News | February 16, 2022

The Regulatory Sandbox

A Sandbox is a testing environment which isolates untested and experimental projects from the real-world environment, allowing their development in a safe and controlled manner.

The sandbox provides organisations with a free service from the ICO. The sandbox is open to organisations big and small from a number of sectors. Organisations have to apply for the sandbox service. If they are successful they are given the opportunity to engage with the ICO Sandbox team. This will allow them to receive advice and guidance on mitigating risks and embedding data protection by design.

The ICO’s Sandbox was the world’s first GDPR-territory data protection Sandbox.

There are several clear benefits for organisations who take part in the Sandbox. For example, organisations will have increased confidence that the finished project will be fully compliant with data protection regulations. Organisations will also benefit from increased consumer trust in their use of personal information. It may also give them an opportunity to inform future ICO guidance.

There are also clear benefits for the ICO. Engaging with business and innovators in the sandbox allows the ICO to have an involvement in new technology and innovation and the challenges that these may present.

ICO Regulatory Sandbox – history

In Autumn 2018 the ICO launched a consultation and asked for views on a data protection sandbox. A workshop was organised for interested organisations. Following the workshop the ICO created the beta phase sandbox procedures and accepted a number of interested organisations to try out the sandbox service.

Organisations had to meet the ICO criteria by demonstrating that their product or service was innovative in its use of personal information and of public benefit. They also had to show that they were operating in a challenging area of data protection processing.

Ten organisations were chosen. Details of the reports of the organisations involved can be found on the ICO website.

Following the completion of the beta phase the ICO published a report (The Regulatory Sandbox Beta Review) which can be found on the ICO website.

An interesting aspect of the beta phase was that the ICO noted several misconceptions about data protection by the participants. For example, some participants struggled with the distinction between data controllers and data processors, and in some cases organisational risks and risks to data subjects were not always recognised. The ICO advised the participants to consider an evaluation of risk via a data protection impact assessment (DPIA).

Some participants also seemed to be unclear about what constituted personal data. There were also some misunderstandings about anonymisation and pseudonymisation. This enabled the ICO to assist the participants in these areas. There were also some discussions about data minimisation.

The ICO also reported that they had gained valuable insights into several sectors which would be invaluable going forward. For example, they gained insights into the financial and banking sectors; law enforcement and the airport sector and the use of facial recognition technology.

Sandbox – key areas for 2021/22

The ICO has published its key areas of focus for the Regulatory Sandbox for 2021/22. They are interested in data protection innovations in the areas of health, central government, finance, higher and further education and law enforcement. The innovations also have to be in the public interest (public benefit).

One of the ICO aims is to promote and enable confident, responsible and lawful data sharing in the wider public interest. They view the sandbox as a means to help demonstrate that data protection legislation is not a barrier to proportionate sharing of personal data.

They are particularly interested in organisations that are developing products or services which are likely to enable substantial public benefits, but where data sharing may, for example:

  • pose the highest risk to the public and to information rights;
  • involve the use of novel or innovative technologies;
  • involve the use of innovative data governance frameworks or data sharing platforms; and
  • involve the processing of sensitive personal data.

Expressions of Interest (EOI)

The ICO are currently considering EOIs for places on the 2021/22 sandbox. All applications will be considered on a ‘first come, first served’ basis. The ICO has said that once their existing spaces have been filled, successful applicants may be placed onto a waiting list. The ICO promise to notify all applicants within 4 weeks of receipt of an organisation’s submission.

The Sandbox – Frequently asked questions

An obvious question asked by Sandbox participants is what happens if they are found to be non-compliant in an area of data protection or if they suffer a data breach whilst participating in the sandbox process.

If a data breach occurs whilst participating in the sandbox process, the ICO has said that organisations must report the breach within 72 hours as required by the GDPR. However, the ICO has said that they will be very unlikely to undertake enforcement action if the organisation had met the terms of the Sandbox entry letter.

The ICO has also said that the sandbox team will not proactively assess an organisation’s wider processes for compliance. They say that if they identify a reportable breach during the course of the sandbox which falls outside of the scope of the product or service under development, they will advise the participant to report this to the ICO as per standard procedures.


Participation in the ICO Regulatory Sandbox gives organisations a chance to develop innovative data protection projects for the public benefit. The opportunity to work with experts from the UK regulator gives organisations increased confidence in their products and increased consumer trust.