commissioner's Office (ICO) published the Legal Services Operational Privacy Certification Scheme (the LOCS: 23 Standard) which is designed to enable legal service providers to demonstrate compliance with the UK General Data Protection Regulation (UK GDPR) when handling client data. To this end, the LOCS:23 Standard outlines specific obligations and best practices for managing, processing, and protecting client data.

Obligations for legal service providers

To protect client data throughout its lifecycle, the LOCS:23 Standard states that legal service providers must, among other things:

  • have robust data protection policies and procedures in place - this includes documenting processes for handling personal data, ensuring data accuracy, and regularly reviewing data protection measures;
  • have a defined process for managing data subject rights requests, such as access, rectification, and erasure requests;
  • report high-risk breaches to impacted clients quickly and maintain a register of all personal data breaches;
  • implement technical and organizational security measures such as encryption, and role-based access controls;
  • require third parties working with legal service providers to provide an equivalent level of data protection; and
  • ensure that adequate safeguards are in place to protect personal data that is transferred outside the UK.

The LOCS:23 Standard also provides examples and best practices to help organizations implement data protection controls including guidance on how to maintain an internal audit schedule, conduct Data Protection Impact Assessments (DPIAs), and ensure that Privacy by Design is integrated into all processes.

Certification process

To achieve certification under the LOCS:23 Standard, an organization must document an internal audit review process and establish a Control Audit Schedule covering all areas indicated by the LOCS:23 Audit References. The organization should then conduct annual data protection audits, document findings, and recommendations, and ensure management reviews and approves the audit report. Finally, the organization should present the audit report to an external auditor to complete the certification process.

You can read the press release here and the LOCS:23 Standard here.