The Sandbox is for organisations who intend to or are in the process of developing innovative products and services using personal data.

We welcome applications from start-ups, small or medium organisations and large organisations, across both private, public and voluntary sectors.

For this beta phase we are only accepting applications from organisations whose data processing comes under the remit of UK data protection law.

This phase aims to support these organisations in addressing data protection challenges posed by emerging technologies, such as:

  • use of personal data in emergent or developing technology such as biometrics, internet of things (IoT), facial recognition, wearable tech and cloud-based products;
  • complex data sharing at any and all levels;
  • building good user experience and public trust by ensuring transparency, clarity and explainability of data use;
  • perceived limitations, or lack of understanding of GDPR/Data Protection Act 2018 provisions on automated decision-making, big data, machine learning or AI;
  • utilising existing data (often at scale and in linking data) for new purposes or for longer retention periods;
  • building ‘data protection by design and default’ into product development, taking account of cost issues and difficulties of doing this until testing has been undertaken; or
  • ensuring the security of data and identifying data breaches in complex and innovative environments.

Frequently asked questions

Does the processing carried out by our product or service have to be processed solely within the UK?

For the purposes of the beta phase of the Sandbox we are looking at data processing that comes under the remit of UK data protection law. This does not preclude the use of data processors outside the UK as long as you have complied with data protection law, including having an appropriate processor contracts and sufficient safeguards in place for any international transfers (subject to any changes following our exit from the EU).

Can joint controllers participate in the Sandbox?

In the beta phase we are looking primarily to work with single lead organisations. This will ensure clarity over the informal advice we provide and in managing working relationships.

We recognise, however, that some products or services may involve more than one organisation. We still expect to work with one lead organisation who will then take responsibility for managing the input of the other organisations and their compliance with the terms and conditions. We will have no formal relationship with the other organisations. More information on data processors and the use of contracts in a data protection capacity can be found on our website.