LOCS:SFE STANDARD

The LOCS:SFE (small firm edition) Standard is a set of controls taken from the UK GDPR compliant LOCS:23 standard. The SFE standard is designed to meet UK GDPR compliance in a less onerous, cost-effective way by removing any additional requirements, including certification.

 

As a consequence, organisations can be 'Accredited' (by a LOCS Approved Implementor) but not 'Certified' by a Certification Body.

The primary processing activity within the scope of this standard is:

 

Processing of Personal Data in the Client File.

 

Legal Service Providers that process Client data are likely to include in that Processing the Personal Data of the Client.

 

Client data including any Personal Data will be kept as a single electronic record of the Client engagement known as the ‘Client File’. As a consequence, Legal Service Providers must meet UK GDPR requirements particularly in protecting the data and honouring the Client’s rights as a Data Subject. In addition, there are a number of sub-processes that are necessary to maintain the file as listed below in ‘Processing Activities in Scope’.

 

The LOCS:23 standard is applicable to any provider of Legal Services that wishes to be LOCS:23 certified and is able to demonstrate its application of Data Protection best practice.

 

The LOCS:23 standard controls are mapped to the UK GDPR requirements relating to the processing in scope to enable certified organisations to demonstrate compliance with UK data protection law.

Legal Service Providers, and their suppliers/Vendors/Solution providers, that have demonstrated compliance with the LOCS:23 standard are entitled to use the LOCS:23 logo on their promotional material once certified by a UKAS-approved certification body.

 

Ensuring protection of Client data when shared

Legal Service Providers may use Data Processors and/or Sub-Processors in their supply chain to assist with or provide Processing services.

 

Legal Service Providers may also share Client data with other Legal Service Providers or Data Controllers. To ensure complete protection across the Legal Service supply chain, these should be included within scope where applicable.

Legal Service Providers are obliged to ensure the privacy and security of Client Personal Data when selecting and using third-party service providers or sub-processors.

The LOCS:23 SFE standard has 34 controls divided into 5 core areas:

1 ORGANISATIONAL AND CLIENT FILE GOVERNANCE

2 CLIENT RIGHTS

3 OPERATIONAL PRIVACY

4 THIRD-PARTY SERVICE PROVIDERS AND DATA SHARING

5 MONITOR AND REVIEW

The LOCS:23 SFE STANDARD IS AVAILABLE FREE OF CHARGE 