How GDPR Stole Christmas

‘Twas the night before Christmas, when all through the grotto, panic was afoot; Santa had forgotten to prepare for the upcoming GDPR enforcement! Where did it all go wrong? And how can you avoid making Santa’s mistakes in your organisation?

IT ISN’T RELEVANT TO ME!

Santa heard about the General Data Protection Regulation (GDPR) ages ago, but he didn’t think that it affected him! After all, he’s been getting Christmas so right for all these years what’s different now? Well, with the GDPR a lot’s changed, and nearly every organisation will be affected, including the Grotto…

Santa just didn’t realise how important the GDPR is, but it’s the most ambitious data protection legislation passed in the EU so far! It can all sound a bit bland, but almost every business will have to change its practices when it comes to acquiring, storing and using personal data. It even applies in the UK regardless of Brexit.

What do we mean by personal data? Names, birthdays, addresses, even genetic information! The GDPR extends the rights an individual – customer, employee or elf – has over how you control their personal data. Santa stores lots of personal data at the Grotto: he sees you when you’re sleeping, he knows when you’re awake, he knows if you’ve been bad or good… So of course the GDPR affects him!

SANTA’S LIST

We all know he has his list and that he checks it twice to find out who is naughty or nice, but Santa’s breached the GDPR! He’s kept tabs on us for decades, when he only needs to know if we’ve been good in the past year.

He remembers when you stole that sweet from the Pick & Mix when you were five, but that isn’t relevant anymore! Santa only needs to know if you’ve been nice over the past year, not ages ago.

Santa should’ve introduced data minimisation policies to ensure he only acquires, keeps and uses data that he needs to do his job. He also needs to acquire informed consent to use personal data, but that’s a whole different kettle of mince pies!

WRITING TO SANTA

Millions of children all around the world write to Santa every Christmas to ask for the best presents, but now they can ask for more – to be forgotten, too! Santa didn’t have the policies in place to grant this Christmas wish though…

Santa’s methods have long been mysterious, but no more! The GDPR will extend how much control everyone has over their personal data, meaning individuals will have the right to request what data organisations hold. They can even ask for this data to be deleted, too.

That’s why introducing adequate retention and deletion policies is crucial. Santa’s been busy packing his sleigh, and hasn’t introduced a robust data storage infrastructure. So when Cindy Lou Who asked for her data to be deleted, Santa didn’t know where in Lapland it was!

RETAINING ELF DATA

Elves are in high demand in loads of sectors, so they frequently come and go at the Grotto. Santa’s been keeping their details indefinitely when they leave, but why? Under GDPR, he can’t keep it without good reason…

The GDPR grants the individual greater control of their personal data; unless Santa can give a good reason for retaining his ex-helpers’ data, he’ll have to delete it.

It’s also worth reviewing his data breach procedures and anonymising whatever data he does hold. Then, if the Grinch managed to steal Santa’s data cache, he wouldn’t be able to do anything with the data and Santa would know about the theft right away!

SANTA’S LITTLE HELPERS

Santa can’t do it all on his own, which is why he’s got a helper for every little job. However, he’d forgotten to assign a data controller and a data processor for the incoming GDPR. Shame on you Santa!

He didn’t think the GDPR was relevant to him, so it’s no wonder Santa didn’t look into the roles of data controllers and data processors. But good governance under GDPR outlines this clearly.

Now Santa has a headache, but he could have avoided it if he had appointed these roles to his elves. A data controller would determine the purposes for which and the manner in which any personal data is or will be processed. Meanwhile, Santa’s data processor would carry out all data processing operations, including obtaining and storing data, all on behalf of the controller.

DISASTER IN THE MAIL

Disaster! Santa left the keys to the mailroom on the side while he was eating mince pies. Now Rudolph has got his hooves on the children's letters. Santa urgently needs to reassess his personal data safeguarding policies.

Santa has some data protection policies in place already, but nothing like what the GDPR requires. For starters, now he'll have to acquire parental/guardian consent for collecting/using the personal data of under-16s. Likewise, he'll have to anonymise the data he holds, using pseudonyms where possible. There's far more he can do, too, but by introducing a privacy by design approach throughout his organisation, Santa will make some good headway.

As an absolute first though, Santa can start by taking those keys off of Rudolph. Only those who need to use the data should be able to see it. Store those letters more safely next time, Santa!

CONSENT

Previously, Santa just assumed everyone wanted presents on Christmas Day, but now people must opt-in – did Santa get everyone’s fully informed consent to collect their data and share with toy marketing companies?

Gone are the days where Santa could assume that people were okay with him collecting their data, simply because they didn’t tell him otherwise. Now, Santa has to gain explicit consent to put you on his Naughty or Nice Lists, after he’s explained exactly how he’ll use your data.

But this year it’s caught him out! Fortunately, Santa doesn’t make any money – if he did, he could have been fined up to 4% of his turnover or €20 million, whichever amount is greater. Close one, Santa – better hope businesses don’t make the same mistake though…

A MERRY CHRISTMAS AFTER ALL!

It was a long haul, and at one point we didn’t think Santa would make it through, but thanks to Cyber-Duck the Grotto now has GDPR compliance in the bag.

We’ve briefly covered the EU’s General Data Protection Regulation here, but there’s far more to tell. For more information on the GDPR ahead of its enforcement on May 25^th 2018, we’re here to help. Check out our other articles on data protection and the GDPR below.

Questions? Feel free to get in touch.

Cyber-Duck is a full-service digital agency based in London and Hertfordshire, UK. We produce innovative user-centric products for clients including Thomas Cook, the Bank of England, and Cancer Research UK. Visit our website to find out more about our services or contact us for consultation about the GDPR.

Get in Touch

Introducing GDPR

The Basics of the New Data Protection Regulation

5 minute read

Read this story

User Experience & the GDPR

Best Practices You Need to Adopt

5 minute read

Read this story