Longer Reads

Dear Santa…A Cautionary Data Privacy Tale

A cautionary Christmas tale.

3 minute read

Published 21 December 2021

It had been quite a year for the keepers of that vast, ever-changing database held in that ever-so-secure environment right by the North Pole. Since Santa Claus had come to the uncomfortable realisation that not only the identities of the billions of children worldwide that he held, but also his unique naughty/nice classification of that data were subject to the EU General Data Protection Regulation, he had been scratching his beard trying to work out exactly what he should be doing to get compliant. Although the North Pole was outside the EU/EEA it was still subject to GDPR because of all the EU children whose data he held.

The data privacy elves had helpfully put together a data flow analysis to work out exactly what personal data they were holding and what it was being used for. Fortunately, Santa would never allow any of his data to be exported for use by anyone else.

Security was tight. The cyber technologists had certainly earned their mince pies in averting the attempted hack by the trolls last year, and had put in place the latest firewalls and hack-resistant software. Getting rid of the old servers and moving everything to the cloud made perfect sense to Santa. The reindeer were just a little confused as to which one was THE cloud.

The compliance programme seemed to be going well. All the elves and fairies had completed their data privacy training, and a month before the big night not only presents, but also data processing appeared to be under control. For every letter he received, the elves requested parental consent to the child’s request being considered, and sent details of the new Privacy Statement and Cookie Notice.

Then, around 25 November, an innocuous-looking letter arrived. Little Johnny Begood wrote that he would like a Ferrari for Christmas, since he had been trying very hard this year to live up to his name. Santa certainly had him down as ‘trying’. Johnny added that he was intrigued to know what Santa knew about him and asked exactly what information he had. Santa smiled a knowing smile and chuckled a knowing chuckle. That was for him to know and children like Johnny to wonder about. He popped it on the pile of letters to be answered when things quietened down a bit and thought no more about it.

Three weeks later, and with a week to go, he was having a leisurely stroll through the Grotto, checking this and that, when he noticed his Chief Data Privacy Fairy sending elves scurrying left and right, pressing buttons and setting up spreadsheets. She was waving a letter around and shouting “How long have we had this? Why wasn’t I told immediately? Didn’t you recognise what it was from your training?”

Santa had never seen her so angry, and as soon as he recognised Johnny’s letter in her hand he had the first creeping sensation that something was about to go ever-so-slightly catastrophically wrong.

With his best jovial Santa voice he said “So, what’s the problem eh? We only disclose information on a need-to-know basis and this little Johnny most definitely does not need to know all information we have about him.”

“But Santa, you don’t understand, this letter is quite clearly a DSAR”.

“A DSAR? Sounds a bit like a D-Sar-ster” quipped Santa.

“Exactly” said the Chief DPF. “A Data Subject Access Request means that you have to provide details of all personal data you hold about an individual, and you don’t have much time to do it. 30 days in fact, since we probably can’t claim that this is a particularly complex request. And it looks like we have been sitting on it for over three weeks, so that only leaves us a week to gather all the information we need and put a reply together, smack bang on top of Christmas Eve! The timing couldn’t be worse!”

“Calm down” said Santa. “The letter doesn’t say anything about it being a DSAR thingy. Can’t we just ignore it? The last time we got one we asked the little girl to pay £10 and we never heard from her again”.

“It doesn’t have to say it’s a DSAR. It just has to make a request for the personal data you hold as a data processor, which it does. And things have changed under the GDPR – it is quite clear that you have to reply and you can’t charge for it.”

“Well surely a few days here or there won’t make a difference?” said Santa.

“I wouldn’t bank on it” said the Chief DPF. “From what we know about young Master Begood he knows his rights and will probably have the 30 day deadline marked on his Advent Calendar, so when he opens the door there will be a message saying ‘Data Breach – Notify Information Commissioner!’. The next thing we know we will have an investigation by a Data Privacy Regulator on our hands, and who knows where the enforcement action will lead”.

Santa didn’t often feel cold, but that definitely sent an icy chill travelling down his spine, not at all helped by the realisation that this time-pressure was all his fault. In a much more contrite tone he asked “Er … do we have enough time? Surely we don’t have to send him everything … do we? Can’t we just delete it all and say we don’t have any data on him?”

“It’s a criminal offence to delete data to avoid disclosing it for a DSAR, so we won’t be doing that. We will have to check every record to decide whether we have any basis for withholding it, or whether we will have to remove personal data of other people, like his older sister who tipped us off about him scoffing the entire chocolate cake that he was supposed to share with her. If we work flat out we might just have enough time, but I will need four more elves to help. It’s going to be …”

“The Nightmare before Christmas … Again” groaned Santa.

At the North Pole they were used to burning the midnight oil, but even by their standards this was a mammoth task. Co-ordinated by the extraordinarily efficient Chief DPF, the elves located and trawled through the surprisingly large number of records relating to Master Begood, identifying and redacting data of others. Somehow, by the end of the 29th day, a complete set of personal data had been gathered together ready to send out to little Johnny.

With the Chief DPF at his shoulder, and between gritted teeth, Santa composed his most charming and effusive letter complimenting Johnny on his knowledge of data privacy law and explaining the extent of the data which was held at the North Pole and why certain data had been redacted.

“He’ll go far, that young man” muttered Santa as he stuffed Kevin the Carrot into Johnny’s stocking. “But not far enough or quick enough for my liking”.
