The Information Commissioner’s Office (ICO) has today (13 February) formally approved a certification scheme aimed at UK legal service providers who process personal data.
Certification schemes were introduced under the UK GDPR to help organisations demonstrate compliance with data protection requirements and, in turn, inspire trust and confidence in the people who use their products, processes and services.
Emily Keaney, ICO Deputy Commissioner, said: “Legal service providers such as law firms and barristers’ chambers process large amounts of sensitive personal data. Signing up to this certification scheme will provide them with certainty that they are adhering to data protection standards and reduce time and resource spent assessing third party data processors.
“It will also reassure their clients they are committed to looking after their personal details and have strong information security in place.”
The Legal Services Operational Privacy Certification Scheme is the fifth set of UK GDPR certification criteria that the ICO has approved.
It follows four others that have been successfully approved and published on the ICO website: one offering secure re-use and disposal of IT assets, two looking at areas including age assurance and children’s online privacy, and one aimed at training and qualification service providers.
Commenting on the new certification, Orlagh Kelly, CEO of legal compliance business Briefed, said tech suppliers to the legal industry could get left behind if they do not adopt it.
“The good news is that most tech companies have been working hard to comply with GDPR, albeit without knowing what level to reach,” said Kelly. “That means achieving certification may not be as daunting as it first appears when reading the 80 pages of requirements.
“It’s not asking them to do any more than they already should be doing; rather, it creates a framework to make sure you have every base covered.”
While the standard will not stop hackers targeting lawyers, Kelly said that complying with it will ensure they are better protected and more able to manage a data breach. “It will also be a major mitigating factor in the event of a breach and an ICO investigation,” she said.
Recertification with the standard is required every three years, but part of that process will be providing evidence that training and auditing have been carried out every year, which Kelly observes will strengthen the relationship between legal businesses and their tech suppliers.