The Real Cost of GDPR: Christmas will have to be cancelled
With the deadline of May 25th, 2018 looming, organisations are hustling to become compliant with the EU’s General Data Protection Regulation (GDPR). However, it appears that the new regulations may have a completely unintended consequence. Yes, we’re sorry to have to tell you this, but as a supplier of technology that enables firms to comply with GDPR – Christmas will have to be cancelled. It might have been the snow in London last week that turned our minds to Christmas and all the joy, bonhomie and gift giving (and receiving) that comes with it. But then, as our team worked on a GDPR customer case, the two realities came crashing together in one horrible and oh so vivid flash of realisation; Santa is not GDPR compliant.
Christmas 2018 is going to have to be cancelled.
It brings us no joy to have to tell you this, believe you me. Nevertheless, the harsh reality is unavoidable.
GDPR, in essence, involves two checkboxes. If any organisation checks both boxes, then there are two consequences. Although it pains me to do so, let’s work through this process for “Santa’s Workshop Inc”:
1. If an organisation collects, stores or processes information on EU nationals, GDPR applies. It doesn’t matter where the organisation itself is based. Santa’s workshop may be based in Canada, northern Finland or Russia, but it doesn’t matter. Santa’s list involves quite a few EU citizens.
GDPR applies to Santa.
2. Is the data ‘personal’? Well, this is pretty obvious – Santa provides perhaps the most tailored gift-giving service in the world (sorry Mr. Bezos…) so if he’s not working off a list that holds personal data then water is clearly not wet.
Santa works with personal data of EU citizens.
3. If an organisation holds personal information on an EU citizen, that person is able to ask the organisation what information is held on them and the organisation must comply with the request. Now, seriously, has anyone among us, at any point, sent a letter to Santa’s workshop and actually gotten a reply? No, thought not… this is strike 1 for Santa.
4. Related to point 3, the person should also be able to request that the personal data held on them by the company is deleted. I’m not sure why anyone would want to do this, but nevertheless, Santa’s Workshop Inc. isn’t known for its customer support channel and accordingly Santa is unable to comply with any delete request. Strike 2.
That’s it – Santa is clearly not GDPR compliant.
There is only one unavoidable conclusion to be drawn – Christmas 2018 will have to be cancelled. Sorry.