Santa Claus & the General Data Protection Regulation (GDPR)

9 min readNov 9, 2018

I thought I would ease back into blogging (I know you’ve missed me…) with a jovial post given that it is apparently Christmas already (read: it is after Halloween)

Have you ever thought about Santa Claus (aka Father Christmas, St. Nick or St. Nicholas) and his General Data Protection Regulation (EU) 2016/679 (“GDPR”) compliance? Well… come right on in.

H/T here for the post idea.

I have also written a post about The Tooth Fairy & GDPR.

Santa needs YOU to help with GDPR (and WiFi)

The Problem

Problem Statement

Santa’s organisation is based in a North Pole but he has Data Subjects all over the world, including the European Union (EU), so he is subject to the GDPR — probably.

His ultimate goal is to deliver gifts (or coal) to those Data Subjects. In order to achieve this, he maintains a list of Data Subjects and arguably these include the parent/guardian information as well to facilitate decision making.

The Personal Data held likely looks something like:

full name
date of birth (with calculated age)
gender
address at the time of 24th/25th December
whether said address has a viable chimney
calculated score on naughty-v-nice
metadata on score decision making (naughty/nice factors over the year)
personality traits (to establish toy preferences)
toy wishes (letters received, if any, with requests)
a list of existing toys
parental/guardian information (might even so far as to salary information to determine number of gifts etc)

His staff must have access to this list in order to help him maintain it but at the very least in order to assess the perfect gift (or how big the coal should be) and make it.

One could argue technology could/should be used for automated decision making.

This list (database — likely Oracle RDS on Amazon Web Services) contains millions of records for Data Subjects all over the world.

Problem Scope

For simplicity, we will de-scope the privacy concerns stemming from actually visiting the property and entering it without being explicitly invited by an authorised person.

We will also assume the scope is limited to live Data Subjects (being newborn infant through to ‘whenever Santa stops delivering’ ) so that legacy records (including backups) are automatically purged when no longer required.

I said Santa is ‘probably’ under GDPR as thats how the legislation is applied — the Data Controller is subject to it based on Data Subject jurisdiction not Data Controller source jurisdiction.

Judicial redress is considered (or not considered) separately so for these purposes we’ll say that while the North Pole is considered under de-facto United Nations (UN) conditions (it is not a normally recognised country or territory) the EU regulators would fine (etc) Santa even if considered unenforceable (they can never imprison Santa or actually get any money out of him)

GDPR Compliance

Disclaimer

These are in no way exhaustive and I am not a [privacy-specialist] lawyer. I would urge Santa to retain an appropriately capable and experienced GDPR professional and engage a privacy-specialist legal firm.

Bite-sized chunks

I’ll review Santa’s GDPR position based on the GDPR core requirements. This is summarily what he could be doing, or at least what I hope is in place, and this will take Santa through to being somewhat aligned with GDPR’s core principles under a proportionality banner.

What data is being held?

We’ve covered this above, I think Santa has a pretty good grasp on the information he has.

Due to the logistical burden on his operation (how many gifts delivered in how long?!) he is likely to be intolerant of any paper records beyond the gift tags or address labels on item. I expect his sleigh to have a redundant IT systems (2+ iPads) with redundant satellite connectivity.

What are the conditions for processing?

Article 6 provides some core options:

(1)(a) — consent
this cannot apply as Santa does not obtain consent from Data Subjects (or more likely, parents/guardians on their behalf)
(1)(b) — contract
there is no exchange of promise for value
(1)(c) — legal obligation
I get the feeling Santa isn’t doing this because someone is making him
(1)(d) — vital interests
I’d argue the Data Subject wants a gift pretty vitally
(1)(e) — public interest task or vested authority
I’d argue a bunch of happy kids would be in the public interest (the vested authority does not apply as the EU would not recognise it)
(1)(f) — legitimate interests
as much as Santa as Data Controller wants to give gifts, the legitimate interests of the third parties (parent/guardian’s sanity) is likely more legitimate

I would advise Santa use the ‘vital interests’ and ‘legitimate interests’ (of the parents/guardians) as possible conditions for processing.

Where the data is being held

Offshore through Amazon Web Services. WorkSpaces are used for GUI representation and running queries with Oracle RDS holding all of the data.

Lambda is used for automated processing such as tallying the overall Data Subject naughty-v-nice score over the year (from the last Christmas until the cut-off point by which Santa needs a decision to make the gift in time).

Who has access to the data?

Pretty much everyone in Santa’s organisation, on the basis that they are all goal/mission orientated — even Rudolf needs to know where to go.

Elves should only be able to access Data Subject information as part of their work, so the right Data Subject information at the right time for the appropriate duration — if they are making Joe’s toy, they can only see Joe’s information (and limited scope) at that time — naughty-v-nice score, toy preferences etc.

Limited scopes are important based on context — Elves don’t need to know the address of the Data Subject while making a gift but they may need addresses (but not scores) when helping Santa pack his sleigh.

Who is responsible for the data?

Santa is likely operating as a sole trader in this situation as he isn’t worried about sales taxes etc.

