The Information Commissioner's Office Consultation on a proposal for a ‘Sandbox’ for new technology

Organisations are increasingly looking to innovate by using technology which often involve novel and untested ways of using personal data. If done correctly, organisations can create a business advantage. If proper procedures are not followed (resulting in inadequate privacy protections), the consequences for an organisation can be disastrous. In order to bridge this gap, the Information Commissioner’s Office (“ICO”) has proposed a new ‘regulatory sandbox’ to work more collaboratively with organisations.

On 6 September 2018, the ICO called for ‘evidence and initial views’ to understand the feasibility, scope and demand for a ‘sandbox’. The consultation process, which includes a series of questions, will end on 12 October 2018.

What is a sandbox?

The term ‘sandbox’ in the technology environment derives from sandboxes we played in as children. Whilst playing in these sandboxes we were able to build elaborate sand castles in a safe area. Technology companies use this term to reference an environment where new ideas, concepts and products can be built and tested without being impacted by outside factors.

The ICO has commented that their regulatory sandbox will provide organisations with a safe space for them to discuss, with the ICO, proposals to develop innovative products and services, whilst using personal data in innovative ways. The ICO has also commented that the sandbox does not absolve organisations of their responsibilities under data protection law, but it will afford companies the opportunity to work collaboratively with the ICO, obtain advice and manage privacy risks.

The ICO’s sandbox proposal is based on the Financial Conduct Authority's (“FCA”) sandbox, which was set up in May 2015 as a safe space for innovation of new products, services, business models and delivery mechanisms. In addition, the ICO would like to understand from individuals and organisations if there are other approaches to be considered. They are also compiling evidence, through the consultation process, of specific areas of concern and interest to organisations who are creating innovative new technology in the GDPR live era.

The consultation questions - what does it focus on?

The following key themes are outlined in the consultation questionnaire:

1. Barriers and challenges in light of GDPR and the ICO’s regulatory approach;
2. Whilst the focus is on digital innovation, are there other privacy practice areas and industry sectors that could benefit from the regulatory sandbox?
3. Benefits of using the sandbox, such as reputational benefits or access to the ICO’s expertise and guidance; and
4. Practical implications, such as when a product is being tested in a live environment and potential for an organisation to receive a ‘letter of comfort’ from the ICO to assist with early trials and/or go live phases.

What’s next? How to have your say

Industry input would be useful to influence the scope of the sandbox and views are invited via the ICO's consultation page.

Some possible implications

1. The reaction of other supervisory authorities
   
   The ICO is taking the lead to engage proactively with organisations. Many technology solutions, however, will apply cross border both within the EU and globally. Accordingly, even if the ICO provides a sandbox, it is not clear how other supervisory authorities may react to this approach and whether they will agree with any guidance provided by the ICO.
2. At what point does the guidance and ‘approval’ from the ICO end?
   
   Will the ICO’s approval extend beyond the initial trial of a new product and also apply to any variations in scope or updates? Whilst this is certainly a welcome development from the ICO, it is still early in the consultation process and time will tell what the final outcome will hold.