- Posted by Marie Murphy
- On December 13, 2016
- Christmas gdpr, good data practice, Risk Assessment
How well prepared is Santa for the introduction of the new EU General Data Protection Regulation in 2018? How much is 4% of Santa’s annual global revenue and could he meet the fines?
Santa himself is a very private individual and lives a low-key life away from the limelight for 11 months of every year. We know he is married to Mrs Claus. He lives near the North Pole and is a major employer in the region (the elves). We all know he is kind to animals (the reindeer). That is the extent of our knowledge. Clearly Santa understands the value of privacy.
So let’s forget the presents for the moment and take a closer look at Santa’s data protection record. How does Santa’s North Pole operation match up against the 8 principles? Are there privacy risks inherent in Santa’s operation and how should he look to address them in 2017.
A Data-Centric Overview of Santa’s operation
First, lets take a look at the data Santa collects about our children:
- Identity: Name, age, gender and home address.
- Geo-location: Place of sleep on Christmas Eve
- Behavior: Santa maintains a naughty and nice list. He reportedly knows if children have “been good or bad”.
- Living conditions: Santa knows whether children live in houses or apartments, with and without chimneys.
- Personal preferences: He has intimate knowledge of children’s wish lists including multiple revisions made from September to December every year. He knows whether children prefer their presents left at the foot of their bed or under the tree.
Combine this with the fact that almost all of Santa’s data subjects are under the age of 13 and this is a huge database of sensitive information held on minors.
Clearly, as a data protection practitioner I would be advising Santa to carry out a Data Protection Impact Assessment (DPIA). He should identify risks to the data he collects and start addressing those risks in preparation for GDPR in 2018.
Data Protection Risks in Santa’s Operations
So without going into a formal DPIA process here are a few possible areas I’d look at in Santa’s massive data-heavy operations:
- Transparency: How does Santa collect all the information he holds? Does he get the consent of his data subjects?
- Retention: How long does Santa retain information? Does he still hold mine? If he does it is clearly long after it is necessary because I haven’t received a present in many, many years.
- Automated decision making: How does Santa determine who is on the naughty and nice list? Are machines involved in the process? Do children have recourse to challenge the list?
- Accurate and up-to-date: How does Santa keep track of the ever-changing wish-list contents (I know I can’t and I only have a small number of children to track)? How does he record when children are spending Christmas with grandparents or their cousins?
- Surveillance: Santa has a lot of information about children’s location on Christmas Eve and at other times. Clearly he is carrying out some form of surveillance on children if he knows “when they have been good or bad”. Is this surveillance legitimate and reasonable?
- Data Transfer outside the EU? We know Santa lives near the North Pole but not his exact location. Is his operation EU based or does he transfer his massive database outside the EU?
Clearly this is not an exhaustive list. Perhaps other data protection practitioners would like to add to it (but please don’t scare the children!).