RPost Named UK GDPR ICO Standard LOCS:23 Approved Solution

February 13, 2024 / in News / by RPost Marketing

RPost Named an Approved Solution within the Information Commissioner’s Office (ICO) Newly Approved UK GDPR Certification Standard LOCS:23

February 13, 2024 - London, England

RPost announces that its cybersecurity and privacy infused email, document rights management, secure file sharing, and eSignature services are among the first approved solutions to support legal services organisations looking to achieve UK GDPR privacy accreditation according to the LOCS:23 ICO approved standard.

The Legal Services Operational Privacy Certification Scheme (LOCS:23) is a newly approved standard accredited by the UK Information Commissioner’s Office (ICO). It has been published to provide a guideline for companies to achieve certification with an independent, nationally recognized UK Accreditation Service (UKAS) approved Certification Body; the certification affirms that the certified company is using best practice technologies and methods to assure GDPR privacy compliance. The certification scheme targets legal service providers, who typically process significant amounts of client personal data: it assists them in choosing privacy-centric and regulatory-aware technology suppliers and demonstrates to the regulators their investment and care in managing personal data. For clients of legal service providers, working with a provider that is certified with LOCS:23 or uses LOCS:23 approved solutions provides greater assurance of data privacy and protection and mitigates privacy risks.

“Security, privacy, and compliance are in our RPost DNA. We’re pleased to have been recognized as the first secure communications provider to be named an approved solution for legal services companies to use to enhance their LOCS:23 certification and their GDPR privacy compliance,” states RPost CEO Zafar Khan. “We’ve invested in infusing security-centric technologies and privacy-centric content management features into all our products; we look forward to being there for clients looking to add these RPost compliance and privacy layers to their technology stack.”

Over the years, legal service providers have faced challenges in ensuring that the trust relationship they build with their clients is not let down by the technology services they subscribe to. Using LOCS:23 approved solutions signals to clients of legal service providers that the organisation is ‘compliant’ with current data protection legislation and has implemented best practices to mitigate risks of inadvertent leaks or damaging breaches.

“We’ve known legal services providers have entrusted RPost for years, to transmit firm and client sensitive data in the most secure and compliant manner, all-the-while keeping user experiences for senders and receivers simple,” states Tim Hyman, CEO of 2twenty4 Consulting and LOCS:23 originator. “And, with RPost infusing its security, privacy compliance and authentication technologies across its portfolio of Registered Email™ proof, RMail® security, RDocs™ controls, and RSign® eSignature platforms, with one provider --- RPost --- companies can achieve many of the LOCS:23 requirements, including secure responses to SARs and significantly minimizing reportable data breaches due to a true recall and delete function. We’re pleased to have named RPost one of our first LOCS:23 approved solutions and privacy enhancing technology.”

An easy target for GDPR enforcement is how organisations protect the privacy of information transmitted to external parties. Among the key GDPR requirements that RPost technologies (in particular RPost’s Registered Encryption™ services) help companies achieve are Article 5 Clauses 1(f) and 2, and Article 32 Clauses 1(a) and 1(d), which focus on the requirement to protect personal data during transmission with the ability to demonstrate fact of protection of personal data.

“There are many ways to encrypt email, nearly all of which make it more complicated for the intended receiver to review the message. Therefore, a tendency for senders, unless there is consequence, is to not use email encryption systems that are in place and available for use. The fact of an email encryption system being available for use is not fact of use. ‘Fact of Use’, we believe, will be a key criterion in regulatory audits, and in any case, a basis to protect organizations from accusations of a data privacy or GDPR compliance breach,” stated Nick Hawke, Chief Executive Officer, Association of Professional Compliance Consultants in the Foreword from the Technology Guide to Meet GDPR Compliance for Data Privacy for Email.

The following five evaluation categories (protection, utility, audit-ready compliance proof, empowering, and measurement) are important elements of an email encryption technology or service considering the requirements in GDPR for protecting personal data; in particular Article 5 for security, confidentiality, and accountability, and Article 32 for encrypting and assessing the effectiveness of technical measures to ensure security.

  • Article 5 Clause 1(f) calls for maintaining the confidentiality of personal data, stating, “personal data shall be processed in a manner that ensures appropriate security of the personal data…using appropriate technical or organisational measures (‘integrity and confidentiality’)”.
  • Article 5 Clause 2 creates the need to maintain demonstrable proof of compliance with the confidential treatment of personal data, stating, “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”.
  • Article 32 Clause 1(a) specifies use of encryption to secure personal data, stating, “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data”.
  • Article 32 Clause 1(d) calls for regular assessments to ensure the security of the processing, stating, “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

Considering these requirements, the combination of RMail Registered Encryption™ and other RPost services provides not only GDPR-compliant privacy, but also GDPR audit-ready proof of privacy compliance on a message-by-message basis.

Contact RPost to learn more.