What is certification?
Art 42 of the UK GDPR provides for the creation of official certification schemes that will be recognised by the local Supervisory Authority (in this case the Information Commissioner's Office).
ICO certification requirements include:
-
UK GDPR - The standard must meet all UK GDPR requirements.
-
SCOPE - The standard must have a defined scope that relates to a specific processing activity.
-
PRACTICAL - formulated in such a way that they are clear and allow practical application.
-
AUDITABLE - objectives must be specified along with how they can be achieved so as to demonstrate compliance.
-
RELEVANT - to the target audience.
-
INTEROPERABLE - with other standards such as ISO 27001.
-
SCALABLE - for use by different sized organisations.
Further ICO guidance on the benefits of certification can be found here.
LOCS:23 has been approved by the ICO as the official certification for Legal Service Providers.
LOCS is an acronym for:
Legal Services Operational Privacy Certification Scheme
LOCS:23 Scope
The primary processing activities within the scope of this standard are:
-
Processing of Personal Data in the Client File
-
Ensuring protection of Client data when shared
(the full scope can be seen in the LOCS:23 Standard).
Who Should certify?
For smaller firms the LOCS:SFE standard may be more suitable.
Only Approved Implementors or Qualified Consultancies can award LOCS:SFE Approved status based on a successful audit.
Prior to full certification, an organisation can promote the fact it is ready by becoming LOCS:23 Approved.
Only Approved Implementors or Qualified Consultancies can award LOCS:23 Approved status based on a successful audit.
