“He’s making a list, he’s checking it twice, he’s gonna find out who’s naughty and nice, Santa Claus is in breach of the GDPR…. Dear Santa, all signs lead us to believe that you are in breach of the GDPR. If you don’t get compliant, you are putting Christmas and gift delivery in danger!”
The note slipped out of Santa's hands. Terrified that he wouldn't be able to deliver the presents this year, he contacted Sopra Steria to find the answers to his questions and secure the Christmas deliveries.
First step: what is Santa's situation?
Santa Claus is the administrator of a database that includes every single person on the planet. In order to carry out his mission, he has to know names, surnames, addresses, where to land, and how to get down the chimney. He has to know our gift preferences, which change constantly throughout the year. Santa has never made a mistake or failed to deliver presents to people around the world.
Until now, Santa has always been convinced that the GDPR did not apply to him. After all, he is based at the North Pole, far from the European Union, and his Christmas journey covers the whole world. Is that really the case? Let's find out together, by looking at this transcript of the discussions between Santa Claus and Sopra Steria.
Santa: Does the GDPR apply to me, even if I'm based at the North Pole?
Sopra Steria: Yes, even if your organisation is based at the North Pole, your activity falls within the scope of the GDPR. You do process personal data of individuals around the world, but more importantly, you also process personal data of EU citizens. More precisely, you process different types of personal data of 447 million EU citizens.
Santa: What should I do with the data I process? Where do I start?
Sopra Steria: The first step is to identify the personal data that your organisation processes and understand what you do with it. Without this data, it would be impossible to achieve your mission. Let's do a data categorisation analysis together to give you an overview of the data you collect and process:
- Personal data such as surnames, first names, age, gender and home address, and probably also online data such as IP address, e-mail address and other identifiers when wishes are communicated electronically, in order to ensure that Christmas presents are delivered to the right person.
- Special categories of data such as race, ethnicity, religion, political opinions, and health-related data including our health conditions, eating habits, and food preferences in order to deliver culturally and socially adequate gifts.
- Behaviours and preferences such as data on our habits, wish lists and desires, general behaviour over the year in order to create "naughty" and "nice" lists.
Also, dear Santa, remember that the GDPR applies to digitally obtained information as well as to paper documents, such as the letters you receive!
Santa: That sounds complete and reasonable to me. So, are you also saying that I need to be careful about whose data I have and keep in my database?
Sopra Steria: Absolutely. You can't ignore who the data subjects are. Many of them are children, who are considered a vulnerable data subject group. It is also important to mention that you may also process the data of other groups of vulnerable people. The GDPR sets stricter conditions when processing personal data of vulnerable groups. Also, given the amount of data you process, you need to be aware that you process special categories of data on a large scale.
In addition, we have found that your organisation also relies on profiling and automated decision-making, mainly to establish who has been good or naughty. For example, you create and maintain the 'naughty or nice' list every year. Automated decision-making is something that the GDPR generally prohibits, but which may be allowed in exceptional situations and with human intervention involved. We have discovered that your machine learning solution for the 'naughty or nice' list uses algorithms that can significantly affect children by creating prejudice or discrimination about who will or will not receive presents for Christmas. This issue is a major concern for you.
Santa: I am very concerned about this analysis of the situation! I have to tell you that compliance with the GDPR seems overwhelming and complex. I don't know where to start. Can you help me to comply and ensure the delivery of the gifts?
Sopra Steria: Of course, Santa, it would be a great pleasure and honour to help you! Sopra Steria has extensive experience in Governance, Risk & Compliance (GRC), including expertise in the GDPR and data protection by design. Our approach to bringing your organisation into compliance is to help you develop and implement a Data Protection and Privacy strategy that you can maintain easily in the long run. We can help you with this in a concrete way: help you understand what you do with data, document it accordingly, review and define the necessary privacy policies, and provide you with technical and security expertise. This way you will follow through with the implementation of a data protection by design approach from start to finish.
Another practical way we can help you ensure that your processing activities and use of data are carried out in a data protection-friendly way is to perform a Data Protection Impact Assessment. This, Mr. Santa, will allow you to analyse your data processing activities in depth and assess the risks to people stemming from these processing operations. You will then ensure that all required data protection principles are respected and, more importantly, implement adequate organisational and technical measures to protect individuals' rights and freedoms. We will help you do this, don't worry!
Santa: Thank you Sopra Steria, thank you from the bottom of my heart! I am sure that with your help, Christmas will go smoothly, and our privacy will be even better protected!