Your guide to LOCS:23 | What you need to know

What is LOCS:23?

Recently approved by the Information Commissioner's Office (ICO), LOCS:23 is a certification that proves a legal service provider or solution partner is compliant with UK GDPR.

By achieving LOCS:23 certification, legal firms validate their practices against a robust security framework that tests their ability to protect sensitive information. This certification indicates a strong privacy and data security culture that impacts every aspect of a company’s operations. 

Why LOCS:23 matters

For law firms, achieving LOCS:23 is key to:

  • Reducing risk — becoming certified helps you identify and address potential data protection risks, reducing the likelihood of breaches and associated costs.
  • Securing a competitive advantage — LOCS:23 compliance shows that you keep pace with change and are a leader in data protection.
  • Boosting your reputation — compliance acts as tangible evidence of your firm’s commitment to safeguarding client data, enhancing client trust and loyalty.
  • Improving operational efficiency — improved data management practices drive efficiency in how you handle sensitive information.

How to become LOCS:23 certified

As data controllers, legal service providers are eligible for LOCS:23 certification. This includes law firms, solicitors, and legal advisors. As data processors, the solution partners providing support services to legal firms are also eligible, including IT and data management vendors.

The LOCS:23 application process

The LOCS:23 website has a list of approved consultancies and solutions that can assist you in achieving compliance. Generally, the application process involves the following five steps:

  • Perform a self-assessment — download the LOCS certification standards to learn what data controls are required. Then review your current data protection practices against the LOCS:23 criteria to identify any gaps.
  • Prepare to meet LOCS:23 requirements — implement any necessary changes or improvements to meet the certification requirements.
  • Submit required documentation — compile and submit evidence of your UK GDPR compliance and data protection practices as specified by the LOCS:23 framework.
  • Undergo audit — an accredited LOCS:23 assessor will evaluate your compliance.
  • Receive certification — upon completion of a successful audit, you will be awarded the LOCS:23 certification, recognizing your adherence to UK GDPR and commitment to data protection.

Preparing for LOCS:23 certification

Achieving LOCS:23 compliance can feel overwhelming. The process is simpler when broken down into steps. When building your plan, consider:

When did you last review your policies?
Ensure your data protection policies are up to date with the UK GDPR and aligned with the specific requirements of LOCS:23. If not, revise your privacy notices, data handling procedures, and consent mechanisms. 

How do you handle data?
Carefully examine data flows within your organization; this includes everything that happens to data from collection to destruction. Ensure that you are only collecting data that's necessary, storing it securely, and using it for the intended purposes. Identify any potential vulnerabilities and implement measures to minimize risks. 

What security measures are in place?
In addition to data protection policies, what technical and organizational measures exist to protect the data you handle? For example, what are your encryption practices, access controls, and incident response plans? With the evolving nature of cyber threats, ensure your security measures are robust, up-to-date, and capable of protecting data against both unauthorized access and human error. 

How do you keep security top of mind for people?
Team members should understand UK GDPR and LOCS:23 requirements. They should also understand the importance of data protection and know how to handle data securely. Training and awareness programmes should cover both the legal aspects of data protection and practical steps for maintaining privacy and security in day-to-day operations. 

How do you maintain detailed records of your activities?
Keeping detailed records of your data processing activities is a requirement under UK GDPR and a critical aspect of demonstrating compliance with LOCS:23. These records serve as evidence of your compliance efforts and can be invaluable during audits or inspections.

The important role of email security in LOCS:23 compliance

Email is a vital tool for legal firms, serving as a primary means of sharing sensitive information between attorneys, clients, and other stakeholders. However, email brings inherent risks. Simple mistakes, such as sending an email to the wrong recipient, can lead to serious data breaches, compromising client confidentiality and violating data protection regulations. The reality is that no matter how well-trained or cautious, individuals can — and do — make mistakes. 

In addition, email alone does not provide the appropriate levels of encryption or the essential security tools and functionality needed to ensure the safe passage of information from point A to point B.

For example, M365 and Gmail enforce file size limits, so when employees need to send a large attachment, they are often required to use third-party file transfer platforms, which often fall short of data protection legislation.

In addition, traditional email clients make recalling emails or restricting access to email contents impractical or nigh on impossible, and both are fundamental tools for data handlers.

Ensuring robust email security that protects data and prevents human error is a critical component of achieving LOCS:23 compliance. Enhancing existing email clients with advanced security tooling is a simple way of preventing data loss events and protecting data, without introducing additional communication suites to your tech stack.

When searching for an email security solution, look for features like:

  • Real-time alerts to sensitive information — your security tool should analyze email content in real time, prompting users to send information securely and to the correct recipients.

  • Access controls like multi-factor authentication — enable senders to specify who can access information and under what conditions.

  • Message encryption — ensuring emails and attachments are encrypted, safeguarding the confidentiality and integrity of sensitive information during transmission.

  • Audit trails — detailed logs of email communications, ensuring that firms have comprehensive records for compliance auditing and reporting.

  • Email recall and expiration controls — preventing access to emails after they’ve been sent. Some tools enable you to see if emails or attachments have been opened before you revoke access. 

The first step towards LOCS:23 compliance

LOCS:23 is an opportunity for legal firms to demonstrate their compliance with UK GDPR and showcase their commitment to protecting their clients’ data. Alongside improving data security, achieving compliance helps firms reduce risk and secure a competitive advantage.

Central to achieving LOCS:23 certification is improving your email security, and we’re here to support you in doing exactly that. Our comprehensive email security solution safeguards data and prevents human error. We’ve already helped over 1,000 law firms secure their email communications. Get a personalized demo to see how Zivver can meet the needs of your organization.

Last updated - 09/04/24