It’s okay, kids; Santa is GDPR compliant.
Sometimes as a consultant, you get a call about a dream gig - iconic brand, a big juicy problem and unlimited budget. I recently got one of those calls from none other than Barnard, Santa’s Head Elf (Google it). It seems that Northpole Ltd. was a little behind in their GDPR preparations and needed some help.
Like every other GDPR engagement, this project started by getting an understanding of what data they hold, where they got it and how they keep it up-to-date, as well as understanding the technical aspects of how the data is stored. They have a list of everybody in the world that includes name, home address, gender and of course the naughty/nice indicator added as part of their data processing. There is a single hardcopy version of the list that is kept at CEO S. Claus’s office, although he does sometimes work on it at his place of residence. Mr. Claus himself assigns the naughty/nice indicator to each record; there is no automated processing of the data.
It is important in sessions like this to follow a very structured approach. Conveniently, the ICO has a handy interactive guidance tool which walks you through each basis by asking a series of questions and provides guidance about each answer.
The first question asked was whether we have or intend to have a contract with the data subjects. There is certainly no written contract between Northpole Ltd. and the data subjects. Of course contracts do not have to be written down, but for a contract to be valid there has to be a value exchange. There is no clear value exchange in the Northpole business model. Parents benefit from the good behaviour of their children. The children benefit from getting the toys. Other than fulfilling its mission, however, Northpole gets no real value.
Children would also be part of the contract and they would have to be able to understand the terms. Children frequently receive Christmas presents before they are even born, so clearly the terms of this contract have not been made clear to them, nor are they capable of understanding the terms with regard to the naughty/nice designation or the ramifications of each.
Creating a contractual relationship could be possible in the future but would require a complete rethink of the business model. We answered, “I don’t know.”
Is Northpole processing the data to comply with the law? We could not find any statute compelling North Pole or any other organisation to give gifts in December or at any other time throughout the year.
We answered, “No.”
Is the processing of the data in the vital interest of the data subject? In other words, is the processing of the Naughty and Nice List a matter of life and death to the data subject?
The floor-flailing protestations of the four-year-old notwithstanding, we answered, “No.”
Is CEO S. Claus processing the data to carry out an official task or as part of an official role? Some public tasks include:
Administration of justice
Parliamentary (legislative) functions
Activities supporting or promoting democratic engagement
In short, Mr. Claus is not involved in any of these activities but the ICO guidance goes on to say:
'...this is not an exhaustive list. If you have other official non-statutory functions or specific public interest tasks you can still rely on the public task basis, as long as the underlying legal basis for that function or task is clear and foreseeable.
You do not have to be a public authority.'
We thought this guidance interesting. Is the public task anchored in tradition, and might it in fact exist in common law? We decided to pursue this line of thinking a bit more, so we answered, “Yes.”
The ICO Guidance Tool then asked if we could point to a clear basis in law for Mr. Claus’s task. We already knew that there was nothing about this function in either UK or EU law, but much of the law in the UK is based on common law. The Oxford English Dictionary defines common law as 'the part of English law that is derived from custom and judicial precedent rather than statutes.'
Northpole’s data processing activity in order to deliver presents at Christmas is surely the custom across the entire EU based on a review of historic and contemporary literature, music, TV and film. On top of that, we could find no judicial precedent preventing the delivery of presents at Christmas nor the associated data processing to facilitate that activity. Lastly, the data processing is foreseeable. Just look at the chaos in the documentary The Year without a Santa Claus!
We answered this question, “Yes.”
The next question on this path was whether there is another reasonable way to perform the task (i.e. delivering presents) without processing the data. To answer this, we need to look at whether the data is targeted and proportionate. Firstly, we know that the data is not targeted (it’s a list of the entire world) but must ask whether the processing is proportionate. In other words, are we only using the data we need to accomplish the task?
Name - Needed to identify each member of the household
Home Address - Needed to get the right presents to the right people
Gender - Needed to deliver the appropriate gifts (This one may be a little old-fashioned and consumer attitudes to how this is used will be monitored)
Naughty/Nice Indicator - Needed to know who gets toys and who gets coal
We answered, “No, there is no way to complete the task without processing the data.”
The next question was whether we wanted to offer individuals the ongoing right to decide if Northpole Ltd. could process their data. Northpole was founded on the principle of choice. Individuals can choose to be naughty or nice. Letting people who had already chosen to be naughty further refuse consent to data processing would undermine the business model, not to mention leave the organisation with a surplus of coal (greener alternatives are being reviewed).
We answered, “No.”
The last legal basis that the ICO’s tool reviewed was Legitimate Interest. The first thing the guidance wanted us to ask ourselves was whether Northpole Ltd. was happy to take full responsibility for justifying their processing and protecting the interests of the data subjects. As this is one of the core values of the organisation, we proceeded to answer the questions.
First up was if we were processing the data to perform our tasks as a public authority. Northpole is an independent company and is not contracted to any public authority so we answered “No.”
Next was, have we identified a legitimate interest? Yes, Mr. Claus is The Guardian of Wonder, one of the Guardians of Childhood. He founded Northpole Ltd. to make and deliver gifts to deserving people around the world. The organisation needs to process the data in order to fulfill this mission.
Is there another way to accomplish this without processing the data? No, as we discussed above, there is really no way to accomplish their annual mission without processing the data.
Is Northpole’s legitimate interest compelling enough to justify any potential impact on the data subjects? We talked a lot about the impact on people who got coal. We concluded that as this was not decided through automated processing, they should be expecting the coal. We talked about the children on the list and decided that everything was being done to safeguard them. Then we discussed how the data is collected using the company’s proprietary “sees you when you’re sleeping; knows when you’re awake” methodology. We decided that the risk of using this methodology would in many situations not make Northpole’s legitimate interest compelling enough to justify any potential impact.
Based on our answers, the ICO’s Legal Basis Guidance Tool said that the legal basis that is likely to be appropriate is performing a public task. We would have to notify individuals of that fact in the privacy statement and we decided to be completely transparent on how the data is collected.
The ICO tool was inconclusive as to whether we could use contract as the legal basis for processing the data. This could be an option if some of the issues around contracting with children and unborn children could be resolved.
The tool said that consent, legal obligation, vital interest and legitimate interests were not appropriate in our current situation. Consent could be a possibility in the future but would require some changes to the business model.
The process of course is not complete but progress has been made. Northpole’s compliance department and external counsel begrudgingly agreed to proceed with Christmas this year, but much more work would need to be done in January.
This post originally appeared on LinkedIn