Two years ago, the U.K. Information Commissioner’s Office (ICO) formally launched its regulatory sandbox to help companies develop data-driven products safely.
Since then, a mix of small and large multinational companies—among them Heathrow Airport and pharmaceuticals firm Novartis—have worked with the regulator to ensure the products and services they intend to run strictly comply with the General Data Protection Regulation (GDPR) and other privacy legislation.
Legal tech firm Seers applied to take part in the ICO’s regulatory sandbox last October and gained approval in January—a process the company’s chief commercial officer, Zahra Shah, describes as “in-depth” and “thorough.”
The firm operates a privacy and consent management platform for companies worldwide that enables age verification checks before children can access website content—an issue close to the ICO’s heart since the regulator launched its code of practice to protect children’s online privacy last year.
Since being approved, Seers has had regular meetings with the ICO and has agreed to an action plan of how the development should proceed, with regular stage-gates included to ensure the project meets the necessary criteria before moving forward. The project should be signed off by July at the latest.
Shah says the company wanted to be part of the sandbox because “we work in a fast-moving industry where the issue of protecting children’s online privacy has become increasingly paramount. We need our services to not only be fully GDPR compliant, but ahead of the curve in terms of best practice. Having close, direct access to an ICO subject matter expert is an invaluable asset in helping ensure our platform is designed with safety in mind.”
Last year, Norway’s data protection authority (DPA) launched its sandbox initiative to promote the development of ethical and responsible AI solutions, principally in startups and new firms. Meanwhile, in February, France’s CNIL called for the first round of applications for its own sandbox to promote data-led projects in the healthcare sector.
Both the Norwegian and French schemes aim to build “privacy-by-design” into the projects they greenlight from the outset.
The Norwegian DPA has received 25 applications, though only three or four tech firms will be successful in the first round. The regulator hopes the projects that are ultimately selected for the sandbox will offer lessons for businesses in how to maintain sound data privacy practices, as well as demonstrate what the authority is looking for when companies attempt to launch similar data-driven products and services.
Stefan Borg, chief information officer at medtech startup Nordic Brain Tech, says the company applied to take part in the sandbox because it saw it as an opportunity to collaborate and make use of the regulator’s expertise to develop a user-friendly product and reduce GDPR compliance risks from the outset of its design.
Another applicant is NCE Finance Innovation, a nonprofit FinTech cluster made up of three insurance companies, a technology consultancy, and a law firm, which aims to create a large data set for training fraud detection models by pooling customer data from the three insurers. The idea is that the fraud detection models from each company will achieve greater accuracy by training on more data.
Henrik Hedegaard, project lead, says the initiative’s primary challenge has been concerns around data privacy rather than building the technical infrastructure. “With our project being based on transferring customer data out of the companies involved, we require guidance in navigating the dicey waters of data privacy,” he says. “This has so far been provided by our legal counsel, but we have realized starting a dialogue directly with the DPA would speed up progress and perhaps allow us to be slightly less cautious in our approach.”
If its application is successful, Hedegaard expects the process to last for six months, with the hope the DPA can then act as counsel when needed as the project goes into development. If it is unsuccessful, Hedegaard says the company “will continue with our current approach, which is to have our legal counsel make qualified guesses as to what the authorities will count as personal data.”
“We feel this is the best—and only—alternative, but perhaps not the optimal solution in terms of efficient development and maintaining clarity with regard to GDPR risk,” he adds.
Such sentiments are shared by fellow applicant Secure Practice. The cloud services provider aims to develop an employee profiling tool so clients can determine what level of data privacy risk an individual may present given their understanding of data protection rules and procedures. The profiling would then enable the employer to consider providing further training or denying them access to sensitive data if they believe certain employees would not treat it with the care it needs.
“Employee profiling is a new area for us, and it presents enormous legal risks if any part of the process we are developing is not GDPR compliant,” says Erlend Andreas Gjaere, the company’s co-founder and CEO. Like Hedegaard, Gjaere says if the company’s application is unsuccessful, he will continue to proceed with developing the product but admits it could be at a slower pace without the regulator’s hands-on GDPR and legal expertise.
Bojana Bellamy, president of law firm Hunton Andrews Kurth’s Centre for Information Policy Leadership, welcomes DPAs’ efforts to encourage safe data innovation through sandboxes and believes others will continue to follow suit.
“It makes practical sense for DPAs to engage with the tech sector to provide a clear steer about how data-driven products and services can be developed safely, what best practice looks like, which areas of development may be problematic, and what would be considered risky or noncompliant,” says Bellamy.
“The only problem is resources,” she says. “Most European DPAs have limited budgets and staff numbers, which means only a handful of companies—at best—are going to go through the scheme per year. The only way this is going to be scalable and provide meaningful help is if DPAs can make these case studies public and use them to produce guidance so the tech sector more widely can benefit from these experiences.”