LOCS:23 is a UK GDPR certification approved by the UK ICO and announced on 13 February 2024 under Article 42 of UK GDPR, allowing you to become ‘UK GDPR certified’.
It’s the first set of ICO-approved certification criteria for Legal Service Providers and their processors. At its heart is the LOCS:23 standard – for which Keepabl is the Exclusive Approved Privacy Management Software. As the ICO Deputy Commissioner, Emily Keaney, said in their announcement:
Legal service providers such as law firms and barristers’ chambers process large amounts of sensitive personal data. Signing up to this certification scheme will provide them with certainty that they are adhering to data protection standards and reduce time and resource spent assessing third party data processors.
It will also reassure their clients they are committed to looking after their personal details and have strong information security in place.
Absolutely! Article 42 of UK and EU GDPRs both allow for:
the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors
As the UK ICO itself states: ‘Certification is a way to demonstrate your compliance with the UK GDPR and enhance transparency.’
Get certified and you’ll be able to tell customers you’re UK GDPR-Certified, and share your official certificate or mark with them to prove your certified status. And while regulator-approved certifications like LOCS:23 do not reduce your responsibility for compliance with UK GDPR, certification brings with it a ton of benefits.
Let’s hear this from the ICO in their own words, with our emphasis added:
‘Certification is a way of demonstrating that your processing of personal data complies with the UK GDPR requirements, in line with the accountability principle. Certification can help demonstrate data protection in a practical way to businesses, individuals and regulators. Your customers can use certification as a means to quickly assess the level of data protection of your particular product, process or service, which provides transparency both for data subjects and in business to business relationships.
The UK GDPR says that certification is also a means to:
The ICO also, rightly, notes that obtaining certification can also help you to:
That’s right: Article 83(2) UK GDPR expressly states that the ICO has to take certain factors into account when deciding whether to impose an administrative fine and how large that fine should be, and adherence to an approved certification mechanism is one of those factors.
At the heart of the certification is the LOCS:23 standard which, if you’re familiar with standards such as ISO 27001, you’ll know your way around very quickly.
See the ICO’s Certification Scheme Register entry for LOCS.
Get the LOCS:23 Standard for FREE from the UK ICO’s website.
LOCS stands for Legal Services Operational Privacy Certification Scheme. It’s a controls-based way to operationalise and maintain your UK GDPR governance.
LOCS:23 is for Legal Service Providers, and their processors.
GDPR certifications aren’t general-purpose like ISO 27001; they have to focus on a particular processing arena. LOCS:23 covers the processing of Client Data by Legal Service Providers and their processors. It sets out the technical and organisational requirements for activities concerned with the processing of personal data when maintaining client files.
So it doesn’t cover HR data for example. It’s all about the processing of Client Data – the data most important to your clients.
LOCS:23 covers both controllers and processors, which is great, as solution providers can prove to Legal Service Providers that they’re compliant for processing Client Data.
The LOCS:23 standard has 34 controls divided into 5 core areas:
Not at all; in fact, GDPR states that certifications must be voluntary.
GDPR certifications are issued by ‘certification bodies’ on the basis of criteria approved by the competent supervisory authority (under UK GDPR, that’s the ICO). Regulators can issue certificates, but the ICO leaves it to the independent certification bodies.
The certification body for LOCS:23 is ADISA. Not just anyone can certify you against a UK (or EU) GDPR standard. Each GDPR states that certification bodies must have:
Certification is issued for a maximum of three years and can be renewed if you continue to meet the scheme’s requirements.
The Scheme Owner (the creator) of the ICO-approved LOCS:23 certification scheme is 2twenty4 Consulting Ltd.
It’s the usual steps to a controls-based certification:
Keepabl is proud to have been appointed the Exclusive Approved Privacy Management Software for LOCS:23!
We’ve prepared a crosswalk to the LOCS:23 standard’s controls to show you how we’ve got you covered.
Contact us for a demo to bring Keepabl’s intuitive online Privacy solution to your LOCS:23 journey.