Plain & Simple GDPR Updates

The data protection act is being updated. This update is known as GDPR, and impacts the way you treat data in your business. We'd love to send you updates as they come through so that your business is compliant. Add your details here, and we'll send you email updates about GDPR

We won't add your details to any other list or share them. You can unsubscribe at any time. For more information see our Data Privacy Policy  

The Chief Elf Officer Reports on Santa’s Business

I cannot confirm or deny that this is the official CEO business statement from Santa’s business as it would indicate that he’s had a data breach. A fine of 4% of Santa’s turnover may change the face of Christmas forever and you won’t have a smiling loved one waiting for you under the mistletoe!

A Santa’s CEO – that is  Chief Elf Officer  I am here to report on how this year has gone and our plans going forward for Christmas.

  1. The Eco project is still tough.  We abandoned the Reindeer outsourcing project.  If you remember sending them to India did result in a massive increase in output – but not of the kind anyone wanted.   A spicy diet was not a good plan.
  2. We have tried to use solar power – but Santa is a winter spirit who only works at night.  Not to put too fine a point on it, we couldn’t get him past SARF London on the first test run.   He got mugged while he was waiting for the Recovery and Charging team (RAC).  He is not impressed.
  3. Now, we are looking at electric sledges – much less methane output. There are not enough recharging points and our elves are rolling them out on chimneys everywhere.
  4. We have also decided to reduce the amount of plastic in our toys – good for the ocean but tough on the reindeer, since wood is so much heavier to fly around with.
  5. The Equality Elf apologises for his/her absence.   EE is in transition at the moment.  I am going to present a brief Equality summary before moving on.
  6. Our store franchising programme has been accused of favouring the old, pale, and stale males.  It is true most of our Santa’s are old white men.  The Equality Elf commissioned some research on whether the children would accept a female Santa.
  7. Children worry about whether a female Santa could carry a sack – some of them feel she will need an assistant to carry the toys around for her.
  8. Others are worried about whether she could reverse park a sleigh with all those reindeer.
  9. There are concerns about whether low-calorie mince pies will need to be ordered and whether we will even have to go gluten-free.
  10. The Equality Elf is going to set up an education programme on what women really do, to pave the way for a female Santa once these perceptions are overcome.
  11. We can report a success on another equality front. We now have our first black Santa in the USA – he is gigging in Atlanta. We have had black Santa’s in Africa for a  long time – but this is a first for Atlanta.
  12. The equality monitoring system is going to need to be overhauled – anonymising data is really difficult if you have only one black Santa in Atlanta. The Equality Elf is liaising with the HR and data compliance team to see what upgrades are needed.
  13. After the #metoo campaign, we’ve had to stop anyone from sitting on Santa’s knee. We can’t take the risk of complaints.
  14. We are relieved that none of the Elves has complained under #metoo.  All that work by the Diversity Elf is paying off.
  15. This brings me to the biggest project for 2018 – getting ready for GDPR – the General Data Protection Regulations.
  16. At first, Santa thought they did not apply to him as he is not based in the EU, but it turns out it applies to anyone who is keeping records on EU Citizens – even children.  Santa has work to do.
  17. I have started auditing our operation against the new standards and these are the issues I have found so far.
  18. Most of the data we hold directly is stored at the North Pole.
  19. The North Pole is not in the EU and the EU does not recognise us as having appropriate data standards. So we are in the same situation as the USA for this. Unlike the USA we don’t have a data privacy shield system – our Santa Shield is not recognised by the EU.   We have to consider going forward with appropriate model data processing clauses or keeping the data on EU citizens within the EU.
  20. We need to figure out where all that information is held. It is not as easy as it looks. Children write to us from all over the world and many of their letters are kept by local stores who franchise to the Santa brand.
  21. Lots of Elves have access to the children’s letters and it turns out we should only be storing them with a parent or guardian’s consent. This is not the way Santa’s operation has been set up and that is going to take a lot of thinking about to make it work.
  22. We have an online email system too. Kids are tech savvy these days and many of them email us with what they want Santa to bring. We use a lot of mainstream email platforms – we didn’t get the magic elves to invent something special for us – so pinning down where the data is stored and how it is stored is quite a mission.  And of course, we need to insert some kind of geolocation option so we know which children are in the EU.
  23. Then there is the whole question of the naughty list and the nice list. We share that information with our franchise Santa operation, but because they are third parties, it turns out we need consent. Not everyone on our lists is a child who needs a guardians consent, but everyone needs proper consent to having their data shared by a third party.
