SANTA — JOLLY OLD MAN OR PRIVACY RISK?

As the first Christmas post-GDPR approaches, here’s a pressing question: how well prepared was Santa for the introduction of the new EU General Data Protection Regulation in 2018?

Santa himself is a very private individual and lives a low-key life away from the limelight for 11 months of every year. We know he is married to Mrs. Claus. He lives near the North Pole and is a major employer in the region (the elves). We all know he is kind to animals (the reindeer). That is the extent of our knowledge. Clearly, Santa understands the value of privacy.

So, let’s forget the presents for the moment and take a closer look at Santa’s data protection record. How does Santa’s North Pole operation match up against data protection principles? How prepared is Santa to meet the rights of data subjects? What safeguards has Santa put in place to cover the global nature of his data processing operations?

Are there privacy risks inherent in Santa’s operation? Did he address them in time to continue operating as usual this Christmas?

A DATA-CENTRIC OVERVIEW OF SANTA’S OPERATION

First, let’s examine the data Santa collects about our children:

  • Identity: Name, age, gender and home address.
  • Geo-location: Place of sleep on Christmas Eve.
  • Behaviour: Santa maintains a naughty and nice list. He reportedly knows if children have “been good or bad”.
  • Living conditions: Santa knows whether children live in houses or apartments, with and without chimneys.
  • Personal preferences: He has intimate knowledge of children’s wish lists including multiple revisions made from September to December every year. He knows whether children prefer their presents left at the foot of their bed or under the tree.

Combine this with the fact that almost all of Santa’s data subjects are under the age of 13, and this is a huge database of information held on children, who are afforded special protection under GDPR.

As a data protection practitioner, I would be advising Santa to carry out a Data Protection Impact Assessment (DPIA) to identify the risks in his data processing activities. I would be most concerned about the scale of processing and the mass surveillance activities required to maintain that naughty and nice list. I would be checking if all the processing is strictly necessary and I would be asking to see his privacy statement.

DATA PROTECTION RISKS IN SANTA’S OPERATIONS

Without going into a formal DPIA process, here are a few possible areas I’d look at in Santa’s massive data-heavy operations:

  1. Transparency: When those letters go up the chimney what does Santa do with the data? Where does he store it? How does he process it? Has anyone ever seen Santa’s privacy statement or is that chimney a one-way communication system?
  2. Legal basis: What is Santa’s legal basis? Is it public interest? Does he get the consent of his data subjects? Has he assessed the necessity and proportionality of his processing?
  3. Retention: How long does Santa retain information? Does he still hold mine? If he does, it is clearly long after it is necessary because I haven’t received a present in many, many years!
  4. Automated decision making: How does Santa determine who is on the naughty and nice list? Are machines involved in the process? Do children have recourse to challenge the list?
  5. Accurate and up-to-date: How does Santa keep track of the ever-changing wish-list contents? I know I can’t, and I only have a small number of children to track! How does he record when children are spending Christmas with grandparents or their cousins?
  6. Surveillance: Santa has a lot of information about children’s location on Christmas Eve and at other times. Clearly, he is carrying out some form of surveillance on children if he knows “when they have been good or bad”. Has he carried out an impact assessment? Has he put controls in place to address any risks?
  7. Data transfer outside the EU: We know Santa lives near the North Pole but not his exact location. Is his operation EU based or does he transfer his massive database outside the EU?

Clearly this is not an exhaustive list. Perhaps other data protection practitioners would like to add to it (but please don’t scare the children!).

Have a wonderful Christmas in 2018. I do hope Santa took some good GDPR advice and that everything will go smoothly this year.
