ICO re-opens its “Regulatory Sandbox” for safer data innovation

Published on 15 January 2021

What does the re-opening of the Regulatory Sandbox mean for organisations who are engaged in more cutting-edge data development?

The key takeaway

Organisations should consider whether they would benefit from participating in the Regulatory Sandbox when developing innovative products or services in the sectors the ICO has targeted (listed below), particularly where they are engaged in the two key areas of ICO focus: children’s privacy and data sharing. Experimenting with new data processes within the safe boundaries of the Sandbox may be an ideal way to develop your new products, especially as one of the side benefits is a “comfort from enforcement” statement from the ICO.


The background


The Regulatory Sandbox is an ICO service that provides free support to organisations that use personal data as part of their development of products and services. The ICO has sought expressions of interest from companies that are involved in specific sectors, predominantly healthcare, financial services, higher education or law enforcement. Participating organisations are able to use the Sandbox to engage with the ICO’s team and to draw upon wider ICO expertise and advice in mitigating risks and embedding “data by design”. Through informal guidance and help throughout the development process, the service will allow organisations to better ensure compliance with legal requirements and to understand data protection frameworks and how these directly affect their business.

The development

A beta phase was started in September 2019, but the ICO has indicated it has more capacity to take on new organisations that want to take part in the Regulatory Sandbox, with a focus on two themes: children’s privacy and data sharing. In the light of this focus, the ICO is interested in hearing more from organisations concerned with the implementation of the “Age Appropriate Design Code”.

What the ICO provides to organisations as a part of the Sandbox includes:

  • phased or iterative informal steers during product development from the idea stage all the way to concepts and prototyping;
  • informal supervision of product or service testing;
  • processing design walkthroughs, which lead to informal advice; and
  • informal review of your DP documentation including data protection impact assessments, privacy notices and data sharing agreements.

In addition to protection during participation in the Sandbox, the ICO can also issue a “statement of regulatory comfort” to all participants at their request once they leave the Sandbox. This will set out that, based on the information provided whilst in the Sandbox, the ICO did not encounter any indication that the organisation’s operation of its developed product or service would infringe upon data protection legislation.

Why is this important?

The ICO hints that some of the products submitted to the Sandbox will be “at the cutting edge of what is possible within specific fields and sectors”. The Sandbox allows organisations to develop these products with informal assistance from the ICO, so that they can gauge compliance with data protection legislation in a more granular manner throughout the development process, especially where they operate in more challenging areas of data protection.

In some cases, the Sandbox may raise fundamental questions that have not previously been considered and that will have broader significance for data protection. It is anticipated that guidance and resources will be produced in response to the Sandbox assessments, which will in turn potentially feed into the development of codes of conduct.

Any practical tips?

Organisations should consider whether the Regulatory Sandbox would be of assistance in the development of their products, and use this opportunity to receive direct guidance and avoid potential regulatory issues down the line. The Sandbox offers one way to potentially avoid obvious pitfalls and, in some cases, may assist with the quicker release of those products or services.