"You better watch out, You better not cry, Better not pout, I’m telling you why: Santa Claus is coming to town...". As the holidays approach, we might just all be humming this tune. However, getting the second verse right next year will prove a little problematic for Saint Nick: making a list, checking it twice and finding out who has been naughty or nice will be governed by a strict set of rules specified in the General Data Protection Regulation (GDPR). Thankfully, Santa has just the right IT elves to do the job...
What is GDPR?
It is an EU regulation coming into force on 25th May 2018. It gives all people living in the EU the status of data subjects, entitling them to a wide array of rights that can be enforced against organisations that process personal data. These rights may limit the ability of organisations to lawfully process the personal data of data subjects, and in some cases these rights can have a significant impact upon an organisation's business model.
Does it apply to Santa’s North Pole organisation?
Santa’s list contains the names of all the EU children, which makes them Data Subjects. The list also contains personal data such as addresses, ages and gift preferences. Combining this with all the knowledge he has on every EU child (remember that he knows when you’ve been good or bad), GDPR would definitely apply to his North Pole organisation.
What parts of GDPR apply to Santa?
Let’s take a fictional EU child: Little Johnny. Little Johnny, as an EU citizen, enjoys GDPR rights. There are several scenarios where Little Johnny can have a say in how his personal data is handled by Santa…
- Parental consent for processing children’s personal data: Little Johnny cannot provide consent to data processing without his parents’ authorization. Even though Little Johnny is enthusiastically willing to receive his Christmas surprise, Santa will need to ask his parents’ authorization to contact him.
- Right to basic information: before collecting any other piece of information on Little Johnny, Santa would have to let him know what it is going to be used for. In our case, profiling to find out if Johnny has been naughty or nice.
- Right not to be evaluated on the basis of automated processing: Santa has to find out who on his list has been naughty or nice. However, Little Johnny’s parents have a right to a say in this regard, hence preventing Santa from reaching his final goal… and thus destroying his whole business model!
On top of the above scenarios putting a dampener on Santa’s business model, there are other rights that Santa and his IT department would have to comply with:
- Identifying Data Subjects: checking that whoever is asking for their personal data is who they say they are. You cannot let Little Johnny get access to his personal files without checking who he is first.
- Right of Access: Little Johnny should have access to his personal data whenever he wishes to.
- Right of rectification: if little Johnny’s age is wrong, he should be able to request to have it corrected.
- Right to erasure: unfortunately, Little Johnny does not believe in Santa anymore and wishes to be forgotten by Santa and his elves. Johnny’s personal data, past toy requests and letters should be erased.
- Right of Data Portability: Little Johnny still believes in Santa but would like to take a copy of the wish list he initially sent to the North Pole and recreate it with an online retailer. Because if Santa does not bring it, grandma just might buy it!
Why should Santa be GDPR compliant?
Setting aside the reputational impact of non-compliance for Santa, the European Union regulators could fine Santa up to €20 million. Luckily for him, Santa is a non-profit organisation; otherwise his fine would be 4% of his global turnover instead!
The North Pole not being part of the EU does not exempt Santa from being compliant: remember, it is the EU citizenship of the children that gives them the status of Data Subjects. The criterion for GDPR is where the kids are from, not the location of the organisation.
The consequences of non-compliance go beyond financial penalties: more secure data means it is less likely the Grinch will know exactly what to do to spoil Christmas for everyone!
How can Santa achieve GDPR compliance?
So before the EU regulators come to pay Santa and his IT elves a visit next May, what should they do? Their first step would be to take a look at the following white paper, “6 Steps to GDPR Compliance-by-Design”. Developed in partnership between MEGA International and Gruppo Imperiali, it describes a 6-step methodology that might just help the elves assess, remediate and demonstrate the North Pole’s compliance with GDPR.