A wise organisation builds its products and services upon the… sand?
April 15, 2019
What is a regulatory sandbox?
A regulatory sandbox is a safe place for organisations to test and create innovative products and services. Over the last few years, a number of regulators such as the Financial Conduct Authority (FCA) have started to offer sandboxes within their own frameworks. The latest to do so is the Information Commissioner’s Office (ICO) which, on 29 March 2019, launched the “beta phase” of its regulatory sandbox to “support organisations using personal data to develop products and services that are innovative and have demonstrable public benefit.” [1] The question for organisations is: how does it work, and what are the potential upsides (and downsides) of using the ICO’s sandbox for privacy-related products and services?
How does a regulatory sandbox work?
Typically, a regulator invites a number of participants from its regulated community to test innovative products and services in a controlled environment where some of its otherwise restrictive regulatory requirements are disapplied for a specified period of time. Often this will be accomplished through the grant of waivers or modifications to existing regulatory arrangements for those within the sandbox, as well as immunity from any enforcement action, in respect of the products/services.
To mitigate any risk of harm towards the public it is duty-bound to protect, the regulator will confine and control the activities by providing additional regulatory oversight to the participants operating in the sandbox. In addition, there will often be a unilateral termination/exit provision in place to enable the regulator to immediately stop any harmful activities.
The principal goal of a sandbox is for the regulator to collaborate with the sandbox participants in order to test innovative ideas, consider modifications to its own regime and bring beneficial products to market that otherwise may have been prevented or delayed through the strict application of regulatory requirements.
How will the ICO’s regulatory sandbox work?
The ICO sandbox will operate in a similar way. Approximately 10 organisations, of different sizes and from different business sectors, that the ICO considers to have innovative products with a demonstrable public benefit will be invited to work in the ICO’s regulatory sandbox. Although the ICO cannot suspend the application of requirements under the GDPR and the Data Protection Act 2018, it will provide a level of comfort from enforcement action to participants. The participants will also receive dedicated support from a ‘sandbox team’ at the ICO that will provide expertise and guidance on compliance with regulatory requirements and help build in privacy by design.
What are the upsides/downsides?
There are clear benefits to both the ICO and organisations that participate in the sandbox.
Through using the sandbox, participants are likely to have increased confidence in their products’ compliance with data protection obligations at the point of going live, to be seen by the regulator and the public as taking compliance issues seriously, and to benefit from an enhanced understanding of data protection frameworks and how these apply to their business.
In return, the ICO is likely to receive a greater understanding of technological developments in the market and the related challenges that its regulatory regime faces. It will therefore be in a better position to keep pace with changes and adapt its regulatory approach by removing any unnecessary barriers to innovation ahead of time. It is also likely that the ICO will use its learnings from the sandbox to produce guidance and compliance resources in relation to nascent or particularly complex emerging areas.
However, the sandbox is not without its limitations. It is important to remember that, although the sandbox is a safe space in relation to the ICO’s regulatory regime, requirements from other regulatory regimes outside of the ICO’s remit, such as those of the FCA and the CMA, will still apply during this period. Indeed, the ICO is asking applicants to make it aware of any applicable concurrent regulatory requirements upfront.
Further, from a GDPR perspective, organisations using live data in the sandbox should exercise caution, as this leniency of enforcement from the ICO will not impact the approach of its European counterparts or preclude affected individuals from bringing civil proceedings. It is also important to note that organisations which are planning to use live data in the sandbox will continue to be subject to DPIA requirements under GDPR. Consequently, if the product or service is likely to result in a high risk to the data subject, then a DPIA will need to be completed beforehand. For this reason, the use of dummy data by participants may be preferable.
A final point to note: in an effort to reassure organisations involved in the sandbox scheme about sharing sensitive commercial data and/or intellectual property (IP) with the ICO, the ICO highlights its strict confidentiality obligations set out under Section 132 of the Data Protection Act 2018. An important consideration for organisations is, however, the potential implications of the ICO’s disclosure obligations under the Freedom of Information Act 2000 (FOIA). Accordingly, organisations should take into account the relevant FOIA exemptions and ensure that any confidential or sensitive IP is highlighted to the ICO.
The ICO’s sandbox is a marked change in its regulatory approach to date. If you are an organisation with data protection challenges central to your products or services, it is a rare opportunity to receive dedicated support and a degree of assurance from the regulator. We will be watching the beta phase of the ICO’s sandbox experiment with interest and look forward to hearing of its findings.