The ICO exists to empower you through information.

Informal steers

A key part of collaborating with us will be receiving our informal ‘steers’. We will agree how these will work and what will be required as part of each bespoke plan.

Some examples of these available are:

  • phased or iterative informal steers – from idea, concept to prototyping;
  • informal supervision of product or service testing;
  • processing design walkthroughs – step by step walkthroughs of proposed processing activity leading to informal advice;
  • informal review of your DP documentation including: data protection impact assessments, privacy notices and data sharing agreements;
  • our attendance at project ‘sprints’;
  • workshops with design and development teams at an early stage in order to inform very early thinking; and
  • informal steers on risk mitigation at design stage.

Statement of regulatory comfort

As part of your bespoke plan, you can request that the ICO issues a statement of regulatory comfort when you exit the Sandbox. We will agree this statement on a case by case basis at that time and will aim to provide information about the compliance of your product or service with the data protection legislation.

Where possible, the statement will set out that, on the basis of the information provided whilst in the Sandbox, the ICO did not encounter any indication that the organisation’s operation of its developed product or service would infringe upon data protection legislation.

This confirmation will only apply to the product or service as it was in the Sandbox and on the basis of the information provided, and the ICO will retain the right to change our view and revoke confirmation based on future legal or market developments, or if we become aware of information that we have not previously seen.

Monitoring of progress

The amount of monitoring we need to do will be specific to each organisation’s Sandbox plan and will depend on the level of risk involved in the development of the product or service. High-risk plans will require more frequent monitoring. We will agree what form this monitoring takes with each organisation, ie weekly, monthly, on an ad hoc basis, via meetings, email, phone or teleconference. However we expect that a minimum of three formal meetings with you will take place during the course of Sandbox participation.

Frequently asked questions


How does the ICO’s data protection impact assessment process link in with the Sandbox?

Under the GDPR, organisations are required to undertake a data protection impact assessment (DPIA) in respect of high-risk processing, and our processes for DPIA consideration will continue to apply through the Sandbox.

At the Sandbox application stage, you will need to identify if your product or service presents a high risk, based on the current DPIA guidance on our website. We will also ask for information about how you intend to mitigate that risk and consider it as part of the application process. If you are then successful, it will be a key element of agreeing your Sandbox plan.

The Sandbox team will then be able to provide informal advice on risk mitigation that might need to be considered in completing a DPIA. However, there is no formal requirement for DPIAs to be submitted to the ICO, unless the DPIA indicates that risk has not been mitigated and you wish to commence processing. For further information, please refer to our data protection impact assessment guide.

If undertaking new processing (e.g. through live testing) is part of the agreed Sandbox plan, then we will need assurances that you have appropriately mitigated risks before you can start that processing.

If prior consultation regarding a DPIA is undertaken with the ICO’s DPIA team, participation in the Sandbox will be paused and contact with the Sandbox team will cease. Participation can begin again once the ICO has delivered the outcome of the DPIA after consultation, and if the risks are deemed acceptable.