LOCS:23, the ICO-approved UK GDPR Certification

LOCS:23 is a UK GDPR certification approved by the UK ICO and announced on 13 February 2024 under Article 42 of UK GDPR, allowing you to become ‘UK GDPR certified‘.

It’s the first ICO-approved certification criteria for Legal Service Providers and their processors. At its heart is the LOCS:23 standard – for which Keepabl is the Exclusive Approved Privacy Management Software. As the ICO Deputy Commissioner, Emily Keaney, said in their announcement:

Legal service providers such as law firms and barristers’ chambers process large amounts of sensitive personal data. Signing up to this certification scheme will provide them with certainty that they are adhering to data protection standards and reduce time and resource spent assessing third party data processors.

It will also reassure their clients they are committed to looking after their personal details and have strong information security in place.

Wait … UK GDPR-certified? They do that?

Absolutely! Article 42 of UK and EU GDPRs both allow for:

As the UK ICO itself states: ‘Certification is a way to demonstrate your compliance with the UK GDPR and enhance transparency.‘

Get certified and you’ll be able to tell customers you’re UK GDPR-Certified, and share your official certificate or mark with them to prove your certified status. And while regulator-approved certifications like LOCS:23 do not reduce your responsibility for compliance with UK GDPR, certification brings with it a ton of benefits.

The Benefits of Certification

Compliance benefits

Let’s hear this from the ICO in their own words, with our emphasis added:

‘Certification is a way of demonstrating that your processing of personal data complies with the UK GDPR requirements, in line with the accountability principle. Certification can help demonstrate data protection in a practical way to businesses, individuals and regulators. Your customers can use certification as a means to quickly assess the level of data protection of your particular product, process or service, which provides transparency both for data subjects and in business to business relationships.

The UK GDPR says that certification is also a means to:

• demonstrate compliance with the provisions on data protection by design and by default (Article 25(3));
• demonstrate that you have appropriate technical and organisational measures to ensure data security (Article 32(3)); and
• to support transfers of personal data to third countries or international organisations (Article 46(2)(f)).‘

Commercial benefits

The ICO also, rightly, notes that obtaining certification can also help you to:

• ‘be more transparent and accountable – enabling businesses or individuals to distinguish which processing activities, operations and services meet UK GDPR data protection requirements and they can trust with their personal data;
• have a competitive advantage;
• create effective safeguards to mitigate the risk around data processing and the rights and freedoms of individuals;
• improve standards by establishing best practice;
• help with international transfers; and
• mitigate against enforcement action.’

That’s right, Article 83(2) UK GDPR expressly states that the ICO has to take into account certain factors when deciding whether to impose and administrative fine and how big that fine should be, and adherence to an approved certification mechanism is one of those factors.

The LOCS:23 Standard

At the heart of the certification is the LOCS:23 standard which, if you’re familiar with standards such as ISO 27001, you’ll know your way around very quickly.

See the ICO’s Certification Scheme Register entry for LOCS. 

Get the LOCS:23 Standard for FREE from the UK ICO’s website.

Why is it called LOCS?

LOCS stands for Legal Services Operational Privacy Certification Scheme. It’s a controls-based way to operationalise and maintain your UK GDPR governance.

Who is it for?

LOCS:23 is for Legal Service Providers, and their processors.

• Legal Service Providers means any provider of legal services such as law firms and barristers.
• Processors includes technology vendors and solution providers who process Client Data for Legal Service Providers.

What processing does LOCS:23 cover?

GDPR certifications aren’t general like ISO 27001, they have to focus on a particular processing arena. LOCS:23 covers the processing of Client Data by Legal Service Providers and their processors. It sets out the technical and organisational requirements for activities concerned with the processing of personal data when maintaining client files.

So it doesn’t cover HR data for example. It’s all about the processing of Client Data – the data most important to your clients.

Does it just cover controllers?

LOCS:23 covers both controllers and processors. Which is great, as solution providers can prove to Legal Service Providers that they’re compliant for processing Client Data.

How is LOCS:23 structured?

The LOCS:23 standard has 34 controls divided into 5 core areas:​

1. Organisational and Client File Governance
2. Data Subject Rights
3. Operational Privacy
4. Third Party Service Providers and Data Sharing
5. Monitor and Review

Is certification compulsory?

Not at all, in fact GDPR states that certifications must be voluntary.

Who can certify us against LOCS:23?

GDPR certifications are issued by ‘certification bodies’ on the basis of criteria approved by the competent supervisory authority (under UK GDPR, that’s the ICO). Regulators can issue certificates, but the ICO leaves it to the independent certification bodies.

The certification body for LOCS:23 is ADISA. Not just anyone can certify you against a UK (or EU) GDPR standard. Each GDPR states that certification bodies must have:

• ‘an appropriate level of expertise in relation to data protection‘,
• ‘demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the [ICO]‘, and
• ‘demonstrated, to the satisfaction of the [ICO], that their tasks and duties do not result in a conflict of interests‘.

How long does certification last?

Certification is issued for a maximum of three years and can be renewed if you continue to meet the scheme’s requirements.

Who created LOCS:23?

The Scheme Owner, the creator, of the ICO-approved LOCS:23 certification scheme is 2twenty4 Consulting Ltd.

How do we get certified?

It’s the usual steps to a controls-based certification:

1. First, get yourself a FREE copy of the LOCS:23 standard off the ICO website and become familiar with the standard, and informally (or however formally) take a look at how you currently measure up.
2. If you want some support, you can look at the LOCS:23 website, which has a wealth of information to help with planning for a LOCS:23 certification, such as engaging with an ‘Approved Implementor’ or ‘Qualified Consultancy’ to help with an ‘initial gap analysis followed by policy, process and accountability updates to meet the standard’.
3. Subscribe to Keepabl of course! We’re the exclusive approved Privacy Management Software and we can get your governance up and running, online and intuitive, in no time.
4. When you’re ready, decide on going for Approval or Certification and your LOCS:23 advisor will help you through.
5. Once you’ve reached certification, then it’s a case of maintenance and making sure you’re sailing along nicely, ready for the re-certification in 3 years.

How Keepabl supports you with LOCS:23 certification

Keepabl is proud to have been appointed the Exclusive Approved Privacy Management Software for LOCS:23!

We’ve prepared a crosswalk to the LOCS:23 standard’s controls to show you how we’ve got you covered.

Contact us for a demo to bring Keepabl’s intuitive online Privacy solution to your LOCS:23 journey.