After 2.5 years in GDPR, the Brexit around the corner, you are wondering how Santa has managed to make his entire organisation more compliant to European data protection and privacy law. He may be based at the North Pole, outside of the EU, but he has the personal details of all the children who celebrate Christmas in the EU and he delivers presents to them, and so the GDPR applies to him.
Since Santa doesn’t have a website on which to place his privacy notice, he’ll somehow need to provide a privacy notice to every parent whose child he delivers a gift to – if he’s to be compliant with the GDPR.
Santa needs to prove consent
Because he holds personal information such as name and address, age, interests and recent behaviour for each and every child he’s supposed gain consent from a parent of each minor child if he’s to be GDPR compliant.
I think we can safely assume that every parent would give consent for him to hold his or her details – so that their child can be sure of receiving a gift – but these days one can’t assume consent has been given because it’s not lawful to do that. Consent needs to be given freely and clearly and by means of a clear act.
Some argue that by writing a letter to Santa Claus and inviting him to visit your house you’re giving him your consent, but that won’t do for the GDPR. Unless they release an exceptional kind of clause before this Christmas, Santa Claus will be treading on thin ice.
Santa will need a DPO
Another thing is that Santa holds the details of well over 250 children and, because he performs systematic monitoring on them (to determine whose been good and bad), he’s obliged under the GDPR to appoint a data protection officer. His most responsible elf will probably get the job of advising him, but Santa himself will be the one responsible for compliance, as stipulated by the GDPR.
Since the GDPR came into play in May this year all data controllers like Santa must be able to show that they’re protecting the personal data they have on their records, that they’re using it lawfully and that they have permission to do so from the owners.
We may have to wait till Christmas to find out if Santa’s got his compliance act together. In the meantime, sweep your chimney and make sure your compliance journey is on track too.
PrivIQ offers an all-in-one solution highly affordable. Starting at £45/month, a license will include all features from data mapping to data breach management but also DPIA (Data Protection Impact Assessment) and Data Subject Access Request (DSAR).