'Sandbox' advice could inform GDPR codes of conduct, says ICO

Out-Law News | 14 Dec 2018 | 10:01 am

Trade associations could develop codes of conduct to help businesses comply with the General Data Protection Regulation (GDPR) through a new 'regulatory sandbox' being set up by the Information Commissioner's Office (ICO), the UK watchdog has said.

In a recent response to an autumn consultation it held on its plans, the ICO confirmed it will open the sandbox "with a year-long ‘live beta’ phase" some time during its next financial year, which begins on 1 April 2019.

The precise framework for sandbox participation has still to be set, but the data protection authority gave guidance on how it might work in its response paper.

"ICO engagement to assist innovation where personal data will be processed is welcomed," said data protection law expert Michele Voznick of Pinsent Masons, the law firm behind Out-Law.com. "The further details of how it will work and the criteria to ‘play’ are awaited, as the usefulness of participating in the sandbox will depend on the rules and the criteria."

"It is also hoped that, once it is up and running, any ‘lessons learned’ from the use of the sandbox will be utilised by the ICO in future GDPR guidance, or incorporated into future GDPR guidance. This will allow the sandbox to be a genuine benefit for all," she said.

According to the ICO, organisations will be able to test innovative products and services through its sandbox if they fulfil certain eligibility criteria. Applicants will need to be able to demonstrate their products or services are genuinely innovative, can deliver material benefit to data subjects, and that they have in place a robust accountability framework for working with personal data, it said.

The sandbox will be "broad in scope and open to all sectors and to all types of innovation" and participation will be informed by advice and 'informal steers' provided by the ICO, although the precise form that guidance will take is still to be finalised.

The ICO said it would work with successful applicants to develop "a bespoke sandbox plan" that works to "a defined timescale", and said it could permit "live data" to be used in testing "if risks can be effectively mitigated".

It promised to "ensure robust safeguards, clarity over the relationship with our other powers and regulatory requirements, and put in place mechanisms to protect the commercial confidentiality of participants whilst meeting our requirements under freedom of information".

The watchdog said, though, that it does "not envisage the sandbox being a place to relax requirements for compliance, or to provide any certification or positive assurances as a result of sandbox participation".

While it "will not provide a ‘badge’ or certification" to denote a company's participation in its sandbox, the ICO said it is "keen to explore what forms of communication, such as letters acknowledging entrance and exit to the sandbox, or other mechanisms there may be" to help organisations build trust in their product or service on the back of their participation in the sandbox.

The ICO suggested GDPR-compliant industry codes of conduct could be developed by sandbox participants.

"Many of the answers as to how best to apply the GDPR will rest with organisations and sectors themselves," the ICO said. "The GDPR creates the opportunity for sectors to come together to create codes of conduct that will provide practical application of the GDPR and we welcome dialogue with any sector that wishes to make progress in this manner. The sandbox itself presents an opportunity to test approaches to addressing these challenges and in some circumstances that could then inform the creation of sector-specific codes of conduct."

"We are keen to ensure the sandbox develops in such a manner as to be as accessible to small start-up organisations as to large incumbents, and everything in between," it said.

The ICO said it expects the way its sandbox operates to evolve over time. It said it will not charge businesses that participate in the 'beta' phase of the sandbox, but left it open to potentially levy a fee on participants thereafter.

The ICO will not be the first UK authority to create a regulatory sandbox. The Financial Conduct Authority (FCA) already operates a sandbox for the testing of fintech innovations. Participation in the FCA's sandbox is also subject to eligibility criteria and consumer safeguards are applied to the testing, but in some cases a lighter-touch regulatory framework is applied to the testing. In addition, the FCA's sandbox has operated in staged cohorts, whereas the ICO said it prefers an "always open" approach.