Friday, 19 October 2018

ICO consults on establishing a regulatory sandbox to support innovation

A few weeks ago, the Information Commissioner issued a call for views on creating a regulatory sandbox. That consultation has now closed, and the Information Commissioner is reviewing the feedback to inform further work on developing the sandbox. But what's a regulatory sandbox? And how does it work? Read on to find out more.

What is it?
The Information Commissioner's Office ("ICO") has defined its regulatory sandbox as "a safe space where organisations are supported to develop innovative products and services using personal data in innovative ways." Participating organisations would be able to take advantage of the ICO's expertise in the areas of risk mitigation and data protection by design while ensuring that they were establishing appropriate protections and safeguards, although they wouldn't be exempt from complying with data protection law.

Has there ever been one before?
Creating a regulatory sandbox is an innovative approach for a data protection regulator. However, regulatory sandboxes are already being used in FinTech, notably by the Financial Conduct Authority ("FCA"), which launched its sandbox over two years ago. In a report outlining the lessons learned from the first year of the sandbox being in operation, the FCA concluded that:
  • Access to the sandbox had reduced the time and cost of getting innovative ideas to market.
  • Testing in the sandbox had helped facilitate access to finance for innovators, enabling products to be tested and introduced to the market.
  • The sandbox had enabled the FCA to work with innovators to build appropriate consumer protection safeguards into new products and services.

Why would it be useful?
A regulatory sandbox could be particularly beneficial for the data protection community. Organisations are starting to realise that compliance with data protection law is an iterative process, not something that has to be done only once on a project. Also, projects involving technical innovation have particular requirements to meet under data protection law, so using the ICO's "safe space" in tandem with its Regulators' Business and Privacy Innovation Hub to develop them could be advantageous.

However, we don't yet have a clear picture of how the sandbox would work for businesses that have already gone live with a technologically innovative project and then want to use the sandbox to develop it further. The sandbox doesn't offer a data protection amnesty, so if a particular project is not compliant when it is first trialled in the sandbox, it is unclear how the ICO would handle that.

What feedback has there been so far?
The Centre for Information Policy Leadership ("CIPL") has responded to the ICO's call for views, welcoming the ICO's initiative of creating a regulatory sandbox. However, it pointed to anxieties that organisations might have with using it in the absence of a data protection amnesty, saying, "information disclosed into the sandbox must only be used as the basis for an enforcement action in exceptional circumstances . . . the ICO must give some benefit of the doubt where - during testing in a real-life scenario in the supervised space - genuine uncertainty arises about compliance."

In its comments, CIPL sets out:
  • The benefits of the regulatory sandbox for organisations, the ICO, society, the economy and individuals.
  • Real-world and hypothetical examples of situations where participation in such a sandbox could be useful.
  • The practicalities that need to be considered in order to maximise the sandbox's success.
  • Its suggested criteria for acceptance into the sandbox.
  • The need for clarity over the relationship between the sandbox and data protection impact assessments ("DPIAs").
  • The safeguards that must be established to reassure businesses over aspects of their participation in the sandbox.

What's the next step?
The ICO's initial call for views on the feasibility, scope and demand for a sandbox has now closed. The responses are now being reviewed and will inform the ICO's detailed proposal for consultation, which it expects to submit later in the year.

We have many clients working on exciting and innovative new products and services, so please contact us if you would like some assistance with ensuring that your idea stays on the right side of data protection compliance.
