The ICO-approved GDPR certification scheme for legal services.
Every organisation that has achieved LOCS:23 certification has been supported by Briefed. We know the standard from the inside, with Briefed certified as a legal services supplier twice, and use that first-hand expertise to guide each client.
ADISA is the independent, UKAS-accredited certification body for LOCS:23. Accredited to ISO 17065, ADISA's audit process is verified by UKAS through twice-yearly surveillance audits, ensuring the certification is rigorous, impartial, and consistent. Every organisation that has achieved full certification to date was guided there by Briefed.
What LOCS:23 is and why it matters for the Bar.
The Legal Services Operational Privacy Certification Scheme (LOCS:23) is the first GDPR certification standard approved by the ICO specifically for the legal sector. Certification requires a thorough independent audit by ADISA against an 85-page standard covering data governance, subject rights, operational privacy, third-party management, and ongoing monitoring.
For barristers' chambers, it provides a recognised, independently audited, sector-specific standard that tells clients, regulators, and the BSB that your data protection practices have been externally verified. That carries weight in a way that internal policies alone do not.
Certification at a glance
6 to 10 weeks to certification-readiness
Depending on size and current position
3-year certification
With annual reviews to maintain status
85-page standard
Covering five compliance strands
Independently audited by ADISA
Not self-assessed. Externally verified.
Why chambers are pursuing LOCS:23 now.
Reduce ICO enforcement risk
An independently audited compliance standard provides documented evidence to help you mitigate against ICO enforcement action.
Win more work
Public sector clients and large organisations increasingly require evidence of data protection compliance in procurement. LOCS:23 is a recognised standard that simplifies that considerably.
Clearly evidence compliance
GDPR compliance is often asserted but rarely evidenced with rigour. LOCS:23 provides an independently verified benchmark, not a policy on paper that nobody has tested.
Mitigate data breach exposure
The certification process identifies and addresses operational privacy gaps before they become incidents.
The full certification journey.
LOCS:23 certification involves five stages. Briefed guides your organisation through the first two implementation stages, then ADISA independently audits and certifies you. The typical end-to-end timeline is 10 to 16 weeks: 6 to 10 weeks of implementation, followed by ADISA's Stage 1 and Stage 2 audits.
Free consultation
We explain the standard, assess your eligibility and current compliance position, agree timelines, and review your existing documentation. No obligation.
No chargeGap analysis and implementation
We identify gaps against the 85-page standard, implement missing measures, draft or update policies, deploy LOCS:23 approved training, and prepare you for audit.
4–8 weeks typicalADISA Stage 1 audit
ADISA reviews your application and assesses your internal audit against the full LOCS:23 criteria. A documentation review to confirm readiness for the formal certification audit.
Independent auditADISA Stage 2 audit
The formal certification audit: a review of your compliance documents and an on-site assessment to determine how data protection compliance is embedded in your organisation in practice.
On-site visitCertification and ongoing support
Certified status is granted for three years, with annual reviews to maintain it. Briefed provides ongoing training, advisory, and support through each annual review.
3-year certificationAbout ADISA
ADISA is the independent, UKAS-accredited certification body that audits organisations against the LOCS:23 standard. Accredited to ISO 17065, ADISA's audit process is verified by the UK Accreditation Service through twice-yearly surveillance audits. Briefed is the implementation partner: we prepare your organisation for the audit. ADISA independently certifies it.
What LOCS:23 certification covers.
The 85-page standard is structured around five compliance strands, each independently assessed by ADISA.
Organisational and client file governance
A robust governance model for client file management, covering how data is created, stored, accessed, transferred, and deleted.
Data subject rights
A demonstrable process for managing and responding to the full spectrum of data subject rights within required timelines.
Operational privacy
Robust technical and organisational security measures, covering data security, breach response, privacy by design, and GDPR principles in practice.
Third-party and data sharing
Evidence that all third parties handling data on your behalf offer equivalent data protection — including supplier assessments and DPAs.
Monitor and review
A documented process of regular review to identify and address compliance gaps, ensuring the standard is maintained over time.
Approved training, part of every certification we have supported.
GDPR training for all relevant staff is a required component of LOCS:23 certification. Briefed's training suite is LOCS:23 approved and has formed part of every successful certification we have supported. Organisations do not need to source training separately.
Implementation and approved training from the same team, validated against the standard from the inside.
Browse GDPR trainingFor business owners and senior leadership. The full scope of organisational data protection responsibility and LOCS:23 governance requirements.
For senior management, directors, and HR professionals who handle personal data as a core part of their role.
For the majority of staff who process data day-to-day. Practical, accessible, and LOCS:23 accredited.
For non-office-based staff. Ensuring the full workforce meets the awareness threshold LOCS:23 requires.
Barrister-led, with the standard understood from the inside out.
Our LOCS:23 implementation team are experienced barristers who work in-house at Briefed. They have guided every certified organisation through the full process.
Orlagh Kelly
Barrister and CEO
Led Briefed through LOCS:23 certification twice. Oversees all client implementation engagements for the standard.
Chris Kelly
In-House Barrister
LOCS:23 implementation specialist with extensive experience supporting chambers and law firms through the standard.
Ben Murphy
In-House Barrister
LOCS:23 specialist and author of Briefed's standard overview. Leads gap analysis and audit preparation for clients.
Common questions about LOCS:23.
LOCS:23 is the first ICO-approved GDPR certification standard built specifically for the legal sector. Achieving it means your data protection practices have been independently audited by ADISA against a rigorous, sector-specific standard.
Between six and ten weeks to reach certification-readiness, depending on your organisation's size and current compliance position. Once certified, status lasts three years with annual reviews.
Yes. Briefed's training suite is LOCS:23 approved and has formed part of every successful certification we have supported to date.
ADISA. Briefed is the implementation partner. We prepare organisations for the audit and provide approved training. The independent certification is granted by ADISA.
Yes. The two standards are complementary, not equivalent. Cyber Essentials covers technical cybersecurity. LOCS:23 covers GDPR compliance and operational data protection.
The standard spans 85 pages across five compliance strands. Briefed has been through it as a certified legal services supplier (twice), has supported every LOCS:23 certification granted to a chambers or legal services organisation to date, and can also provide LOCS:23-approved training. The combined track record and specialist knowledge is difficult to replicate in-house.