The Legal Services Operational Privacy Certification Scheme (LOCS:23) aims to assist law firms and barristers’ chambers in fulfilling their UK GDPR obligations while providing evidence to clients that their data is properly and legally protected. Certification to LOCS:23 offers several advantages, including:

1. Protection against ICO enforcement and fines
2. Competitive advantage for winning more work
3. Reduced data breaches and associated costs
4. Universally recognised compliance
5. Streamlined procurement processes with improved tender chances

It’s likely that public bodies will soon require LOCS:23 compliance as a precondition for tendering work. Given the paramount importance of GDPR compliance in today’s supply chain landscape, many private sector businesses are expected to follow suit. Additionally, law firms and chambers’ own supply chains may require LOCS:23 compliance, as the standard applies to any business handling client data.

Application Submission:

When your organization believes it’s ready, submit a formal application for either data controller or data processor certification.

Stage 1 Certification Agreement and NDA:

Upon receiving the application, we set up a Certification Agreement and a non-disclosure agreement (NDA) to formalize the partnership. We Inform the UK Information Commissioner’s Office (ICO) for validation, and after document submission and fee payment, your application is approved. You will then receive a Scheme Manual that provides detailed guidance on the certification process, including standard criteria, evidence requirements, and compliance examples.

Pre-Audit Assessment:

An auditor reviews your application’s scope and parameters. They discuss the internal audit based on Standard 8.5.1 with you and confirm your organisation’s current status. Non-compliance at this stage doesn’t hinder progress; compliance plans will be discussed. The auditor details the application, confirms operational scope, identifies key personnel and systems as well as address any certification process queries. Together, you plan the audit schedule, including a tentative date for Stage 2 if you’re ready.

Stage 2 Audit Process (Three Stages):

• • Remote Review: Auditors assess necessary documents for standard conformance via a secure SharePoint site.
  • On-Site Audit: Conducted at your business’s main operational site, with a pre-shared schedule to ensure stakeholder availability.
  • Reporting

3. Certification: Post-review, auditors compile an audit report assessing each criterion. Full conformance is required for certification. Auditors may request extra evidence or clarifications. Successful audits result in certification, while non-conformances must be addressed before certification is granted.