FAQs
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Frequently asked questions
Processing data in the Sandbox
-
Will the ICO provide us with a hosted environment to conduct our work in?
-
Does the processing carried out by our product or service have to be processed solely within the UK?
-
How does the ICO’s data protection impact assessment process link in with the Sandbox?
Costs and Resources
-
Will the ICO be providing financial support as part of the Sandbox?
-
Will we be expected to cover any costs incurred by the ICO during the Sandbox?
-
Does our Data Protection Officer have to be involved in the application to the Sandbox?
-
What if we are not ready to participate in the Sandbox when we are accepted?
Who can enter the Sandbox?
-
Can I enter the Sandbox with a product/service that is already processing personal data?
-
Does my organisation have to be a data controller in order to apply to the Sandbox?
-
My organisation has already participated in the Sandbox in a previous year, can we apply again?
-
Do we need sign-off by my organisation’s director to participate in the Sandbox?
Assessing applications to the Sandbox
During the Sandbox
-
What happens if we encounter a breach of personal data whilst our product is in the Sandbox?
-
How much does the ICO intend to publicise about our participation in the Sandbox?
-
In what circumstances could our participation in the Sandbox be terminated?