What a wonderful and joyful time for young and old. A few more nights and dear Santa Claus will surprise us with the most beautiful presents. So, what will we get this year? A new bike? A laptop? A mobile phone or a Lego set? But for a moment, just imagine that Santa Claus would be inspected by one of the European data protection authorities. Would he still be allowed to deliver presents this year?

The GDPR regulation celebrates its second anniversary in May 2020. Some companies have ignored the new data protection rules, while others have been working hard in recent years to map their data and to find out which personal data they are collecting and processing. But is this data mapping comprehensive? And are these data still correct? Did your company take the appropriate measures? Keep in mind that mapping all data and keeping them permanently up to date are GDPR’s biggest challenges.

Christmas Inc.
Just suppose that Santa Claus would be the Chief Data Officer of Christmas Inc. Would he be GDPR compliant or would he be more likely to expect to by find by the data protection authorities? To deliver his Christmas gifts, Santa needs a lot of information:  name, gender and age, address details, personal preferences,.. Little Kevin, for example, got a puzzle last year, but now that he’s moving out of town with his parents, he’d like to get a new bike.

Moreover, Santa Claus would always have to make sure that every newborn is registered and that the details of children who are becoming adults are carefully removed from his records. In order to continue to deliver parcels in Europe, Santa should be fully GDPR-compliant:

  • Will he have a record of all the processing activities of the children’s addresses and preferences?
  • Will he have protected this record sufficiently so it cannot be misused?
  • Have the children, or rather their legal representatives, all given their consent to the storage and processing of their data?
  • Is the data that Santa is allowed to share, according to the reported processing activities and to the received consents, completely free of undeclared information?
  • Can he provide each child or their legal representative with the details regarding the personal information he holds?
  • Does a child who is not happy with the toys he or she received have a right to be forgotten and not receive other toys in the coming years? (highly unlikely to happen, but must be addressed)
  • Does Santa have a point of contact for each child, or their legal representative, to assert their rights?

Reputation loss
So there you go. If Father Christmas was a businessman, he would have to operate in compliance with the GDPR order to maintain our trust and avoid reputational loss. But fortunately, we are all big fans of Santa. We hope that he knows what we desire and we are confident to find once just the right gift underneath the Christmas tree.