Dear Santa, we need to talk about the GDPR

Dear Santa Claus, it has come to our attention that you are among the biggest collectors of personal data in the world. By our calculations, you collect personal information on more than 30% of young children in families around the world. Information gathered concerns whether subjects have been ‘naughty’ or ‘nice’, the geographic location of the bedrooms of children, knowledge about wishes and dreams and, most peculiarly, sleeping patterns.

We can only assume that this information has been gathered through extensive data-gathering operations, rumored to be accomplished via a program termed ‘Elv3s’, distributed through the Rud01PF platform. With the GDPR fast approaching, we are concerned about whether your data collection and processing activities are being conducted in a way that complies with the GDPR regulation that comes into effect May 25, 2018. Because at Datastreams.io we are big fans of your charitable behavior, we would hate to see you fined up to 4% of your annual turnover. To avoid this, you might want to take a hard look at the following elements of your data processing:

• Consumer consent. While at Datastreams.io we know that you have nothing but good intentions, we also know that it is important to establish the lawfulness of your data processing activities. We believe that the lawful processing basis for your activities should be consent. We therefore advise you to look at your consent policies, which are no longer up to date. Under the GDPR you will also be required to ask consent from parents before gathering information on their children. We’ve already written a guide on GDPR consent that may be useful to you.

• Transparency and disclosure. We understand you are a very secretive person, but it’s time to disclose some of your secrets. Specifically, which data you collect and how this data is collected and stored. You have clearly attempted to disclose some of this behavior in songs like ‘Santa Claus is coming to town’, but we believe this disclosure of information is not sufficiently written in “a concise, transparent, intelligible and easily accessible form, using clear and plain language” as the GDPR prescribes. Furthermore, data subjects will need to know where to contact you if they want personal data deleted or want to lodge a complaint. It’s time to reveal where on the North Pole your company is, exactly.

• Security and protection. Because you are, as far as we know, the only data processor working with the Elv3s software, we hope that you have taken possible privacy concerns into consideration when implementing your data solutions. Encrypting data and regularly testing your cybersecurity solutions will be integral to continuing to operate in a compliant way. Make sure you don’t forget to inform your data subjects in the event of a data breach. Because you regularly monitor data subjects on a large scale, you will also be required by law to appoint a Data Protection Officer. You can appoint one of your current employees as a DPO, or bring in help from outside. We’re sure many ‘little helpers’ will be happy to take on the role.

Santa's not so GDPR compliant list...

These are just a few concerns we have with your data processing policies, Mr. Claus. The Data Protection Officer you will hopefully appoint will likely point out more issues, such as the profiling of children as ‘naughty’ or ‘nice’ and the reliability of kept records. You might find your current data architecture incapable of dealing with GDPR demands, but no fear: our data stream manager & consent manager solutions will help you comply with GDPR demands in time, so you can work on getting us those presents we asked for…

Merry Christmas, Santa!
