As companies continue to grapple with interpreting how the GDPR’s principles apply to their own businesses, in particular contexts, there is a growing need for data protection regulators to provide clarity on the practical application of the regulation.
In the UK, the Information Commissioner has recently taken steps to address these concerns through the announcement of a ‘Regulatory Sandbox’. Sandboxes offer a formal structure for constructive engagement between a regulator and the parties being regulated; allowing for collaboration and the exchange of ideas.
The ICO intends to use its own Sandbox to support organisations that are looking to use personal data in innovative ways through the use of new technologies and approaches. The scheme is open to companies ranging from multi-national organisations to start-ups. It offers the opportunity to receive access to free and professional expertise and support from the ICO on complying with the GDPR and UK Data Protection Act 2018 during the course of developing products and services.
In the immediate term the Sandbox will be limited to approximately ten organisations that are selected from a pool of applicants. These organisations will participate in the beta phase which is due to run from July 2019 until September 2020. During this period the ICO has committed to offering assistance with concept design and prototyping, informal supervision of testing processes and a series of drop-in workshops. Once a participant’s involvement concludes, they can request that the ICO provide a statement of regulatory comfort which aims to provide assurances regarding the product or service’s compliance with data protection laws.
An alternative approach to regulatory engagement
From a privacy perspective, the Sandbox encourages an alternative approach to regulatory engagement. Currently, the majority of EU data protection authorities have a tendency to operate in a primarily reactive manner. Most organisations will only come into contact with an authority if there has been a complaint issued against them by a data subject, or when they are required to report a personal data breach. This approach means that too much focus has been on contentious enforcement action that occurs after-the-event, as opposed to there being constructive engagement from the start which aims to encourage and guide compliance and determine best practices.
The results of the recent consultation undertaken by the ICO indicate that there is considerable appetite for the Sandbox initiative from the commercial organisations that responded. This shouldn’t be a surprise. DPOs and in-house counsel continue to contend with how to apply the somewhat vague concepts of privacy by design and default to their businesses and being able to find an appropriate balance between the rights of individuals to privacy and their companies’ commercial interests. They will therefore no doubt welcome the opportunity to further understand how the regulator expects companies to act.
A question that is commonly asked is how principles such as fairness, data minimisation and accountability should be applied in a practical environment, particularly to new technologies such as machine learning, blockchain and the internet of things. However, in the absence of approved industry codes of practice and context-specific regulatory guidance, the principle-based nature of the GDPR can create uncertainty and ambiguity. Companies that look to benchmark what they are looking to do against their peers, in order to determine market practice, will often find that approaches diverge significantly, with the key variable often being the degree of regulatory risk an organisation considers to be acceptable.
Therefore, even for the majority of organisations that are not involved in the beta phase, the Sandbox still promises to offer tangible benefits. The ICO has indicated that the initiative is likely to result in the publication of additional regulatory guidance and resources in the fields of innovation they are exposed to during the beta phase, along with publically available information about the identities of the participants and a brief description of the proposed innovation.
Equally, those organisations that are not participating in the beta phase shouldn’t feel discouraged from pro-actively engaging with the ICO and other relevant supervisory authorities independently of the official Sandbox scheme. In addition to consultation with data protection authorities being an obligation under Article 36 GDPR, where a processing activity is determined to result in a high risk to data subjects, consultation offers other benefits. For instance, it gives organisations the opportunity to develop a positive relationship with their regulators.
Opening a constructive channel of communication allows companies to build trust with supervisory authorities and understand what steps they should be taking in order to ensure that their commercial operations are privacy compliant. This step shouldn’t be taken lightly though. Before approaching a regulator it is important to have undertaken an assessment of the privacy risks to data subjects arising from any new technology or innovation and developed a detailed plan for how these risks can be mitigated. Consultation with the supervisory authority then offers an opportunity to validate this approach and tweak accordingly, rather than being mandated to make wholesale changes.
How sandboxes have worked in other industries
Although the ICO’s Sandbox offers a relatively novel approach to compliance in the field of privacy, there is precedent in other industries for the successful adoption of this model. In the UK financial services industry, the Financial Conduct Authority (FCA) introduced a regulatory sandbox in 2015. Similarly to the ICO’s proposed initiative, the FCA’s sandbox aims to facilitate firms testing innovative products, services and business models, with the provision of regulatory expertise and tools to support the design and testing phases. Many organisations, particularly start-ups, have already participated, with new innovations such as so-called robo-advice platforms (which offer automated financial advice) and distributed ledger technologies being tested.
Although one of the potential concerns that organisations may have with pro-actively engaging the ICO is the restrictions that it may seek to impose on the use of personal data, experience stemming from the FCA’s roll-out indicates that this argument should not carry undue weight. A ‘lessons learned’ report published by the regulator in 2017 indicates that access to regulatory expertise through the sandbox had reduced the time and cost of financial services firms getting innovative ideas to market. 90% of the firms that were entered into the first cohort reported to have continued towards a wider market launch of their product or service following completion of the sandbox. The scheme also appears to have fostered partnerships between large firms and start-ups that have been involved in the sandbox, creating further business opportunities for both parties.
The expectation is that, within the next 12-18 months, the ICO’s scheme will be rolled out to a much wider population of organisations. Applicants will be prioritised based on certain eligibility criteria, namely the public benefit offered by the proposal, the ability to demonstrate that the product or service is genuinely innovative (and not just business as usual) and the organisation’s fitness to participate.
In the meantime it will be interesting to observe how successful the beta phase is and whether the benefits we expect to see from the scheme are delivered.
This post was originally published by DataGuidance by OneTrust.