As the first Christmas post-GDPR approaches, here’s a pressing question. How well prepared was Santa for the introduction of the new EU General Data Protection Regulation in 2018?

Santa himself is a very private individual and lives a low-key life away from the limelight for 11 months of every year. We know he is married to Mrs. Claus. He lives near the North Pole and is a major employer in the region (the elves). We all know he is kind to animals (the reindeer). That is the extent of our knowledge. Clearly, Santa understands the value of privacy.

So, let’s forget the presents for the moment and take a closer look at Santa’s data protection record. How does Santa’s North Pole operation match up against data protection principles? How prepared is Santa to meet the rights of data subjects? What safeguards has Santa put in place to cover the global nature of his data processing operations?

Are there privacy risks inherent in Santa’s operation? Did he address them in time to continue operating as usual this Christmas?

A Data-Centric Overview of Santa’s Operation

First, let’s examine the data Santa collects about our children:

  • Identity: Name, age, gender and home address.
  • Geo-location: Place of sleep on Christmas Eve.
  • Behaviour: Santa maintains a naughty and nice list. He reportedly knows if children have “been good or bad”.
  • Living conditions: Santa knows whether children live in houses or apartments, with and without chimneys.
  • Personal preferences: He has intimate knowledge of children’s wish lists including multiple revisions made from September to December every year. He knows whether children prefer their presents left at the foot of their bed or under the tree.

Combine this with the fact that almost all of Santa’s data subjects are under the age of 13 and this is a huge database of information held on children who are afforded special protection under GDPR.

As a data protection practitioner, I would be advising Santa to carry out a Data Protection Impact Assessment (DPIA) to identify the risks in his data processing activities. I would be most concerned about the scale of processing and the mass surveillance activities required to maintain that naughty and nice list. I would be checking if all the processing is strictly necessary and I would be asking to see his privacy statement.

Data Protection Risks in Santa’s Operations

Without going into a formal DPIA process, here are a few possible areas I’d look at in Santa’s massive data-heavy operations:

  1. Transparency: When those letters go up the chimney what does Santa do with the data? Where does he store it? How does he process it? Has anyone ever seen Santa’s privacy statement or is that chimney a one-way communication system?
  2. Legal basis: What is Santa’s legal basis? Is it public interest? Does he get the consent of his data subjects? Has he assessed the necessity and proportionality of his processing?
  3. Retention: How long does Santa retain information? Does he still hold mine? If he does, it is clearly long after it is necessary, because I haven’t received a present in many, many years!
  4. Automated decision making: How does Santa determine who is on the naughty and nice list? Are machines involved in the process? Do children have recourse to challenge the list?
  5. Accurate and up-to-date: How does Santa keep track of the ever-changing wish-list contents? I know I can’t, and I only have a small number of children to track! How does he record when children are spending Christmas with grandparents or their cousins?
  6. Surveillance: Santa has a lot of information about children’s location on Christmas Eve and at other times. Clearly, he is carrying out some form of surveillance on children if he knows “when they have been good or bad”. Has he carried out an impact assessment? Has he put controls in place to address any risks?
  7. Data transfer outside the EU: We know Santa lives near the North Pole but not his exact location. Is his operation EU based or does he transfer his massive database outside the EU?

Clearly this is not an exhaustive list. Perhaps other data protection practitioners would like to add to it (but please don’t scare the children!).

Have a wonderful Christmas in 2018. I do hope Santa took some good GDPR advice and that everything will go smoothly this year.

Marie Murphy
Co-Founder & Operations Director

Marie's interest is in data protection operations focusing on people and process to manage personal data processing risk in large and small organisations with a special interest in privacy by design.