If your organisation is accepted, we will notify you by an entry letter setting out the full terms and conditions of your engagement with us whilst in the Sandbox.

You will also receive a statement of ‘comfort from enforcement’. This will state that any inadvertent contravention to the data protection legislation as a result of product/service development, whilst participating in the Sandbox, will not immediately lead to regulatory action, such as enforcement, in accordance with the ICO’s Regulatory Action Policy. This comfort will depend upon you maintaining a collaborative and cooperative dialogue with the ICO and the Sandbox Team.

Following acceptance of the terms laid out in the letter of entry, your dedicated Sandbox team member will arrange to visit you on-site.

Prior to this meeting, we will ask you to complete either the ICO’s Data Protection Self-Assessment Checklist or assessment for small business owners and sole traders. The purpose of this is solely to help ICO tailor the bespoke Sandbox plan to your requirements.

The purpose of this first visit is for us to gather a detailed understanding of both your organisation and your proposed product or service. We may ask to meet with your development teams and to attend a process or design walkthrough of your product/service.

This visit will also be an opportunity for you to:

  • ask any further questions;
  • outline specifically what your expectations are;
  • explain what kind of support mechanisms you may need from us; and
  • discuss practical arrangements, including whether you require any additional resources from us and how these can feasibly be met.

Following this visit, the Sandbox team will work with you to devise a bespoke Sandbox plan, based on:

  • your requirements;
  • your objectives;
  • the level of data protection understanding you have;
  • the data protection measures you already have in place; and
  • any considerations made by the ICO.

We hope to provide a bespoke service to each organisation within the Sandbox. This means that we will be flexible to your organisation’s requirements and timescales wherever possible.

We expect to finalise the plan with you as soon as possible but within a maximum of 8-10 weeks following our initial visit.

Frequently asked questions

What happens if we encounter a breach of personal data whilst our product is in the Sandbox?

If a reportable breach occurs to your product or service in the Sandbox, we still expect you to report it to the ICO within 72 hours, in line with the GDPR requirement. You should state that the product or service is currently participating in the Sandbox. Although the ICO will consider the breach in line with our standard procedures, we will be very unlikely to undertake enforcement action if you are meeting the terms of your Sandbox entry letter.

Report a breach

What if a member of the Sandbox team discovers that we are not compliant in other areas of our organisation during the course of the Sandbox?

The Sandbox team will not proactively assess your wider organisation or processes for compliance. If we identify a reportable breach during the course of the Sandbox, which falls outside of the scope of the product or service you are developing in the Sandbox, we will advise you to report this to the ICO in line with your GDPR requirements, as per standard procedures.

How much do the ICO intend to publicise about our participation in the Sandbox?

A condition of participation in the Sandbox is that you provide us with your consent to make public that your organisation is participating, along with a short description of your proposition, which we will agree with you ahead of publication.

You are not permitted to communicate to any external party about your Sandbox participation without the ICO's express written consent. This includes communications to any regulated or unregulated organisations, media outlets, existing or future customers, data subjects or otherwise. If you wish to communicate with third parties about any aspect of your involvement, you need to agree this in advance with your Sandbox point of contact.

Organisations are not to brand or promote the product or service being developed as ‘ICO- approved’.

What will the ICO’s process be for handling Freedom of Information requests in respect of commercially sensitive information?

The Sandbox team is bound by strict obligations of confidentiality by Section 132 of the DPA 2018. This includes confidential information that relates to an identified or identifiable individual or business provided as part of the Sandbox process. Please ensure you mark on your application form, any information you consider we need to treat as confidential or commercially sensitive.

The Sandbox team will only share information about a product or service with other ICO staff as is necessary to undertake Sandbox work or if it is not in breach of our confidentiality obligations.

As a public authority we are subject to the Freedom of Information Act 2000 (FOIA) and so are legally required to respond to any FOI requests we receive, which may include requests for information provided to us in the Sandbox. 

We will treat any FOI request on a case-by-case basis and you should therefore make it clear to us if you provide us with any information that you consider confidential or commercially sensitive and why. Should we then receive a request for information, we will consider what, if any exemption applies, bearing in mind the exemptions in Section 41 (information provided in confidence) Section 36 (conduct of public affairs) and Section 43 (commercial interests) of FOIA, as well as any other relevant exemptions.

This approach to confidentiality will not stop us agreeing with you what public information about your involvement we can share with third parties.

How will the ICO manage conflicts of interest?

We intend to mitigate any conflicts of interest that may arise from the following:

  • the applicant organisation employing former members of ICO staff; or
  • the applicant organisation having any close relationships (family members, close friends) with individual members of the Sandbox team or the assessment panel.

Where this is the case, we will appraise these risks and consider whether additional safeguards are required on a case-by-case basis.

ICO staff adhere to the ICO’s code of conduct which requires all staff to conduct themselves with integrity, impartiality, objectivity and honesty, and prohibits staff from using their official positon to further private interests or the interests of others.