Cyber LOCS: Expert technical support for GDPR certification and AI compliance

LOCS:23, the first and currently only ICO certification scheme for legal services was launched in 2024. Since then, the first law firms, chambers and legal tech providers have successfully certified with many more either having booked in audit dates or started on the journey to certification.

12 March 2025 saw the final milestone in the development of the standard achieved as UKAS awarded approval to the Certification Body ADISA, enabling them to officially announce the recent certifications for Muckle LLP and The 36 Group Chambers as well as open application for new certifications.

LOCS:23 now sits alongside ISO 27001 and Cyber Essentials forming the ‘golden triangle’ for client data protection.

The LOCS:23 standard has five core modules that cover full UK GDPR requirements including governance, accountability, data subject rights, operational privacy and continuous improvement. It serves as the operational component of a robust data protection framework, encompassing both information security and cybersecurity compliance requirements.

The standard covers a range of aspects from policy to practice, including the implementation of multi-factor authentication, encryption, and secure information sharing, alongside other essentials.

The recent surge in AI usage has highlighted the significance of a firm’s data protection practices while also underscoring the need for technical safeguards to support this. For many firms, AI has become the most likely future cause for financial penalty or reputational damage with user error and insufficient or poorly configured technology protections posing the greatest risks. Whilst many of these organisations have internal data protection knowledge it is typically only the larger organisations that also have cyber expertise. As a consequence, many seek external validation of their compliance efforts.

For this reason and to assist those firms looking to prepare for LOCS:23 certification, we have partnered with Oyster IMS to provide Cyber LOCS; to enable compliance with relevant LOCS:23 security controls, while also offering the broader protections that firms require to safeguard client data effectively.

Josef Elliott, Managing Director of Oyster IMS commented:

“We are delighted to be a part of the Cyber LOCS program. I have known Tim Hyman for many years, and he has worked hard with the regulator to develop the LOCS:23 scheme and bring it to market. It is perfect for us as it brings together our data protection services and our information security offering under the leadership of David Francis, a specialist in both of these areas. I really feel that LOCS:23 will proliferate throughout the legal services industry and we at Oyster IMS look forward to helping as many organisations as we can to achieve the certification.”

LOCS:23 is an ICO-approved certification under Article 42 of the UK GDPR. It consists of a set of data protection controls that can be measured against, audited and certified. The standard is available to download at no charge from the ICO website. Designed to protect client data throughout its lifecycle, the standard has two certification streams, one for Data Controllers (law firms, barristers) and one for Data Processors (Chambers, Legaltech providers).

Oyster IMS is a consultancy-led business providing professional services in the areas of Data Protection, Information Governance and Information Security. Founded in 2003 specifically to provide organisations with a way to manage the increasing volume, variety and velocity of information coming under their management. Since then, business has grown to provide consulting, technology and managed service solutions to organizations small and large across the UK, Ireland, Europe and the Middle East.

From our offices in London and Dublin, we help clients to create, capture, store, manage, share and preserve their information and data in a secure, compliant and cost-effective fashion