Santa is operating a large organisation so should consider appointing a Data Protection Officer (DPO). The DPO must have direct access to the highest level of management in the organisation and can offer advice and while Mrs Claus is in conflict (and thus cannot be DPO) she would in theory be an effective one as she could make sure Santa sleeps on the couch if there was a Data Breach — this might offer the European Court of Justice (ECJ) some mild indirect appreciation that some justice has been served.

That the data is up to date and needs to be kept

Santa likely gets his data from governmental records (registering a birth workflows etc) — although I do suspect this is ‘extra legal’ due to lack of formal data sharing capabilities.

I would strongly recommend Santa create the North Pole as a territory and achieve UN recognition, in order to then setup data sharing agreements with each target country.

Once Santa holds this birth information, he can calculate age. But he needs to keep addresses up to date, so likely is buying copies of electoral data through data brokers who aren’t too worried about legal jurisdictions. Address data is parent/guardian linked, so he clearly has access to a plethora of education, social care and local state/authority data to be able to consistently link a Data Subject child with parents/guardians.

Using ‘extra legal’ means Santa may be re-washing his data with other data sources (other government databases etc) in order to keep things as accurate as he can — as data matching is hard and a single-source of truth is very difficult to find.

Santa likely programmatically monitors databases for deaths and change of name. A few Elves may be dedicated to the morbid job of monitoring hospital databases and obituary publications.

(I am increasingly worried about how we protect databases from Santa — but I would advise any organisation to consider Santa along with all other state actors but perhaps in a milder sense given Santa’s motivations are not to be harmful.)

That processing information is conveyed

Article 13 does not apply (Santa doesn’t get data directly from Data Subjects) so Santa is very likely in contravention of Article 14 as to my knowledge there is no published or readily available privacy notice conveying processing information.

Santa is unlikely to have any applicable exemptions in this regard (such as recognisable national security exemptions) that excuse him from needing to provide processing information.

What security is in place to protect the data?

Santa’s organisation likely uses up to date macOS devices because Santa is still burning VC cash all these years later.

As the macOS devices are only used for work, Internet connectivity to get to the AWS WorkSpaces and thus onwards into the Oracle RDS is a good solution.

EUCS controls through the JAMF device management solution prevent the Elves from accidentally exporting copies of data and ensure the local device is encrypted at-rest.

Santa has paid $$$$ to AWS and he has the Oracle RDS solution tiers which allow encryption in-transit.

Santa considered all the FVEY agency guidance and prefers the UK National Cyber Security Centre (NCSC) ones the most — so ensures he follows their end-user device guidance, IPSec & TLS configuration guides and more.

Santa does have a Bring-Your-Own-Device (BYOD) policy (based on the UK Ministry of Justice’s open source IT policy content repository) but he doesn’t pay the Elves enough to have their own personal devices so this isn’t an issue (well, in this forum — labour laws in the North Pole are sketchy)

No direct competition for Santa appears to exist so staff are unlikely to be subject to corporate espionage or other such influences/motivations thus Santa is quite happy with his inside actor risk (he perceives it more as inadvertent accidental breaches than intentional bad actor).

Santa has ensured that he has leveraged the shared responsibility models with AWS to ensure that they are responsible for commodity technical security such as patching, protecting against Denial of Service (DoS) attacks and so on.

Data subject rights (Articles 12 to 23)

Santa tends to get more ‘request’ letters than anything else so he sees this as a Article 16 (‘Right to Rectification’) over Article 15 (‘Right of access’).

Santa doesn’t comply with Article 17 (‘Right to erasure’) as his experience tells him either the Data Subject ages out of his scope, very sadly passes away or the Data Subject is ‘naughty’ and the right is not observed as he is insistent on delivering coal. Similarly, Santa laughs in the face of any restrictions (Article 18) or objections (Article 21).

Santa does not consider Article 20 (‘Right to data portability’) something he will be faced with due to lack of direct competition, and the most competition stemming from parents/guardians or other associates who likely have the same information. Santa is unwilling to comply as he also believes this would provide clarity to the extra legal methods he takes to obtain Personal Data.

Due to Santa’s opaque position on how scores are tallied and gifts decided upon, we’ll have to see what Santa’s position on Article 22 (‘Automated decision making / profiling’) is.

Santa cackles in the face of any restrictions (Article 23) because he has checked his list at least twice and is comfortable in the legal ambiguity the North Pole provides.

Summary & Recommendations

Santa’s GDPR compliance is summarily unclear and appears to pivot between possibly/probable compliance through to disrespect for Data Subject rights. Any accurate review is impossible without accurate accessible privacy notices and/or view of independently-audited internal risk assessments or privacy documentation.

My further recommendations above those already made would be:

engage in a proportional review from a high-level data protection/compliance perspective (starting with GDPR then into other requirements from other jurisdictions)
take a far more transparent approach by publishing a privacy notice
tell the hacking Elves to take it easy with this extra legal database activity stuff
include a brief leaflet with each delivery explaining where Data Subjects (or parents/guardians on behalf of) can go to view data, request it be updated and the contact details for where to send general data protection queries and complaints.
ensure the leaflet is printed on magic paper, so the complaints section dynamically conveys the Data Subject’s local data regulator and changes language and phrasing to ensure it is plain language (in the local language) to ensure it is understood.