‘Twas the night before Christmas, when all through the grotto, panic was afoot; Santa had forgotten to prepare for the upcoming GDPR enforcement! Where did it all go wrong? And how can you avoid making Santa’s mistakes in your organisation?



Santa heard about the General Data Protection Regulation (GDPR) ages ago, but he didn’t think that it affected him! After all, he’s been getting Christmas so right for all these years what’s different now? Well, with the GDPR a lot’s changed, and nearly every organisation will be affected, including the Grotto…

Santa just didn’t realise how important the GDPR is, but it’s the most ambitious data protection legislation passed in the EU so far! It can all sound a bit bland, but almost every business will have to change its practices when it comes to acquiring, storing and using personal data. It even applies in the UK regardless of Brexit.

What do we mean by personal data? Names, birthdays, addresses, even genetic information! The GDPR extends the rights an individual – customer, employee or elf – has over how you control their personal data. Santa stores lots of personal data at the Grotto: he sees you when you’re sleeping, he knows when you’re awake, he knows if you’ve been bad or good… So of course the GDPR affects him!

Read more about who it affects



We all know he has his list and that he checks it twice to find out who is naughty or nice, but Santa’s breached the GDPR! He’s kept tabs on us for decades, when he only needs to know if we’ve been good in the past year.

He remembers when you stole that sweet from the Pick & Mix when you were five, but that isn’t relevant anymore! Santa only needs to know if you’ve been nice over the past year, not ages ago.

Santa should’ve introduced data minimisation policies to ensure he only acquires, keeps and uses data that he needs to do his job. He also needs to acquire informed consent to use personal data, but that’s a whole different kettle of mince pies!

Read more about data minimisation



Millions of children all around the world write to Santa every Christmas to ask for the best presents, but now they can ask for more – to be forgotten, too! Santa didn’t have the policies in place to grant this Christmas wish though…

Santa’s methods have long been mysterious, but no more! The GDPR will extend how much control everyone has over their personal data, meaning individuals will have the right to request what data organisations hold. They can even ask for this data to be deleted, too.

That’s why introducing adequate retention and deletion policies is crucial. Santa’s been busy packing his sleigh, and hasn’t introduced a robust data storage infrastructure. So when Cindy Lou Who asked for her data to be deleted, Santa didn’t know where in Lapland it was!

Read more about the right to be forgotten



Elves are in high demand in loads of sectors, so they frequently come and go at the Grotto. Santa’s been keeping their details indefinitely when they leave, but why? Under GDPR, he can’t keep it without good reason…

The GDPR grants the individual greater control of their personal data; unless Santa can give a good reason for retaining his ex-helpers’ data, he’ll have to delete it.

It’s also worth reviewing his data breach procedures and anonymising whatever data he does hold. Then, if the Grinch managed to steal Santa’s data cache, he wouldn’t be able to do anything with the data and Santa would know about the theft right away!

Read more about HR & the GDPR



Santa can’t do it all on his own, which is why he’s got a helper for every little job. However, he’d forgotten to assign a data controller and a data processor for the incoming GDPR. Shame on you Santa!

He didn’t think the GDPR was relevant to him, so it’s no wonder Santa didn’t look into the roles of data controllers and data processors. But good governance under GDPR outlines this clearly.

Now Santa has a headache, but he could have avoided it if he had appointed these roles to his elves. A data controller would determine the purposes for which and the manner in which any personal data is or will be processed. Meanwhile, Santa’s data processor would carry out all data processing operations, including obtaining and storing data, all on behalf of the controller.

Read more about data controllers and processors



Disaster! Santa left the keys to the mailroom on the side while he was eating mince pies. Now Rudolph has got his hooves on the children's letters. Santa urgently needs to reassess his personal data safeguarding policies.

Santa has some data protection policies in place already, but nothing like what the GDPR requires. For starters, now he'll have to acquire parental/guardian consent for collecting/using the personal data of under-16s. Likewise, he'll have to anonymise the data he holds, using pseudonyms where possible. There's far more he can do, too, but by introducing a privacy by design approach throughout his organisation, Santa will make some good headway.

As an absolute first though, Santa can start by taking those keys off of Rudolph. Only those who need to use the data should be able to see it. Store those letters more safely next time, Santa!

Read more about safeguarding



It was a long haul, and at one point we didn’t think Santa would make it through, but thanks to Cyber-Duck the Grotto now has GDPR compliance in the bag.

We’ve briefly covered the EU’s General Data Protection Regulation here, but there’s far more to tell. For more information on the GDPR ahead of its enforcement on May 25th 2018, we’re here to help. Check out our other articles on data protection and the GDPR below.

Questions? Feel free to get in touch.


Cyber-Duck is a full-service digital agency based in London and Hertfordshire, UK. We produce innovative user-centric products for clients including Thomas Cook, the Bank of England, and Cancer Research UK. Visit our website to find out more about our services or contact us for consultation about the GDPR.

Get in Touch