
THE PINK SANDBOX: BUILD YOUR CASTLE IN BERMUDA
As introduced in our Mid-Atlantic Privacy Compass, the Office of the Privacy Commissioner for Bermuda (PrivCom) is committed to promoting a responsible approach to the way organisations use personal information in Bermuda while facilitating new and innovative technologies.
Responsibility does not solely fall on organisations. Regulatory bodies and stakeholder groups have a responsibility to participate constructively in the process. That is one of the reasons why regulators around the world have developed "sandboxes," or structures where innovative organisations can test and experiment in a controlled environment and in close coordination with the regulator. The regulator’s role in a sandbox is to provide oversight and expertise.
Of course, we know something about sand here in Bermuda, which is famous for its pink-tinted beaches. Our community is by nature a collaborative, close-knit space where interactions between participants are convenient - an ideal testing ground for new ideas.
This page will describe our Privacy Innovation and Knowledge-sharing (or, "Pink") Sandbox and how organisations may express interest in participating.
WHAT IS THE PINK SANDBOX?
The Personal Information Protection Act 2016 (PIPA) provides the Privacy Commissioner with the power to "comment on the implications for protection of personal information in relation to an organisation's existing or proposed programmes" (Section 29(1)(f)) and to "give guidance and recommendations of general application to an organisation on matters relating to its rights or obligations" (Section 29(1)(i)).
The Pink Sandbox is a free service and a formal mechanism to allow PrivCom to engage with organisations early, without discouraging innovative programmes or ideas that use personal information and do not have long histories of risk profiles.
The Pink Sandbox will encourage a Privacy by Design approach that anticipates issues early. Such an approach allows participating organisations to avoid missteps and build privacy into their products or services as a default setting.
WHAT ARE THE BENEFITS OF PARTICIPATING?
Working through the Pink Sandbox provides organisations with access to PrivCom expertise to enable them to feel more confident in their product, project or service, as well as their organisational approach to the use of personal information and privacy-related issues.
Since involvement in the Pink Sandbox will be publicly announced, participating organisations will gain visibility as responsible members of the community who are undertaking their due diligence. Organisations will also have the ability to contribute to the development of PrivCom's regulatory approach to innovation.
WHAT DOES PARTICIPATION ENTAIL?
Every organisation and idea is unique, so Pink Sandbox participation will vary in each instance. As an early step, the participating organisation and PrivCom will agree on the scope of the participation, including details such as frequency of communications and meetings.
On a case-by-case basis, PrivCom will issue qualified statements of regulatory comfort to indicate product, project or service, or organisational, compliance with privacy standards and best practices in accordance with PIPA. This statement would be a point-in-time statement that could be adapted, changed, or revoked (even retroactively) based on future developments or additional information.
Important: Please note that participation in the Pink Sandbox and the qualified statements of regulatory comfort issued by PrivCom as part of the Pink Sandbox exclusively apply to PIPA.
WHAT ARE WE LOOKING FOR?
The Pink Sandbox is intended to support organisations that plan to or are in the process of developing innovative products, projects or services that use personal information in novel ways and/or are of benefit to the community (startups,[1] small organisations,[2] mid-sized organisations,[3] large organisations, private, public and third sectors). PrivCom intends to do so by providing the following:
- advising on mitigating risk of harm to individuals and embedding privacy by design/default;
- tailoring support and expert advice free of charge to each project, developing a plan; and
- advising pre-market innovators developing, testing or refining new projects, products and services that use personal information in new, innovative or significantly adapted ways.
WHAT ARE THE KEY AREAS?
PrivCom is inviting organisations to submit their innovative product, project or service that uses personal information to be considered for participation in the 2025 iteration of the Pink Sandbox (see the Expression of Interest). The Pink Sandbox focuses on two key areas:
Emerging Technologies
PrivCom’s Pink Sandbox aims to support the innovation of organisations working with emerging technologies, and to help them prevent potential harms to people’s privacy. Emerging technologies present significant opportunities to make people’s lives easier, safer, more comfortable, and efficient, but they also present a range of risks that may harm people’s privacy and trust in these technologies. As technology evolves, this is likely to be the case especially if the risks are not addressed.
Exceptional Innovations
PrivCom also welcomes innovations that do not use emerging technologies but display an exceptional level of innovation. Examples include an activity that uses personal information that is not yet established in any sector, or a novel use of an existing innovative technology. There should be qualitative and quantitative evidence that the innovation is likely to be transformative.
WHAT ARE THE STAGES OF THE PINK SANDBOX?
Estimated Pink Sandbox application & entry process timescale
[Timeline figure with five numbered points (1 to 5). Month labels: April, May/June, Sep, Oct/Nov. Stage labels: Call/Apply, Application/Assessment, Panel review, Decision, Pink Sandbox Participation, Exit & Review. Durations shown: 3-5 weeks; 6 months max.]
HOW DOES AN ORGANISATION EXPRESS INTEREST?
If you are interested in entering the Pink Sandbox, you can access the Expression of Interest (EOI) form on the link below. A completed EOI form is to be submitted to innovation@privacy.bm by EOD on 11 May 2025.
Organisations are advised to review the Pink Sandbox Terms and Conditions. A signed agreement will be necessary to engage with PrivCom after an EOI is accepted.
[1] An organisation, project, product or service in the first stages of its operations that is often financed during this period with money from its founders.
[2] An organisation with fewer than 50 employees and an annual turnover under $13m.
[3] An organisation with fewer than 250 employees and an annual turnover of $32m - $643m. https://www.gov.uk/government/collections/mid-sized-businesses
