On 29 March 2019, the ICO opened the beta phase of the “regulatory sandbox” scheme (the “Sandbox”), which is a new service designed to support organizations that are developing innovative and beneficial projects that use personal data.  The application process for participating in the Sandbox is now open, and applications must be submitted to the ICO by noon on Friday 24 May 2019. The ICO has published on its website a Guide to the Sandbox, which explains the scheme in detail.

The purpose of the Sandbox is to support organizations that are developing innovative products and services using personal data and develop a shared understanding of what compliance looks like in particular innovative areas.  Organizations participating in the Sandbox are likely to benefit from having the opportunity to liaise directly with the regulator on innovative projects with complex data protection issues. The Sandbox will also be an opportunity for market leaders in innovative technologies to influence the ICO’s approach to certain use cases with challenging aspects of data protection compliance or where there is uncertainty about what compliance looks like.

The beta phase of the Sandbox is planned to run from July 2019 to September 2020.  Around 10 organizations from private, public and third sectors will be selected to participate. In the beta phase, the ICO is focusing on data processing that falls within the remit of UK data protection law.

In particular, the ICO is seeking applications for products or services that address the following data protection challenges relevant to innovation:

  • use of personal data in emerging or developing technology such as biometrics, internet of things (IoT), facial recognition, wearable tech, cloud-based products;
  • complex data sharing at any and all levels;
  • building good user experience and public trust by ensuring transparency, clarity and explainability of data use;
  • perceived limitations, or lack of understanding of the General Data Protection Regulation and Data Protection Act 2018 provisions on automated decision making, big data, machine learning or AI;
  • utilising existing data (often at scale and in linking data) for new purposes or for longer retention periods;
  • building ‘data protection by design and default’ into product development, taking account of cost issues and difficulties of doing this until testing has been undertaken; or
  • ensuring the security of data and identifying data breaches in complex and innovative environments.

Participating organizations will be asked to sign terms and conditions with the ICO, and will also receive a statement of ‘comfort from enforcement’. This statement will state that the ICO will not take immediate enforcement action for any inadvertent breach of data protection law as a result of product or service development during the Sandbox.

The ICO will work with participating organizations to design a bespoke plan, and provide informal advice or ‘steers’ on the project.  Participating organizations can also request ‘statements of regulatory comfort’ from the ICO when they exit the Sandbox, in which the ICO will state that on the basis of the information provided whilst in the Sandbox, the ICO did not encounter any indication that the product or service would infringe data protection law.

The ICO conducted a consultation on the Sandbox in September 2018 (see our previous blog post here), and the analysis of the results of the consultation was published in November 2018.  Information about how to apply to the Sandbox can be found here.

Tags: ICO, Privacy by Design, Regulation
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Sam Jungyun Choi Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous…

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.

Read more about Sam Jungyun ChoiEmailSam Jungyun's Linkedin Profile
Show more Show less