The ICO exists to empower you through information.

The Sandbox is a free service for organisations who intend to or are in the process of developing innovative products and services using personal data, operating under UK data protection law.

Please see Our key areas of focus for the Regulatory Sandbox, for further information about the kinds of innovative projects we are interested in working with in the Sandbox this year.

We welcome expressions of interest from start-ups, small or medium organisations and large organisations, across private, public and voluntary sectors. Expressions of interest are also welcome from organisations whose innovations are at different stages of development, from proof of concept stage to the scaling of existing innovations.

We are only accepting applications from organisations whose data processing comes under the remit of UK data protection law.

If you are applying as a consortia or as joint controllers, please ensure your Expression of Interest is completed by a single, nominated ‘lead organisation’ for your sandbox participation. They will take responsibility for managing the input of the other organisations and their compliance with the terms and conditions.

Frequently asked questions


My organisation has already participated in the Sandbox in a previous year, can we apply again?

Organisations are free to apply whether they have been previously involved or not. However, in deciding whether to work with you, we will be considering how to gain the most benefit from our engagement with you. It is therefore unlikely that we would accept applications from the same organisation, unless their project is significantly different to what we have engaged on before, and is of considerable public benefit.

Does the processing carried out by our product or service have to be processed solely within the UK?

We are looking at data processing that comes under the remit of UK data protection law. This does not preclude the use of data processors outside the UK, as long as you have complied with data protection law, including having appropriate processor contracts and sufficient safeguards in place for any international transfers (subject to any changes following the end of the transition period).

Does my organisation have to be a data controller in order to apply to the Sandbox?

No, not necessarily. We welcome applications from controllers, processors or where you will have no data protection role in the eventual processing. For example, you may be looking to develop a product or service which is then used by another organisation in their processing of personal data. We consider data protection by design to be a responsibility of all organisations involved in a supply chain.

Can joint controllers participate in the Sandbox?

For ease of communication and in order to manage the relationships, we expect there to be a single point of contact that the Sandbox engages with on a regular basis. We will ask you to appoint a lead organisation to take responsibility for managing the input of the other organisations and their compliance with the terms and conditions. We will have no formal relationship with the other organisations.