The ICO exists to empower you through information.

If your Sandbox application is successful, a member of the team will be in touch to tell you when we can expect to begin the development of your bespoke Sandbox plan. Subject to capacity, and your readiness to participate, we may be in a position to start this work straight away. Otherwise, you may be given an estimated date for when your participation can begin, or you may be placed onto a waiting list.

You will also receive a statement of ‘comfort from enforcement’. This will state that any inadvertent contravention to the data protection legislation as a result of product or service development, whilst participating in the Sandbox, will not immediately lead to regulatory action. This comfort will depend on you maintaining a collaborative and cooperative dialogue with the ICO and the Sandbox Team.

We will ask you to sign a copy of our terms and conditions prior to the beginning of your participation.

Following acceptance of the terms laid out in the letter of entry, your dedicated Sandbox team member will be in touch to arrange a meeting or call to begin developing your bespoke Sandbox plan.

Prior to this meeting, we may ask you to complete either the ICO’s data protection self-assessment checklist or small businesses checklist. The purpose of this is solely to help ICO tailor the Sandbox plan to your requirements.

Within the meeting, we will aim to discuss the following in more detail:

  • The proposed innovation in more detail.
  • The level of data protection understanding your organisation has and whether you require some additional support which needs to be factored into your Sandbox plan.
  • The data protection challenges or grey areas which you require ICO support on.
  • Your organisational requirements and how we will engage with each other throughout participation.
  • Your objectives and the tasks we will complete collaboratively to achieve your aims.

We hope to provide a bespoke service to each organisation within the Sandbox. This means that we will be flexible to your organisation’s requirements and timescales wherever possible.

We expect to finalise the plan with you as soon as possible, but within a maximum of four weeks following our initial meeting.

Frequently asked questions


What happens if we encounter a breach of personal data whilst our product is in the Sandbox?

If a reportable breach occurs to your product or service in the Sandbox, we still expect you to report it to the ICO within 72 hours, in line with the UK GDPR requirement. You should state that the product or service is currently participating in the Sandbox. Although the ICO will consider the breach in line with our standard procedures, we will be very unlikely to undertake enforcement action if you are meeting the terms of your Sandbox entry letter. Report a breach here.

What if a member of the Sandbox team discovers that we are not compliant in other areas of our organisation during the course of the Sandbox?

The Sandbox team will not proactively assess your wider organisation or processes for compliance. If we identify a reportable breach during the course of the Sandbox, which falls outside of the scope of the product or service you are developing in the Sandbox, we will advise you to report this to the ICO in line with your obligations, as per standard procedures.

What if we are not ready to participate in the Sandbox when we are accepted?

Your organisation does not need to be ready to participate immediately, for example if you are waiting on dependencies internally or externally. We operate a ‘roll on-roll off’ model, which means as one organisation exits the Sandbox, we can invite a new one in from our pool of successful applicants. We ask that you provide us with a good estimated date of when your organisation will be ready to commence work in the Sandbox within your Expression of Interest. We will also discuss this timing with you and agree a possible entry date for your participation in an engagement call.

Your dedicated Senior Policy Officer will look to contact you two weeks prior to the agreed entry date to ensure your organisation’s readiness.

How much does the ICO intend to publicise about our participation in the Sandbox?

A condition of participation in the Sandbox is that you provide us with your consent to make public that your organisation is participating, along with a short description of your innovation, which we will agree with you ahead of publication.

You are not permitted to communicate to any external party about your Sandbox participation without the ICO's express written consent. This includes communications to any regulated or unregulated organisations, media outlets, existing or future customers, data subjects or otherwise. If you wish to communicate with third parties about any aspect of your involvement, you need to agree this in advance with your Sandbox point of contact.

Organisations are not to brand or promote the product or service being developed as ‘ICO- approved’.

What will the ICO’s process be for handling freedom of information requests in respect of commercially sensitive information?

The Sandbox team is bound by strict obligations of confidentiality by Section 132 of the DPA 2018. This includes confidential information that relates to an identified or identifiable individual or business provided as part of the Sandbox process.

Please ensure that you mark on any submission (Expression of Interest, Application form, general correspondence) information you consider to be commercially sensitive or confidential.

The Sandbox team will only share information about a product or service with other ICO staff as is necessary to undertake Sandbox work, or if it is not in breach of our confidentiality obligations.

As a public authority we are subject to the Freedom of Information Act 2000 (FOIA), and so are legally required to respond to any FOI requests we receive, which may include requests for information provided to us in the Sandbox.

We will treat any FOI request on a case-by-case basis and you should therefore make it clear if you provide us with any information that you consider confidential or commercially sensitive and why. Should we then receive a request for information, we will consider what, if any, exemption applies, bearing in mind the exemptions in Section 41 (information provided in confidence), Section 36 (conduct of public affairs) and Section 43 (commercial interests) of FOIA, as well as any other relevant exemptions.

This approach to confidentiality will not stop us agreeing with you what public information about your involvement we can share with third parties.

How will the ICO manage conflicts of interest?

We intend to mitigate any conflicts of interest that may arise from the following:

  • The applicant organisation employing former ICO staff members.
  • The applicant organisation having any close relationships (family members, close friends) with individual members of the Sandbox team or the assessment panel.

Where this is the case, we will appraise these risks and consider whether additional safeguards are required on a case-by-case basis.

ICO staff adhere to the ICO’s code of conduct, which requires all staff to conduct themselves with integrity, impartiality, objectivity and honesty, and prohibits staff from using their official position to further private interests or the interests of others.