Written by
Walter McCahon, Manager, Data Policy,
UK Finance


The Information Commissioner’s Office (ICO) recently consulted on some fundamental principles to inform its development of a ‘regulatory sandbox’. For now this is just a high-level proposal, but the plan is to create an environment in which firms can test innovative products and services that use personal data. By drawing on ICO support, participating firms could more effectively meet data protection requirements, such as ‘privacy by design’.

The details are still to be worked out, and there is much the ICO could do to help firms through the product development process in a privacy-enhancing way. The ICO has identified for example:

  • Informal advice on compliance to the firm to assist in product development
  • Reassurance that accidental breaches of the rules during the development stage will be treated sympathetically
  • Advice that a product, when it’s ready to leave the sandbox, appears to be within the rules

A sandbox that’s used actively by businesses would hopefully be beneficial to all parties. Access to the cutting edge of private sector innovation will help ICO staff ensure they are up to speed on the latest technology and products. This will in turn help the ICO produce up-to-the-minute public guidance material, which will then help innovating firms check their own compliance.

This is all encouraging and indeed there might be room for some synergies in the financial services sector. The FCA operates an innovation sandbox already. In the context of financial services, it would be ideal for there to be a connected approach to regulator-assisted innovation. There are a lot of cross-overs between FCA rules and data protection requirements. GDPR requires firms to ensure that all personal data processing is fair and transparent. Clearly this must link pretty closely to the FCA’s requirements for firms to treat customers fairly, and to ensure that they receive clear information and are kept appropriately informed.

Perhaps there could be a ‘joint sandbox’, or there could be an option for firms going into one sandbox to ask for the other the regulator to also be brought into the conversation.

ICO data protection sandbox
Tagged on: