#Santa GDPR Fail?

He’s making a list….

So, Santa, have you identified an appropriate legal basis on which to collect and process this data? There are 6 to choose from…

  • Have you obtained the explicit consent of the individual, or in the case of children, their parents, to add them to your list?
  • Do you have a legal obligation to collect and store this information, or need the information in order to protect their vital interests (i.e. save their life)? Thought not.
  • I suspect you might be hoping to rely upon using ‘in the exercise of an official authority’, which covers public functions and powers that are set out in law… Hmm, not sure about that last bit though.
  • So I guess your only hope is ‘legitimate interest’, which the ICO says is most appropriate “where you use data in ways [people] would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

Ah yes – that’s the one. What more compelling justification could there be than Christmas not being cancelled?

So, all you need to do now, Santa, is undertake a Legitimate Interest 3-part test, issue an Article 13 notice and direct people to your Privacy Policy, in which you clearly state that ‘Santa’ (with your company details) is the data controller. Job done.

He’s checking it twice…

Ah, now this is good. The GDPR says that we have to take “all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact”. I’m sure you’ve also got the ‘security’ bit covered too, which says that “you must ensure that you have appropriate security measures in place to protect the personal data you hold”.

So that’s a big tick in the GDPR Christmas box for you Santa.

He’s going to find out who’s naughty or nice

Right, we’re having a bit of trouble with this one. Are you accessing people’s criminal records, Santa, and storing them on your list against individuals’ names?

To process personal data about criminal convictions or offences, you must have both a lawful basis (which we’ve established above) and “legal authority or official authority for the processing under Article 10”.

Oh heck.

But as the ICO says that “you cannot keep a comprehensive register of criminal convictions unless you do so in an official capacity” I think you’re in the clear – after all, who could be more ‘official’ than Santa himself – a globally recognised icon of goodness, generosity and festiveness?

He sees you when you’re sleeping…he knows when you’re awake

Now then Santa, this isn’t good. If you have CCTV installed then you have to notify people that you’re recording their images, and register with the ICO (or potentially other regulatory bodies in other EU countries). This could get tricky. And expensive. Did you know that a company in Telford was fined £4500 in June this year for not having the right signs up?

It gets particularly difficult when the people you’re monitoring in this way are children too, as their data merits ‘specific protection’. Your supply chain might need looking at as well - just recently, the Children’s Commissioner said that s/he is “calling on internet giants and toy-makers to be more transparent about the data they are collecting on children.”

So I think you need to lead by example on this one, Santa, and stop collecting images of children without their (or their parents’) knowledge.

I’m counting on you Santa: please tell us that you’ve got all of this sorted, as that’s the best Christmas present we #GDPR-ers could wish for.

Katy Raines
Founder & CEO
