Santa Clause is coming to town, but has he considered the GDPR implications?

20 December 2018


Saint Nicholas may have checked his naughty or nice list twice, but has he checked the GDPR implications of processing millions of people’s personal data, including the data of all the children?

Although the North Pole operation is run outside the EU, Saint Nick still has to comply with the GDPR because he processes the personal data of individuals covered by the EU regulation.

We discussed GDPR endlessly prior to its implementation but since ‘D’ day it’s been nothing but a silent night. So, let’s consider the time of year and ask ourselves…what does Santa really need to consider about GDPR before he makes his world-wide trip on Christmas Eve?

T’was the night before Christmas…

Santa’s elves have been preparing and know all about GDPR. The elves have created a checklist for Santa to make sure he is GDPR compliant…

Parental consent – A child cannot give consent to data processing without his parents agreeing too. Santa must have consent from parents before he processes the children’s personal data.

Have you got consent for all circumstances when you are required to?

Right to be informed – Data subjects have the right to be informed of the purposes for processing personal data, retention periods and who it will be shared with. A privacy notice can be an effective way of keeping everyone informed.

Have you issued privacy notices where appropriate?

Right not to be evaluated on the basis of automated processing – the GDPR sets out provisions on:

  • automated individual decision-making (making a decision solely by automated means without any human involvement); and
  • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

You can only carry out this type of decision-making where the decision is:

  • necessary for the entry into or performance of a contract; or
  • authorised by Union or Member state law applicable to the controller; or
  • based on the individual’s explicit consent.

Is there enough elf-power in case every child decides to withhold their consent? Lots of elves will be needed to make those decisions manually.

Other GDPR considerations include:

Right of Access – individuals have the right to access their personal data which is commonly referred to as subject access.

Individuals can make a subject access request verbally or in writing and you have one month to respond. You cannot charge a fee for this.

Right of rectification – the GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.

An individual can make a request for rectification verbally or in writing and you have one month to respond. In some circumstances you may refuse a rectification request.

Right to erasure – the GDPR introduces a right for individuals to have personal data erased, commonly referred to as the “right to be forgotten”.

Individuals can make a request for erasure verbally or in writing and you have one month to respond to a request. The right is not absolute and only applies in certain circumstances.

Right of data portability – the right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

Have you considered your policies and processes to ensure that you are prepared for any requests or queries in relation to GDPR and personal data?

Despite the slowing media attention, the Data Protection Elves, also known as the Information Commissioner’s Office (“ICO”), have been working tirelessly to ensure that the naughty list is monitored and updated regularly. Here are some of the actions they have taken since May 2018:

Tax Returned Limited

London-based firm Tax Returned Limited has been fined £200,000 by the Information Commissioner’s Office (ICO) for sending out millions of unsolicited marketing text messages.

ICO issues the first fines to organisations that have not paid the data protection fee

The ICO has issued the first fines to organisations that have failed to register. This has affected businesses across a range of sectors including business services, construction, finance, health and childcare.

All organisations, companies and sole traders that process personal data must pay an annual fee to the ICO unless they are exempt. Fines for not paying can be up to a maximum of £4,350.

Don’t trust your luck – check here to see if you are exempt and, if not, ensure that you register and pay the fee.

Secure Home Systems Ltd

Secure Home Systems (SHS) of Bilston, West Midlands, has been fined £80,000 for making calls to 84,347 numbers registered with the TPS between September and December 2017, using call lists bought from third parties without screening them.

Boost Finance Limited

The Information Commissioner has fined London-based marketing company, Boost Finance Ltd (BFL), a company responsible for millions of nuisance emails about pre-paid funeral plans.

See the list of all the enforcement action taken, here.

Whilst it is the season to be jolly and enjoy the celebrations, it is also important to remember that compliance with the GDPR was not a tick box exercise and the compliance work will continue on an ongoing basis.

Don’t risk your name being on the naughty list next year!

Find out more about Hanna Sandford, Consultant at Aspire Business Partnership here
