Designing data-driven products and services in compliance with privacy requirements can be a challenging process. Technological innovation enables novel uses of personal data, and companies designing new data-driven products must navigate new, untested, and sometimes unclear requirements of privacy laws, including the General Data Protection Regulation (GDPR). These challenges are often particularly acute for companies providing products and services leveraging artificial intelligence technologies, or operating with sensitive personal data, such as digital health products and services.
Recognising some of the above challenges, the Information Commissioner’s Office (ICO) has commenced a consultation on establishing a “regulatory sandbox”. The first stage is a survey to gather market views on how such a regulatory sandbox may work (Survey). Interested organisations have until 12 October to reply.
The key feature of the regulatory sandbox is to allow companies to test ideas, services and business models without risk of enforcement and in a manner that facilitates greater engagement between industry and the ICO as new products and services are being developed.
The regulatory sandbox model has been deployed in other areas, particularly in the financial services sector (see here), including by the Financial Conduct Authority in the UK (see here).
Potential benefits of the regulatory sandbox include reducing regulatory uncertainty, enabling more products to be brought to market, and reducing the time of doing so, while ensuring appropriate protections are in place (see the FCA’s report on its regulatory sandbox here for the impact it has had on the financial services sector, including lessons learned).
The ICO indicated earlier this year that it intends to launch the regulatory sandbox in 2019 and will focus on AI applications (see here).
Further details on the scope of the Survey are summarised below.
The Survey has asked for views on a number of topics, including:
- What barriers and challenges to developing innovative products and services are perceived as a result of the GDPR and UK data protection legislation, as well as the regulatory approach taken by the ICO?
- What technologies or sectors should the regulatory sandbox focus on?
- What mechanisms would be most useful in the regulatory sandbox? For example, advice, “informal steers”, adaptions of regulatory guidance, letters of comfort, or negative confirmation (i.e., there is nothing to indicate that the proposed product or service would breach data protection legislation).
- What timeframes should apply?
- What criteria should be established to manage demand for the regulatory sandbox? Should it be limited to certain sectors or areas? How would the regulatory sandbox be funded?