Got a fancy but slurpy new product? The ICO would like you to stuff it in its sandbox

UK data watchdog's plan to stay on top of Internet of S*'%t

The UK's Information Commissioner's Office is on the hunt for organisations that are using personal data in "innovative" products, to help the data protection watchdog understand how to regulate it.

It is particularly interested in data generated by wearables or which can help increase public trust in data-slurpers. The players will be welcomed into its regulatory sandbox, which starts its beta phase in April.

As a carrot, the ICO said it would offer "comfort from enforcement" for participants – for instance, as long as they were taking steps to try and comply, an accidental breach wouldn't lead to "immediate" enforcement.

The regulator will also issue letters of "negative assurance" on exit – which say that, when the product left the sandbox, there was "nothing to indicate its operation would breach data protection legislation and that any potential areas of concern or potential breaches were resolved".

But don't get too excited - liability for future breaches would lie with your own organisation and not the ICO, the body pointed out.

The watchdog mooted the idea of a test environment in its technology strategy, published last year. The hope is that organisations will be able to develop "innovative" products and services in a way the ICO can keep up with.

It has now set out more details on the beta phase of the "sandbox" – which will involve 10 organisations of varying sizes and from different sectors – in a discussion paper (PDF) ahead of a more detailed event on 6 February.

The idea is that the devs will work closely with the regulator, to gain what the ICO describes a "shared understanding" of what compliance in that area should look like.

In the beta phase, the ICO said it would be particularly interested in applications that address a set of specific data protection challenges.

These include the use of personal data in emerging technology, such as biometrics, wearables, cloudy products and IoT; complex data-sharing agreements; and using existing data for new purposes.

Other challenges leaving the ICO scratching its head are ways to address perceived limitations or lack of understanding of current data protection laws, and building public trust - so products that ensure transparency and clarity on how data is used are particularly welcome. So no 20 pages of tiny text with a tickbox, we suppose.

In order to be selected for the sandbox, the product or service must be shown to be in the public interest, innovative, and be from organisations with a "mature and accountable approach to data protection".

The lucky organisations will be signed up to a "bespoke plan" and would gain access to advice and support from the ICO while working on their products, through mechanisms that the ICO splits into three, based on a research paper from thinktank Nesta.

  • Advisory – ensuring the products meet existing requirements and helping organisations bring compliant products to market
  • Adaptive – adapting frameworks to remove unnecessary barriers
  • Anticipatory – identifying risks and opportunities by monitoring emerging tech

For the sandbox, the ICO said mechanisms in the first bracket might be iterative "informal steers" during testing or advice on risk mitigation. In the third, the ICO might use the product or service as a "use case" to develop specific public information or guidance on compliance for the future.

In the second category, the ICO was clear that it couldn't change the legal requirements of the GDPR or Data Protection Act 2018, and nor would it relax any rules for sandbox participants.

The sandbox will run from July 2019 to September 2020, and applications will be taken from April. Before that, though, the ICO has a survey for people who might consider applying, which it hopes will give it an idea of how many applications it will be fielding. ®

Keep Reading

Biting the hand that feeds IT © 1998–2021