Santa and the GDPR

Posted by Hugh on 21 December 2016

He better watch out, he better beware!

One of the most notorious data profilers in the world has just 18 months to get his act together, ahead of the GDPR coming on-stream.

In a week that saw news of a one billion-record hack at Yahoo, their second in 3 months, another data processing giant appears to have escaped scrutiny altogether – possibly because of the quiet, secret and perennial nature of the way he does business.

It’s that time of year, again, where minors are terrorised by the profiling and inaccessible data processing of a certain resident of the North Pole. His ‘Naughty or Nice’ list has become the standard against which most children around the world are measured, and leaves the Sunday Times Rich List a poor second in terms of eager anticipation and “the Fear”.

But whatever the benefits of being on his list, Santa will have to change his data processing activities in the next 500 days, in order to comply with the new General Data Protection Regulation, published during the earlier part of this year, and due to come into effect in early 2018.

Under the provisions of the new Regulation, the processing of personal data of data subjects anywhere in the world by a controller who is established in the EU will be subject to this Regulation. As readers (and reindeers) will be aware, substantial areas of the North Pole, protected by Norway, are recognised as forming part of the European Economic Area, so the new Regulation will apply to such processing.

From our reading of this provision, any “Naughty List” (or “Nice List” for that matter) will therefore be considered as ‘Profiling’ where it is being used to monitor the behaviour of EU citizens of any age.

In turn, Santa will need to review the credibility and accuracy of his list – this has always been a bone of contention, with data traditionally being acquired from completely unreliable sources – stressed parents, general monitoring of social media, and, most unreliable of all, the children themselves through a completely inadequate process of hand-written notes placed in fire-places around the world. It is a long, long way from what ISO27001 would require.

There is no way to sugar-coat this – Santa’s list will be in the cross-hairs by the time this legislation kicks in in early 2018. He and his service providers, most of whom are again resident within or on the frozen periphery of the EU, have a relatively short time to get their house in order and find a compliant basis for such processing in the future.

There are other concerns – Santa is likely to look among his workforce for candidates to be the Data Protection Officer – as an organisation which systematically monitors the behaviour of (underage) members of the public, there is no doubt that he is on the mandatory list for this obligation.

Up to now, compliance within the DP legislation has always been covered by the “Elf and Safety” department within his organisation, but he may now need to consider a more stand-alone role. And as an independent function within the organisation, the new DPO might be forced to move from being Santa’s little helper to the North Wind (Whistle) Blower.

Simply having the list in the first place will need to be justified with reference to the Lawful Processing Conditions. In some countries, there are real and tragic repercussions for being on the Naughty List – coal in the shoes (Germany), a visit from the Krampus (Austria, naturally), or being kidnapped and removed to Spain (Italy). The risk of getting the lists wrong is, therefore, both high and troublesome. Just as well he checks the list twice.

Traditionally, Santa does not seek the consent of the under-age data subjects whose behaviour, interests and performance he is monitoring.

Santa is likely to come under even further pressure to maintain an accurate list once the ‘Right to be Forgotten’ comes into play – one can only imagine the eagerness to remove any record of wrong-doing or vandalism committed between Halloween and December in order to transfer to the ‘Nice List’.

Some might wonder how a serial DP abuser can get away with such blatant disregard for the very principles we hold dear. In a year of uncertainties, when Brexit can loom as an impending reality, and when a questionable hair-style can become President, anything is possible.

Sytorus look forward to working with Santa and with all Data Controllers, not just those in the seasonal gift distribution and global courier services, to prepare their data management practices for compliance under the new Regulation. In the interim, we wish all our readers a restful, peaceful and worry-free week on the ‘Nice List’, with all that that entails!

In the quiet of the New Year, we may return to look more closely at the privacy implications of Santa’s data gathering activities, especially the more worrying aspects by which “he sees you when you’re sleeping, he knows if you’re awake”, etc. We will deal with covert surveillance on another day.