The Information Commissioner's Office (ICO), which is responsible for enforcing GDPR and data protection in the UK, has launched an initial consultation, calling for evidence and initial views, on its proposed regulatory sandbox. The ICO sandbox is intended to support firms in adopting new technologies, such as Artificial Intelligence, to test their services in a controlled environment and, where genuine challenges exist, provide a forum to discuss possible risk mitigation and management approaches. Regulatory sandboxes have been successfully established by some regulators to understand and take a view on how regulation applies (or not, as the case may be) to innovative products. A regulatory sandbox will be immensely helpful to both the ICO and firms to work through how existing data security and privacy regulation should be enforced in a digital economy fuelled by private and public consumer data.
The application of technological innovation poses unique challenges to both the regulator and the regulated. My favourite is the inherent conflict between the immutable and non-erasable nature of data on the blockchain and the “right to be forgotten” under GDPR. This consultation provides an opportunity to highlight such inherent conflicts, or any other barriers to innovation, as well as to help shape the sandbox scope and capabilities required to address these.
The deadline for responding to this initial consultation is 12 October 2018. A detailed consultation (based on this initial round of feedback) is due later in the year.
If you would be interested in finding out more about regulatory sandboxes, including how start-up firms can best engage with them, please let me know.
[Firms] won’t be exempt from complying with data protection law, but they will have the opportunity to engage with us; drawing upon our expertise and advice on mitigating risks and data protection by design, whilst ensuring that appropriate protections and safeguards are in place.