Letters to Santa, from a privacy consultant
Dear Santa, I have got older and recently discovered that you are not real, and so, I would like to ask you to delete all my personal data from your files. Best regards and my greetings to Rudolph, Tuisku.
Of course, that is all made up, but how should Santa approach GDPR? How should his personal data processing information be presented when his audience is children? Is he required to carry out DPIAs (Data Protection Impact Assessments)? Is his annual privacy program in good shape?
GDPR requires all information provided about data processing to be clear and concise, transparent and intelligible. It should be written in plain language. These requirements should produce a notice that is easy to understand and quick to digest. This can be particularly challenging when the audience is children. We are advising Santa to layer his complex privacy notice, giving a simple overview and highlighting the most significant impacts on children in the first layer, and then providing the detail behind links, something like this:
If you are interested in seeing more examples of important issues put in child-friendly language, check out Unicef’s resources. Adults benefit from clear and plain language too, especially in the context of privacy notices.
Another very interesting question is, has Santa carried out a DPIA? Santa quite clearly carries out data processing that would be subject to a DPIA under the GDPR. Let’s have a look at the indicators:
Having carried out the DPIA, Santa should definitely update his privacy notice, as it doesn’t include enough information on automated decision making, among other things. Santa should also update any internal policies and guidance and run updated privacy training for his staff.
Santa has a tough task ahead when he weighs the rights and freedoms of his data subjects against the interests of his business. It seems that children cannot rely on the right to a private life at Christmas when elves are around. Should Santa think about narrowing the locations, times or situations in which children are monitored? Where does the border of privacy lie?
Santa might argue that such monitoring is necessary and proportionate to the purpose of the processing, and that the children have full control over the main effect of the processing, since they can choose to be naughty or nice. How true and fair is this? A child has no real choice over the monitoring, because it is a condition of getting presents, and being left out is not an option. ‘Naughtiness’ is also a very vague concept, and there is a danger that Santa’s monitoring would slip from monitoring into control by monitoring. The term privacy includes the concept of being in control of one’s own data.
Santa’s data processing sounds like a case best left to privacy professionals, which we have at Nixu. Be sure to check out our DPIA and Continuous Privacy Support services if you are facing issues similar to Santa’s, from transparency to monitoring and complex decision making – these days most companies are.