The ICO exists to empower you through information.

Will the ICO provide us with a hosted environment to conduct our work in?

No, we do not provide hosting environments as part of the Sandbox. You will be responsible for providing your own IT infrastructure.

Will the ICO assist us to procure data?

No, we are unable to advise you about where or how to procure data. Nor are we able to provide any funding to assist you in procuring data. If you plan to carry out live testing on personal data in the Sandbox, you should consider how you will practically obtain that data in advance of submitting an Expression of Interest.

Will we be able to use real customer (live) data or can we use created/simulated (dummy) data for testing?

You may use either live or dummy data to test your products so long as they are compliant with data protection law. Using dummy data may be preferable as it does not carry any risk to data subjects. If you are processing live data, you will need to complete a DPIA beforehand if it is likely to result in a high risk to the data subject. We will not be providing live or dummy data and expect you to source your own data for testing.

Does the processing carried out by our product or service have to be processed solely within the UK?

We are looking at data processing that comes under the remit of UK data protection law. This does not preclude the use of data processors outside the UK, as long as you have complied with data protection law; including having appropriate processor contracts and sufficient safeguards in place for any international transfers (subject to any changes following the end of the transition period).

How does the ICO’s data protection impact assessment process link in with the Sandbox?

Under the UK GDPR, organisations are required to undertake a data protection impact assessment (DPIA) in respect of high-risk processing, and our processes for DPIA consideration will continue to apply through the Sandbox.

At the Sandbox application stage you will need to identify if your product or service presents a high risk based on the current DPIA guidance on our website. We will also ask for information about how you intend to mitigate that risk and consider it as part of the application process. If you are then successful, it will be a key element of agreeing your Sandbox plan.

The Sandbox team will then be able to provide informal advice on risk mitigation that might need to be considered in completing a DPIA. However, there is no formal requirement for DPIAs to be submitted to the ICO, unless the DPIA indicates that risk has not been mitigated and you wish to commence processing. For further information, please refer to our data protection impact assessment guide.

If undertaking new processing (e.g. through live testing) is part of the agreed Sandbox plan, then we will need assurances that you have appropriately mitigated risks before you can start that processing.

If prior consultation regarding a DPIA is undertaken with the ICO’s DPIA team, participation in the Sandbox will be paused and contact with the Sandbox team will cease. Participation can begin again once the ICO has delivered the outcome of the DPIA after consultation, and if the risks are deemed acceptable.