Privacy professionals often grapple with a vital issue within the digital economy: How to use personal data to create innovative products and services while ensuring a data subject's privacy is maintained.
And now, one data protection authority wants to help.
The U.K. Information Commissioner's Office aims to facilitate this balance in an upcoming Regulatory Sandbox initiative for startups and other organizations. In the results of its call to views on the sandbox, the ICO said it received an "overwhelmingly positive response" to the initiative. Respondents included 65 commercial enterprises, public authorities and data subjects.
"We are a regulator with a broad set of tools at our disposal, and a sandbox is a tool that we think would be particularly useful for achieving our ambitions and desire to support innovation," said ICO Head of Assurance Chris Taylor in a phone interview with Privacy Tech. "We just want to, as a regulator, support the safe use of technology and safe innovation."
Taylor stressed the sandbox is still in its developmental phase, but offered some ideas of what form the initiative will take. He also wants to make a notable distinction about the ICO's sandbox: While some sandboxes provide tech tools and software to help entities experiment with the development of their products, the ICO wants to provide a space to help participants via "resources and expertise" instead of through tools. Taylor said companies may need a place to test how their products will use personal data to ensure they do not run afoul of any laws such as the EU General Data Protection Regulation.
Access to ICO resources was the most frequently cited benefit of the sandbox, according to the call to views. Those same participants cited advice and guidance from the ICO as the top sandbox mechanism they want to see in the project.
Respondents also offered some idea of what they would like from the ICO, such as continued advice — from the genesis of the idea to its testing phase — step by step walkthroughs of potential processing activities, workshops with development teams at an early stage, and advice and risk mitigation at the design stage.
"Our current thinking is that sandbox mechanisms will largely be based around such advisory and collaborative processes and that sandbox mechanisms will be developed for each participant in a bespoke sandbox plan – working to define objectives and timescales and drawing such mechanisms from an indicative list," the ICO wrote in the call to views summary.
The ICO's plans for the sandbox would cover a wide scope of industries and products, including health care, energy, telecommunications, financial services and financial technology, and online advertising. As for the products and services the initiative can cover, Taylor believes the sandbox can tackle many areas.
"We can think about the use of personal data in emerging and developing technology such as the internet of things, cloud-based products, biometrics, AI and those kinds of areas where GDPR principles apply," said Taylor.
The ICO plans to roll out the sandbox sometime in the next financial year, but Taylor said it does not want to set a concrete time just yet as there is still much work to be done. The agency is currently developing methods to engage with organizations to gauge interest in the project, as well as the best application criteria. He said the process for assessing applications will be an interesting one, as it is the first time the ICO has taken on such a project. Taylor claims this is also the first time any type of data protection sandbox has ever been established.
To flesh out the sandbox further, the agency will host consultation-style roundtables in 2019 and launch a blog to detail developments on the project as they emerge.
Taylor believes privacy professionals should keep their eyes on this project and hopes sandbox participants can take some vital lessons and turn them into guidance that can help tackle particularly tough issues within the industry. Larger entities may look at the sandbox and attempt to create similar spaces to examine how they develop new products and services.
"Purely from a professional point of view," said Taylor. "I’d imagine that privacy professionals would have a deep professional interest in how this balance between privacy and innovation pans out."
photo credit: Creative Tools 3D-printable sand play set - by Creative-Tools.com v2 via photopin (license)
If you want to comment on this post, you need to login.