
UK's data protection watchdog preps to 'get its hands dirty' with beta of regulatory sandbox

Scheme to test compliance of innovative products accepting applications until 24 May

The UK's data protection watchdog has said it wants to "get its hands dirty" as it launched a scheme that will help it figure out how to regulate innovative products using personal data before they get on to the market.

The Information Commissioner's Office today opened the beta phase of its regulatory sandbox programme for applications from organisations that are working on ideas that use personal data in new ways.

Successful applicants will work with the ICO team – there are three full-time staffers on the project – as they develop their product or service, with the aim being to make sure they comply with data protection rules.


The plan is part of the ICO's efforts to be taken seriously by the tech firms it regulates as it pushes the message that data protection shouldn't get in the way of innovation. It has also indicated it wants to play a part in building up public trust in the use of personal data.

Such messaging has stirred debate in data protection circles as many argue the regulator should dedicate more of its limited time and resources to enforcement, echoing complaints that too much was spent on the high-profile Facebook-Cambridge Analytica case.

Critics say the ICO's job is to keep organisations in line, not to champion innovation – and have questioned how often data protection rules have genuinely prevented innovative products from being a success.

But the ICO's head of assurance, Chris Taylor, who is leading the sandbox project, argued in an interview with El Reg that "prevention is better than cure".

The only way for it to keep pace with the increasingly varied and complex uses of personal data was to "get its hands dirty" and work with "people genuinely trying to do innovative stuff with personal data", he said.

"For multiple cases and enforcement actions in the past, it would have been much better to be involved early on... rather than run expensive enforcement action [afterwards]."

Over time, Taylor said, the aim is to develop a bank of knowledge it can use for guidance and practical case studies. Although the ICO doesn't control the law, he said it was possible the work would eventually allow it to provide advice "further up the chain".

But in the short term, the ICO is focusing on the beta project, and for the past couple of months it has held a pre-application process asking organisations that might be interested to get in touch.


Taylor said the most interest had come from the healthcare and patient administration sector, making up about 16 per cent of these responses. Other areas included legal, education, financial, advertising, insurance and recruitment, as well as government departments and regulators.

About half of all responses were from micro-organisations, and a quarter from larger bodies, which Taylor said was an "encouraging" spread. The ICO is hoping to have public, private and voluntary sector bodies in the beta phase so it can understand the different approaches it will need to take for each.

For instance, one of the ICO team might sit in on a startup's sprint to observe and advise on the data protection rules, while a government department might already have a detailed programme of work that the ICO can give feedback on.

Taylor said that part of the idea of the beta stage is to figure out what the best use of the ICO's time and resources is, and how they can fit in with different organisations. "We'll be as flexible as we can, to fit in where we can."

There is also some flexibility in the ICO's regulatory approach to the projects in the sandbox – although this can only go so far.

Taylor said that if an organisation works with transparency and in good faith, and takes action quickly if a breach of some kind happens, the starting point would not be to take enforcement action.

"If someone in the sandbox goes completely off-script, that's completely different," Taylor said.

"We recognise that this line will be one we've got to tread. But one of the only ways to get to grips [with emerging tech's use of personal data] is getting in there and bearing that sort of risk."

The ICO will also offer a "negative assurance" letter that will effectively say that when the product left the sandbox there weren't any glaring data protection concerns.

But this isn't long-term assurance or endorsement. "The ICO can never offer an entire carte blanche, or a safe space," he said. "We're all grown-ups... it is the organisation's responsibility to ensure they comply, this won't be a way of providing endorsement."

The ICO is accepting applications from now until 24 May, and Taylor emphasised that the team is ready to take calls from people weighing up whether to apply. ®
