The Regulatory Sandbox is a service developed by the ICO, to support organisations who are creating products and services which utilise personal data in innovative and safe ways.
Participants will have the opportunity to engage with our Sandbox team, to draw upon our wider ICO expertise and advice on mitigating risks and embedding ‘data protection by design’.
The Sandbox provides a free, professional, fully functioning service for organisations, of varying types and sizes, across a number of sectors.
What are the benefits of taking part in the Sandbox?
There are a number of benefits to your organisation participating in the Sandbox. These include:
- access to ICO expertise and support;
- increased confidence in the compliance of your finished product or service;
- a better understanding of the data protection frameworks and how these affect your business;
- being seen as accountable and proactive in your approach to data protection, by customers, other organisations and the ICO, leading to increased consumer trust in your organisation;
- the opportunity to inform future ICO guidance;
- supporting the UK in its ambition to be an innovative economy; and
- contributing to the development of products and services that can be shown to be of value to the public.
Elizabeth Denham, Information Commissioner, said:
“The ICO supports innovation in technology and exciting new uses of data, while ensuring that people’s privacy and legal rights are protected. We have always said that privacy and innovation are not mutually exclusive and there doesn’t need to be an either-or choice between the two.
“The sandbox will help companies and public bodies deliver new products and services of real benefit to the public, with assurance that they have tackled built-in data protection at the outset.
“Engaging with businesses and innovators in the sandbox is also a valuable exercise in horizon scanning - the ICO can identify new developments in technology and innovation and the potential opportunities and challenges they may provide.”
What was the Beta phase of the Sandbox?
In September 2019, we launched the Beta phase of the Sandbox, to allow a sample of organisations to try out the service. This first year allowed us to explore the benefits of running the Sandbox for both the ICO and the organisations we have worked with.
The learnings from the Beta phase have helped our Sandbox work to continue through its next phase. We have published a report into the beta phase of the Sandbox.
Following on from the beta phase, we worked with a number of organisations on projects related to the Age Appropriate Design Code or data sharing. We are continuing to work with existing participants who are developing products and services captured within the scope of the Age Appropriate Design Code. These products or services have a direct relevance to the rights and freedoms of children online. Read more about our previous Sandbox participants and our current Sandbox participants.
Moving forward, we will accept new organisations to work with us in the Sandbox as space becomes available.
How can I take part in the next phase of the Sandbox?
We are currently accepting Expressions of Interest from organisations who are innovating in the following areas where substantial public benefits can be demonstrated:
- Compliant data sharing in Health, Central Government, Finance, Higher or Further Education or Law Enforcement considered to be crucial to the operation of modern economies.
- Products and services exploring the use and deployment of innovative technologies, such as privacy-enhancing technologies or distributed ledger technologies.
For further information about the kinds of innovative projects we are interested in working with this year, please see Our key areas of focus for the Regulatory Sandbox 2021-2022.
Although, we are currently accepting Expressions of Interest from organisations, you should be aware that the Sandbox has limited capacity which may mean we are not able to offer you a place immediately. We will consider EOIs against our criteria as they come in, and once our existing spaces are full, we may place successful applicants onto a waiting list.
Frequently asked questions
Will the ICO provide us with a hosted environment to conduct our work in?
No, we will not be hosting environments as part of the Sandbox. You will be responsible for providing your own IT infrastructure.
Will the ICO assist us to procure data?
No, we are unable to advise you about where or how to procure data. Nor are we able to provide any funding to assist you in procuring data. If you plan to carry out live testing on personal data in the Sandbox, you should consider how you will practically obtain that data in advance of submitting an Expression of Interest.
Will we be able to use real customer (live) data or can we use created/stimulated (dummy) data for testing?
You may use either live or dummy data to test your products so long as they are compliant with data protection law. Using dummy data may be preferable as it does not carry any risk to data subjects. If you are processing live data, you will need to complete a DPIA beforehand if it is likely to result in a high risk to the data subject. We will not be providing live or dummy data and expect you to source your own data for testing.
Will the ICO deal with other regulators on our behalf?
We will not deal with other regulators on your behalf. However, if your proposed product or service is subject to other regulations, we ask that you notify us about this in your final application. We may ask you to provide evidence about how the product or service complies with these other regulations and we may contact other regulators to confirm this is the case.Will the ICO be providing financial support as part of the Sandbox?