What will be included in our bespoke Sandbox plan?
Informal steers
A key part of collaborating with us will be receiving our informal ‘steers’. We will agree how these will work and what will be required as part of each bespoke plan.
Some examples of the informal steers available are:
- phased or iterative informal steers – from idea and concept through to prototyping;
- informal supervision of product or service testing;
- processing design walkthroughs – step by step walkthroughs of proposed processing activity leading to informal advice;
- informal review of your DP documentation including: data protection impact assessments, privacy notices and data sharing agreements;
- our attendance at project ‘sprints’;
- workshops with design and development teams at an early stage in order to inform very early thinking; and
- informal steers on risk mitigation at design stage.
Statement of regulatory comfort
As part of your bespoke plan, you can request that the ICO issues a statement of regulatory comfort when you exit the Sandbox. We will agree this statement on a case by case basis at that time and will aim to provide information about the compliance of your product or service with the data protection legislation.
Where possible, the statement will set out that, on the basis of the information provided whilst in the Sandbox, the ICO did not encounter any indication that the organisation’s operation of its developed product or service would infringe upon data protection legislation.
This confirmation will only apply to the product or service as it was in the Sandbox and on the basis of the information provided, and the ICO will retain the right to change our view and revoke confirmation based on future legal or market developments, or if we become aware of information that we have not previously seen.
Monitoring of progress
The amount of monitoring we need to do will be specific to each organisation’s Sandbox plan and will depend on the level of risk involved in the development of the product or service. High-risk plans will require more frequent monitoring. We will agree what form this monitoring takes with each organisation, ie weekly, monthly, on an ad hoc basis, via meetings, email, phone or teleconference. However, we expect that a minimum of three formal meetings with you will take place during the course of Sandbox participation.