So we’ve all seen the jokes on WhatsApp and Facebook about Santa’s lack of GDPR compliance and how this would all be changed for Christmas 2018. You know the one:
He’s making a list
He’s checking it twice
He’s gonna find out who’s naughty or nice
Santa Claus is in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679
We would like to put everyone’s mind at rest that Christmas will go ahead this year. Santa got BH Consulting on board to help him with his GDPR compliance programme.
So where did we start? First we looked at Santa’s processing activities and especially his processing activities with keeping all of those lists. Surely when a child writes a letter and sends it to Santa – thereby disclosing their own details – we can take this as informed consent? But what do we do about getting parental consent for the really little ones who aren’t able to write their own letters? And what do we do for the other children who haven’t written letters? Surely they can’t be forgotten! So Santa did a legitimate interest assessment – and of course he updated his privacy notice, so everyone’s aware of his legal basis for collecting data.
We also performed a security assessment for Santa, so we could make sure that all that data was safe and secure. Lastly, we made sure that Santa now has a clear retention policy. He no longer retains the children’s data once they reach adulthood (or when they stop believing in him, whichever comes first).
Then we had to delve a little deeper into what Santa was actually doing with this data. Most importantly, we checked whether he used any automated processing or profiling to determine who made it to the naughty list. It simply isn’t fair that any teenager who asks for a ridiculously expensive gift gets put on the naughty list. Now Santa, with the help of Mrs Claus and some elves, can read each child’s letter and review any information they have available to them to decide which list that child belongs on.
Of course, since the advent of GDPR, Santa has put a new data processing agreement in place with the elves so they carry out all their toymaking activities in a GDPR-compliant manner. In the event of some silly elf losing a list with children’s details on it, Santa is notified immediately so he can make the necessary notification to the DPC within 72 hours. Naturally, Santa chose Ireland as his lead supervisory authority.
There is now a full set of GDPR policies available at the North Pole and Rudolph has attended his GDPR awareness training. So all the children – in Europe – can rest assured that Santa has everything in hand and Christmas will go ahead this year in a GDPR-compliant manner. Season’s greetings from all of us at BH Consulting!