The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Regulatory Sandbox is a service developed by the ICO, to support organisations who are creating products and services which utilise personal data in innovative and safe ways.

Participants will have the opportunity to engage with our Sandbox team, to draw upon our wider ICO expertise and advice on mitigating risks and embedding ‘data protection by design’.

The Sandbox provides a free, professional, fully functioning service for organisations, of varying types and sizes, across a number of sectors.

What are the benefits of taking part in the Sandbox?

There are a number of benefits to your organisation participating in the Sandbox. These include:

  • access to ICO expertise and support;
  • increased confidence in the compliance of your finished product or service;
  • a better understanding of the data protection frameworks and how these affect your business;
  • being seen as accountable and proactive in your approach to data protection, by customers, other organisations and the ICO, leading to increased consumer trust in your organisation;
  • the opportunity to inform future ICO guidance;
  • supporting the UK in its ambition to be an innovative economy; and
  • contributing to the development of products and services that can be shown to be of value to the public.

What was the Beta phase of the Sandbox?

In September 2019, we launched the Beta phase of the Sandbox, to allow a sample of organisations to try out the service. This first year allowed us to explore the benefits of running the Sandbox for both the ICO and the organisations we have worked with.

The learnings from the Beta phase have helped our Sandbox work to continue through its next phase. We have published a report into the Beta phase of the Sandbox.

Following on from the Beta phase, we worked with a number of organisations on projects related to the Age Appropriate Design Code or data sharing. We are continuing to work with existing participants who are developing products and services captured within the scope of the Age Appropriate Design Code. These products or services have a direct relevance to the rights and freedoms of children online. Read more about our previous Sandbox participants and our current Sandbox participants.

Moving forward, we will continue to consider applications from new organisations whose products or services meet our entry criteria, as part of a 'roll-on roll-off' model.

How can I take part in the next phase of the Sandbox?

We are currently accepting Expressions of Interest from organisations who are innovating in the following areas where substantial public benefits can be demonstrated:

  • Compliant data sharing in Health, Central Government, Finance, Higher or Further Education or Law Enforcement considered to be crucial to the operation of modern economies.
  • Products and services exploring the use and deployment of innovative technologies, such as privacy-enhancing technologies or distributed ledger technologies.

For further information about the kinds of innovative projects we are interested in working with this year, please see Our key areas of focus for the Regulatory Sandbox 2021-2022.

Although we are currently accepting Expressions of Interest from organisations, you should be aware that the Sandbox has limited capacity, which may mean we are not able to offer you a place immediately. We will consider EOIs against our criteria as they come in, and once our existing spaces are full, we may place successful applicants onto a waiting list.



Frequently asked questions


Will the ICO provide us with a hosted environment to conduct our work in?

No, we will not be hosting environments as part of the Sandbox. You will be responsible for providing your own IT infrastructure.

Will the ICO assist us to procure data?

No, we are unable to advise you about where or how to procure data. Nor are we able to provide any funding to assist you in procuring data. If you plan to carry out live testing on personal data in the Sandbox, you should consider how you will practically obtain that data in advance of submitting an Expression of Interest.

Will we be able to use real customer (live) data or can we use created/simulated (dummy) data for testing?

You may use either live or dummy data to test your products so long as they are compliant with data protection law. Using dummy data may be preferable as it does not carry any risk to data subjects. If you are processing live data, you will need to complete a DPIA beforehand if it is likely to result in a high risk to the data subject. We will not be providing live or dummy data and expect you to source your own data for testing.

Will the ICO deal with other regulators on our behalf?

We will not deal with other regulators on your behalf. However, if your proposed product or service is subject to other regulations, we ask that you notify us about this in your final application. We may ask you to provide evidence about how the product or service complies with these other regulations and we may contact other regulators to confirm this is the case.

Will the ICO be providing financial support as part of the Sandbox?

We are unable to provide any financial support if you wish to apply to the Sandbox.

We ask that applicants take note of the ‘data protection by design and default’ requirements, which specify that you must consider the costs of implementation of any safeguards or measures needed to protect the rights and freedoms of any data subjects affected by processing.

In the Sandbox, we may recommend that you implement certain controls in respect of high risk processing, and therefore we ask that you consider this possibility prior to applying to the Sandbox.

Will we be expected to cover any costs incurred by the ICO during the Sandbox?

No, we do not expect you to cover any of the ICO’s expenses incurred in the Sandbox.