Memes and Misunderstandings About GDPR

There is a meme doing the rounds which says that, because of his ‘Naughty and Nice list’, Santa is in breach of GDPR! But is it true?

To me, this meme encapsulates all of the misconceptions that people still have regarding GDPR and this blog aims to set out a process by which ‘The List’ could be legitimately be used for the intended purpose.

Legal Basis for processing

There are six legal bases for processing identified in GDPR. Of these, it is difficult to see how Legal Obligation, Fulfillment of a Contract, Public Interest or Vital Interest could apply here, so that just leaves Consent or Legitimate Interest.

Consent

It might be assumed that every child would consent to being on the nice list, but under GDPR Consent has to be of a high order. The most obvious way to gain consent would be the grottos in shopping malls all over the world when children get a one-to-one with the big man. However, there is no evidence of any record keeping, either paper or electronic, of when and where consent was obtained, or how it was obtained. Given the size of the database, this would be a huge and challenging task, so we should probably also rule out Consent in this case.

Legitimate Interest

This basis can be used if the data subject has a reasonable expectation that their personal data will be used in this way, and that they will not be hurt or inconvenienced by this processing. An assessment must be undertaken to balance the needs of Santa in drawing up the list against the expectations of privacy for the child. Somewhere at the North Pole the results of this assessment should be recorded in order to use this as the basis for processing, and some time before Christmas Eve, a privacy policy will need to be published explaining this legal basis, how data will be processed and how to opt out from ‘The List’.

NB. Although the North Pole is not in the EU, the regulations apply to the processing of data belonging to all EU citizens, and so still applies for these children.

Child Data Subjects

Although Legitimate Interest appears to be the best option, great care needs to be taken when performing the balance, because Article 6 of GDPR, 1(f), (Lawfulness of Processing) explicitly states:

[where] processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

One factor in favour of Santa’s use of Legitimate Interest is the expectation of personal data being used in this way. Since every child who is over a year old has previously had their data processed in this way, it is reasonable to assume an expectation that the processing will be repeated this year.

When using Legitimate Interest, as with other legal bases, it is important to provide the data subject with a clear and easy way to opt out, or to be forgotten. Letters to the North Pole or visits to a Grotto could be used in this way.

Maintaining ‘The List’

‘The List’ will contain large amounts of historical data, since it has been used every year prior to the implementation of GDPR on May 25^th.

How long to keep the data

As always when using Legitimate Interest it is important to decide, and record, how long personal data will be kept for. An annual cleanse of the database is recommended to identify dates of birth and removal where this is 18 years or older, and to allow deletion of duplicate records (not twins!)

The naughty vs nice profiling must be provided by someone with access to the child, such as Mum, Dad, grandparents or Carers, presumably by letter or Grotto visits.

Keeping ‘The List’ updated requires the collection of personal data on all babies born since the last processing. Given the explicit warning about protecting the data for children, it would not be advisable to try to purchase a list from a data broker, since the broker would have had to identify whom the list was being sold to. Since the list has always included this information - perhaps Santa helps to support the NHS in return for the information, it is recommended that whatever method currently used be assessed to determine whether it is compliant and if so its use continued.

Automated individual decision making

Children on the naughty side may object to being filed there, but there will be legitimate reasons why. GDPR does not prevent such decision making but puts down restrictions on automated individual decision making. Section 4, Article 21, 1 of the GDPR (Automated individual decision-making, including profiling) states:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This means that if a naughty child objects to such processing, as long as it is carried out by a person, elf or reindeer, rather than an automated system, the profiling is legitimate.

Article 4

Finally, a pedantic point. Article 4 of the Regulations is simply a list of 26 formal definitions of terms which are used in the rest of the document, ranging from (1) ‘Personal Data’ to (26) ‘International Organisation’. It is impossible to contravene article 4 because that article doesn’t cite any law or place any obligations.

Executive Summary

As it is for the rest of us, with a little careful planning it is easily possible for Santa to stay on the right side of the law.

Do you agree?

Merry Christmas, from all at Data8