'He’s making a list, he’s checking it twice, he’s gonna find out who’s naughty or nice’...but is Santa doing so in compliance with the GDPR?

As the first Christmas trees and advent calendars go up in stores and homes across the UK, our thoughts may turn towards the joys – and pressures – of the festive season. But a look at some of the activities of one of its most famous icons may help anyone who deals with personal data to understand some data protection basics.

So, is Santa subject to the main data protection law in the UK and Europe, the General Data Protection Regulation (GDPR)? And if so, what would good data protection compliance look like?  

We know that Santa collects personal data such as names, addresses, present preferences, and information to determine if someone has been naughty or nice. It’s possible that this information is just in his head, in which case data protection law can’t apply. But we suspect that Santa is either keeping a digital record, or at least a structured filing system (a big book). If so, he’ll have to read on. 

Santa will be a data ‘controller’ over the personal data he collects. This is because he decides ‘the purposes and means’ (the why and how) of personal data processing. He collects personal data directly from individuals and via surveillance operations for the purpose of allocating, making and delivering presents on Christmas Eve without being seen by data subjects. 

Pole position 

Even though Santa is established in the North Pole (and only the North Pole as far as anyone is aware), he offers his goods and services to individuals based in the UK and EEA. Furthermore, as the song goes “he knows when you're awake, he knows if you've been bad or good”, so we would probably conclude that Santa monitors the behaviour of individuals in the UK and EEA. Whilst Santa’s delivery of presents to the world at large arguably may not meet the relevant geographic ‘targeting’ requirements when offering goods and services, he would come squarely under the monitoring limb of the ‘territorial scope’ tests in Article 3(2) GDPR and will have to comply with its provisions resulting from a level of identity-linked behavioural monitoring that the world of Adtech could only dream of! 

Since he’s established as a data controller subject to GDPR, Santa should:

• Check if he needs to register with the relevant regulator (in the UK, the Information Commissioner’s Office or ICO) and pay any required data protection fee. In the UK he could benefit from the exemption for not-for profit organisations. But even if he doesn’t have to register or pay, the GDPR will still apply.
• Appoint an EU and UK representative in the UK to act as a liaison point for regulators and data subjects and keep a copy of Santa’s record of processing activities. Santa will need this as, though the GDPR applies to him, he is not established in the UK/EU. He’d also do well to look into which regulator is his EU lead supervisory authority, or whether he doesn’t have one and needs to deal with a number of them.
• Conduct a data protection impact assessment (known as a ’DPIA’). Santa’s processing is high risk, given the geographic scope of his surveillance operation, the sheer volume of individuals whose personal data is being processed and the type of individuals: children. This triggers the need for a DPIA, to identify and minimise any data protection risks before the processing begins. In particular, Santa should carefully consider how he will safeguard the personal data of children. 
• Establish a lawful basis for processing personal data. He might want to consider consent, or even a public interest task (both may be problematic), but the most appropriate lawful basis is likely to be legitimate interests, either of the controller or a third party. Santa’s own interests might be collecting mince pies and sherry. Third party interests might cover all those people who will receive gifts, or who benefit from the good behaviour of others striving to be on Santa’s nice list. Before relying on this basis Santa will need to conduct a ‘legitimate interests assessment’ to balance those benefits against the rights and freedoms of the individuals whose personal data is being processed, and record the outcome.  
• Provide a privacy policy to individuals. This policy should explain how and why Santa processes their personal data and how they can exercise their data protection rights. Santa should consider having two versions of this policy, one for adults and one for children as it is important that the policy is clear for its target audience. Additionally, Santa should provide an employee privacy policy to his elves to explain how and why their personal data is processed. 
• Put in place appropriate technical and organisational security measures to keep data safe and prevent a personal data breach. A leak of the naughty list could cause serious distress. 
• Put in place data processing agreements. Santa’s workshop is full of hard-working elves, many of whom will be at full capacity in the run up to Christmas, so it’s unrealistic to think that Santa won’t have arranged outsourced resource for overflow work (no doubt under a watertight NDA). Third party service providers will be legally separate entities acting as Santa’s data processors when handling Santa’s personal data. Depending on how they’re working with Santa, he might need to put a data processing agreement in place with these providers which contains the mandatory clauses in Article 28 GDPR. 
• Consider international transfers of personal data. Excited stocking-hangers sending information in letters to Santa fall outside the GDPR as, for them, it’s household information. But as soon as Santa needs to make a transfer, say to those outsourced elves, the GDPR restrictions on transfers kick in. The North Pole does not yet have an adequacy decision either from the UK or Europe, so to transfer the data lawfully, Santa must consider relying upon either a safeguard such as the standard contractual clauses or binding corporate rules or a derogation under Article 49 of the GDPR. 
• Consider if he is gathering data on criminal convictions and offences. He’s having a good think about the alleged commission of offences ‘and related security measures’, which covers a wide range of information. That naughty list might even constitute a ‘comprehensive register’, in which case he can only hold it under official authority. Let’s hope he’s authorised to do this by a law enforcement agency. In any event he will need additional compliance measures in place.
• Put in place data protection policies and procedures to comply with the GDPR. Santa will need records of processing activities, a data breach register, and policies on data retention, breach management, surveillance and data subject rights. Finally, as Santa engages in large scale, regular and systematic monitoring of individuals he should appoint a data protection officer. 

With these measures in place Santa can happily board the sleigh and set off for his annual madcap dash round the world. We wish him, and you, a happy (and GDPR-compliant) Christmas!