Data security: Certification should help with clients
A leading law firm has become the first to obtain the new legal services-specific data protection certification approved by the Information Commissioner’s Office (ICO).
Jane Whitcombe, senior legal counsel at Osborne Clarke, said the certification process had allowed the practice to “take a step back and look at everything holistically”.
The ICO said the aim of the Legal Services Operational Privacy Certification Scheme or LOCS:23, launched in February, was to provide law firms, chambers and others with “certainty” when processing personal data and reassure clients that lawyers had “strong information security” in place.
The largest chambers in Wales, 30 Park Place in Cardiff, was the first legal services provider to be certified.
Ms Whitcombe said that like the chambers, Osborne Clarke took part in a pilot of the process and was able to make comments, for example on flexibility, that could help development of the latest version.
The firm was approached to join the pilot in September last year and certified under LOCS:23 last month.
“I’m confident that our data processing is robust and in line with the GDPR, but it’s good to get a third-party view. You can take a step back and look at everything holistically.”
Ms Whitcombe, a solicitor, said she had moved from being a commercial lawyer and working directly with clients at the law firm to becoming a senior legal counsel and specialising in risk and compliance.
She said that any large business was required to ensure that its clients’ data was safe when it was received.
New clients had to assure themselves about a full range of issues, from anti-money laundering and conflicts of interest, to data protection and information security
She said pointing to an independent certification like LOCS:23 helped “make the process more efficient and our responses more compelling and evidence-based”.
Ms Whitcombe said it could complement the ISO 27001 information security certification the firm had been using for a number of years.
The main challenge in obtaining LOCS:23 was the time it took and the “information-gathering” involved.
“I had go into aspects of the more technical and cyber-based aspects of GDPR compliance that were not really my comfort zone, and get help from my more technical colleagues.”
She said the process involved members of the firm’s internal IT, information security, business continuity and risk management teams, and had helped identify opportunities to improve internal processes and procedures.
Ms Whitcombe said she had not been contacted by any other law firms interested in getting LOCS:23 certification but she was aware that others were thinking of going through the process.
“It would be really welcome if that did happen as this gains traction and publicity. It would be great if it becomes an industry standard that our clients can rely on.”
Orlagh Kelly, barrister and chief executive of legal compliance business Briefed, which was itself certified earlier this year under LOCS:23, said last month that she was working with eight sets of chambers on certification and several law firms, and having conversations with “several dozen” others about when they would apply.
Leave a Comment