New ICO standard set to become default requirement for legal sector

Orlagh Kelly, CEO of legal compliance business Briefed, has been granted authorization to implement LOCS:23, the ICO's inaugural sector-specific certification

A legal-sector standard recently approved by the Information Commissioner's Office (ICO) is expected to swiftly become the default requirement for law firms and chambers involved in public sector and other projects, according to a specialist barrister.

This development signifies that those engaged in and supplying the legal profession now have a clear benchmark for GDPR compliance.

Similar to the government-backed Cyber Essentials scheme, which assists organizations in safeguarding against common online security threats, Kelly predicts that public bodies will soon demand compliance with the LOCS:23 standard as a prerequisite for tendering for work. This trend is anticipated to extend to the private sector, particularly financial institutions, given the crucial role of GDPR compliance within supply chains.

As the standard encompasses any business handling client data, including digital dictation companies and IT service providers, it is likely to become a prerequisite for law firms and chambers' own supply chains.

Kelly emphasizes that many law firms and chambers have been diligently working towards GDPR compliance without a clear standard to follow. She asserts that achieving LOCS:23 certification may not be as daunting as it appears, as it essentially formalizes existing best practices.

She states, "It’s not asking you to do any more than you already should be doing; rather, it creates a framework to make sure you have every base covered."

The legal profession has faced challenges from the ICO in the past, notably in March 2022 when leading criminal law firm Tuckers was fined £98,000 following a ransomware attack exploiting its "negligent security practices." Kelly notes that this incident underscores that lawyers aren't granted special treatment due to their professional status.

While acknowledging that the standard won't prevent hackers from targeting lawyers, Kelly asserts that compliance will enhance protection and the ability to manage a data breach. It is also expected to serve as a significant mitigating factor during ICO investigations following a breach.

Recertification with the standard is mandated every three years, with evidence of annual training and auditing requirements forming a crucial part of the process.

Kelly acknowledges that upfront investment will be necessary for law firms and chambers to attain certification but emphasizes that it will ultimately reduce overall costs by demonstrating security to others and preventing costly breaches. She concludes, "The standard will rapidly become everyday business compliance in the legal sector."

Briefed is among the first specialist businesses authorized to assist law firms and chambers in preparing for LOCS:23 certification.