UK regulator moots data protection sandbox for organisations to play in

ICO strategy outlines plans to slurp up academic expertise

By Rebecca Hill


The Information Commissioner's Office has promised organisations a regulatory sandbox to test out the data protection implications of new tech as part of its first technology strategy.

The strategy (PDF), which will run from 2018-21, sets out eight goals for the ICO, along with three priority areas – cybersecurity, artificial intelligence, and device tracking – for the next year.

It aims to ensure the body stays up to date with the technology that has changed the sector it regulates almost beyond recognition.

UK data controllers to pay ICO up to £2.4k more a year when GDPR kicks in


The ICO said that its overall approach was that "privacy and innovation are not mutually exclusive" and that tech was both "a risk and an opportunity" – but it seems from the thrust of the document that the body is concerned about its own understanding of the tech.

The strategy makes much of the need to boost the technical expertise of ICO staff, setting out plans for extra training, new hires and closer links to academia, as well as pushing the idea of data protection by design.

One of the most immediate goals, which it plans to start work on this year, is to create a regulatory sandbox where organisations can develop new digital products and services in a way that the ICO can keep up with.

The aim is to ensure that "appropriate protections and safeguards are in place", so the ICO can offer advice about mitigating risks and building in privacy, and the sandbox will be modelled on a system that the Financial Conduct Authority launched in 2015.

Elsewhere, the ICO promises to increase education and awareness on tech issues for staff through training programmes and briefings at all levels, with technical competencies added into job descriptions.

It plans to recruit and retrain staff, along with seconding in experts from other organisations and establish technology apprenticeships with universities or other education providers.

Info Commish tells we shouldn't let artificial ignorance make all our decisions


The ICO also promises a post-doctoral scheme it hopes will increase in-house expertise and give staff easy access to advice. The first position will be a two-year postdoc to investigate the impact of AI on data privacy.

Further plans include greater collaboration with professional, academic and industry technology bodies, and regulators in other sectors and nations, as well as work to revise the ICO's technology reference panel, and to create expert roundtables on specific topics. It will also establish a panel of forensic investigators to support its regulatory work.

The strategy promises an annual conference on data protection and technology, along with reports on lessons learned from security breaches, various technology issues and concerns that arise from data protection impact assessments. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Er, we have 670 staff to feed now: UK's ICO fines 100 firms that failed to pay data protection fee

Enforcing GDPR is expensive work, says watchdog

Campaigners call for immigration exemption in UK's Data Protection Act to be scrapped

Judicial review into law launched

Cambridge Analytica seeks data protection assistant

Jobseeker? You may have heard of it...

Reel talk: You know what's safely offline? Tape. Data protection outfit Veeam inks deal with Quantum

Magnetic strips barrier to ransomware, burble box-flingers

US tech circles wagons as India reviews data protection proposals

Ex-Cisco CEO-chaired lobby leading the charge

IT management software crowd Kaseya buys cloudy data protection crew Spanning

Private equity holdings shuffle

Why, hello Rubrik's Trello: Data protection biz leaves productivity tool open to world+dog

Anyone with URL could see lists of case study projects

Uber hack: EU data protection bods launch taskforce

Justice commissioner slams biz for 'irresponsible' behaviour's Brexiteers warned not to push for divergence on data protection laws

As PM lacks specifics on UK’s desired ‘adequacy-plus’ deal

Big tech wants the ICO on EU data protection board in Brexit fallout

Watchdog keeping voting rights 'huge gain' for marketing sector, say Facebook, Google et al