On 29 March 2019, the ICO opened the beta phase of the “regulatory sandbox” scheme (the “Sandbox”), which is a new service designed to support organizations that are developing innovative and beneficial projects that use personal data. The application process for participating in the Sandbox is now open, and applications must be submitted to the ICO by noon on Friday 24 May 2019. The ICO has published on its website a Guide to the Sandbox, which explains the scheme in detail.
The purpose of the Sandbox is to support organizations that are developing innovative products and services using personal data and develop a shared understanding of what compliance looks like in particular innovative areas. Organizations participating in the Sandbox are likely to benefit from having the opportunity to liaise directly with the regulator on innovative projects with complex data protection issues. The Sandbox will also be an opportunity for market leaders in innovative technologies to influence the ICO’s approach to certain use cases with challenging aspects of data protection compliance or where there is uncertainty about what compliance looks like.
The beta phase of the Sandbox is planned to run from July 2019 to September 2020. Around 10 organizations from private, public and third sectors will be selected to participate. In the beta phase, the ICO is focusing on data processing that falls within the remit of UK data protection law.
In particular, the ICO is seeking applications for products or services that address the following data protection challenges relevant to innovation:
- use of personal data in emerging or developing technology such as biometrics, internet of things (IoT), facial recognition, wearable tech, cloud-based products;
- complex data sharing at any and all levels;
- building good user experience and public trust by ensuring transparency, clarity and explainability of data use;
- perceived limitations, or lack of understanding of the General Data Protection Regulation and Data Protection Act 2018 provisions on automated decision making, big data, machine learning or AI;
- utilising existing data (often at scale and in linking data) for new purposes or for longer retention periods;
- building ‘data protection by design and default’ into product development, taking account of cost issues and difficulties of doing this until testing has been undertaken; or
- ensuring the security of data and identifying data breaches in complex and innovative environments.
Participating organizations will be asked to sign terms and conditions with the ICO, and will also receive a statement of ‘comfort from enforcement’. This statement will state that the ICO will not take immediate enforcement action for any inadvertent breach of data protection law as a result of product or service development during the Sandbox.
The ICO will work with participating organizations to design a bespoke plan, and provide informal advice or ‘steers’ on the project. Participating organizations can also request ‘statements of regulatory comfort’ from the ICO when they exit the Sandbox, in which the ICO will state that on the basis of the information provided whilst in the Sandbox, the ICO did not encounter any indication that the product or service would infringe data protection law.
The ICO conducted a consultation on the Sandbox in September 2018 (see our previous blog post here), and the analysis of the results of the consultation was published in November 2018. Information about how to apply to the Sandbox can be found here.