The Lexcel Legal Practice Quality Mark has been revised and expanded. Lexcel accredited practices will be assessed against the revised standard from 1st November, which means there is plenty for you to be working on.
The Law Society Lexcel website gives you more information.
Broadly, these changes align the standard with recent new and revised legislative requirements in relation to data protection and financial crime.
The SRA Code of Conduct 2011 mandatory outcome 7.5 applies whether or not you are Lexcel accredited… ‘you comply with legislation applicable to your business, including anti-money laundering and data protection legislation’.
There is a lot here to risk assess, develop, train, implement and test before your next Lexcel assessment … and of course to communicate to clients, as appropriate, and to your staff.
With regard to data protection, look at all the Lexcel requirements and you will soon realise that data protection touches all areas of the Standard.
You will need to look at the wider picture to assess and manage the risk of breaches and other offences. A thorough review will include your compliance plan, risk register, policies and procedures, record keeping, monitoring and training. Are you, for example, maintaining appropriate records of data processing activities, information asset registers, money laundering risk assessments and records? Remember it is important to keep records of your decision making to evidence compliance and to have robust breach reporting procedures. You need to understand your vulnerabilities and risks and address these accordingly.
For all these new requirements, off-the-shelf template policies or procedures may be helpful but are not always likely to be sufficient, as every practice is different. One size does not fit all. Examine the profile of your own practice, and undertake thorough risk assessments and gap analyses. Bespoke policies and procedures in plain language and applicable to your business are best practice, and likely to be more robust and easily understood by everyone.
Train, implement and test.
Ensure your policies and procedures are effective. Undertake audits and spot checks.
Be prepared for assessors (and potentially other bodies) to review your central documentation, follow the audit trails, check your matter files and interview staff for evidence that they understand their responsibilities relevant to their role and have received appropriate training. Importantly too, are your staff able to identify potential breaches or compliance failures, and do they know how to go about reporting them?
A wealth of information and guidance is available on the ICO, Law Society and SRA websites. As always, Teal blogs are a great resource for practical guidance.
Make sure you check out the Cyber Essentials scheme which, for Lexcel accreditation, firms are now encouraged to achieve.
Take a deep breath, consider your risks, raise awareness in your business, and start your reviews and preparation now. Most of all, don’t lose sleep and contact firstname.lastname@example.org for a chat as to how we can help you.