The GDPR is Coming to Town

Date posted:
Tue 28 November 2017

You better watch out, you better comply,

The ICO are coming I’m telling you why,

G.D.P.R’s coming to town! 

The long anticipated John Lewis advert has officially aired as if a warning sign that it’s THAT time of year again. The time of year where minors are subjected to profiling, and non-transparent data processing of a certain North Pole resident.

THE most notorious data profiler in the world has just over 6 months to get his house/ grotto in order, ahead of the GDPR being enforced.

The ‘naughty or nice’ list has long been the typical yard stick against which most children around the globe are measured. Santa will be required to alter his data processing actions in the next 6 months, complying with the GDPR. 

The GDPR was released last year and is set to be the most important change in data privacy in 20 years and will come into effect from the 25th May 2018.


So what’s this GDPR stuff?

GDPR is a much needed update to the existing data protection regulations across Europe. It’s going to impact everyone, that’s you at home as well as at work.

The focus is on privacy and transparency of the data you collect from your customers/audience. You will need to be transparent with your audience about what data you collect and how you use that information.

You are going to prove you have consent from your audience to collect, process and manage their data, and people will also have the right to be forgotten.

Additionally, the definition of personal data has been expanded to include cookies as well as the normal name, address, telephone, email and demographic data you may collect.

So quite a bit is going to change!


Global Reach

Processing personal data of ANY subjects anywhere around the globe by a controller established inside the EU will be subject to this Regulation.

As readers (and reindeers) will be aware, significant areas of the North Pole, protected by Norway, are recognised as forming part of the European Economic Area, so the new regulations will apply to such processing. From our reading of this provision, any “Naughty List” (or “Nice List” to that end) will therefore be considered as ‘Profiling’ where it is being used to monitor the behaviour of EU citizens of any age. 


So, what does Santa’s DPO have to do?

As it turns out Santa will need to review the credibility and accuracy of his list – this has always been a contentious issue, with data traditionally being acquired from completely fly-by-night sources. Stressed out parents, general monitoring of social media, and, most unreliable of all, the children themselves through a completely inadequate process of hand-written notes placed on fire-places the world over. Santa’s processes are an awful long way from even the ISO27001 requirements.

There is no way to dress this up – Santa’s list will be in the ICO’s cross-hairs by the time this legislation kicks in on 25th May 2018. Both Santa and his service providers – again, most of whom are resident within or on the frozen periphery of the EU, have a relatively short time to get their house in order and find a compliant basis for data processing in the future.

There are many concerns – Santa will likely look among his workforce for candidates to become his Data Protection Officer (maybe Mrs Claus?) – as an organisation which systematically monitors the behaviour of underage members of the public, there is no doubt that he is on the mandatory list for this obligation.

To date, compliance within data protection legislation has always been covered by the “Elf and Safety” departments within the North Pole organisation, but he may now need to consider a more stand-alone role. Therefore, appointing an independent function with a sole purpose within the organisation. The new DPO could be obligated to shift from being Santa’s little helper to the North Pole Whistle Blower.

Merely possessing ‘The List’ in the first place requires justification referencing ‘Lawful Processing Conditions’. Real world dangers are afoot in some countries with harsh repercussions for being on the ‘Naughty List’ – coal in the shoes of Germans, a visit from Krampus for Austrians, or being kidnapped and removed to Spain for Italians. The risk of getting the lists wrong is, therefore, both high and problematic. Just as well he’s checking twice! 😉

Customarily, Santa is monitoring the behaviours, interests, and performance of the data subjects (Children), and does not seek any form of consent from these under-age subjects.

Pressure will be mounting on Santa to maintain an accuracy of his list once the ‘Right to be Forgotten’ comes into play.  I can only imagine the enthusiasm of Santa to remove any record of poor performance, or vandalism committed between now and December in order to transfer to the ‘Nice List’.

That’s all for now folks…

DXR are looking forward to working with Santa, and other Data Controllers, (not just those in the seasonal logistics and global delivery industry), to prepare their data management practices for compliance under the new Regulation. As for Santa’s more worrying data gathering activities, “he sees you when you’re sleeping, he knows if you’re awake”, etc. We will maybe cover that in a secret surveillance blog another day.


The summary above is David’s own interpretations of GDPR as of November 2017. Things are changing all the time and there are many grey areas, with much still to be formalised. It’s a massive and complicated change so please seek the appropriate advice.

If you have any questions please do get in touch with David Ollerhead at, and he’ll arrange for one of their GDPR consultants to answer any questions you may have.