  24. We are testing sign up options and disclosures that children can understand. So far asking them if they want to go to a third party has caused a lot of tantrums as the children have complained they haven’t been to a first or second party and someone has missed them out.
  25. The elves are all self-employed so every elf who handles a letter from a child has to be properly contracted and know how to store and handle data properly. This is a massive mission as they are all denying it applies to them, or that it doesn’t apply to the information they hold.
  26. I have made it plain that it is not just Santa who can be fined and put on the naughty step for this, but the Elves too. That got their attention.
  27. Santa is the data controller – but the self-employed elves are all data processors when using Santa’s lists.
  28. Then there is ensuring the accuracy of the information. It turns out that some people on the naughty list have been good, and some people on the nice list have been bad. We have had to organise a whole team of Elves to update the data.   About 20% of our lists need updating every month as the children and adults change their behaviour.  It is not quite as easy as it looks.
  29. Some people end up not on St Nicholas’s naughty list but on Old Nick’s naughty list. That’s OK though because personal data only applies to living individuals. By the time Old Nick gets them they can’t complain.  The higher-ups are out of trouble too.
  30. Some bright spark had an idea and last year we shipped out lots of hi-tech wifi enabled toys so the elves could monitor everyone and keep the lists up to date. With a little bit of help from our friends at Google and Apple we managed to get those toys into about 1/3 of houses in the UK.
  31. We didn’t tell the parents or the children that we were monitoring their behaviour and accessing their wifi through the toys.  Santa have just been fined a massive amount for illegal data processing. This thing is not as easy as it looks.
  32. Then there are the Training and Speaking Elves. While they don’t officially handle children’s data – but sometimes people give them very sensitive information, even though they haven’t asked for it.
  33. The store event organisers help us put on training for Santa’s – along with the equality programme and the new GPDR programme. Some organisers automatically send delegate lists, with a lot of personal information to the Training Elf.
  34. We need to check that the people who signed up for the lists agreed that the Training and Speaking Elves should have their information.
  35. If not, that is going to put everyone on the naughty step. Even organising elves and our franchisees are not very clued about this. Only yesterday I was emailed a list of delegates from an event I spoke at.  I didn’t ask for it – they gave it to me anyway.
  36. Opening that attachment is going to be a breach of GDPR since viewing data is processing it.
  37. The Marketing Elves (ME) are up in arms. They like to use Elf magnets to attract new people onto their lists and then start selling them things. Getting those permissions right is a lot of work and it is a good idea to figure that out now so that everyone joining your lists knows what they are getting.
  38. If they thought they were just telling Santa what they wanted for Christmas and we bury them in loads of marketing emails (even if they are grown up) they have not made an informed decision.
  39. All this GDPR applies to the lists you already hold, so a whole army of data elves are sorting out auditing the data and figuring out if those people are only getting what they signed up for, whether the information is accurate today and whether we still need it.
  40. Santa is a bit of a hoarder and it turns out he kept all the annual naughty and nice lists for the last 1,000 years somewhere in the back of a cupboard in case it came in handy.
  41. I think I have persuaded him that we don’t need the lists for anything more than this year.
  42. We do have to keep a record of who was shipped which product – in case of complaints or product liability issues.
  43. It turns out we were all sharing logins so it was impossible to tell which Elf had done what. Not a good plan.
  44. We hadn’t encrypted our devices which is also a problem since the Gnomes are famous for phishing and it is almost impossible to stop them from phishing in our systems.
  45. While we were doing the data audit it turned out we had more data and lists than we thought. Santa has got an adult list. It’s not just about children anymore.
  46. Many of the adult boys seem to be asking for dolls. I suspect the naughty list and the adult list are getting a bit tangled up and it is really important we don’t get anyone on the wrong list and send them the wrong thing.
  47. We are caught in a big argument about whether everyone on the email lists should double opt-in. It’s a special kind of opt-in – so good they do it twice. Lots of people don’t get on either the naughty or the nice list because they miss the second opt-in.  The complain when they don’t get their toys.   We have set the Elves to work on that to see if there is some magic we can weave.
  48. The Information Commissioner Elf is going to give us the rules as a Christmas present.
  49. This will also tell us exactly how we need to deal with the people already on our lists who have not had the magic double opt-in.
  50. Some people have started on this already.
  51. We expect millions of complaints in the spring when every Elf emails every customer to ask them to opt-in again. Not totally convinced it is necessary.
  52. It is going to be a busy year for us Elves. We are drafting in the Tooth Fairy and the Easter Bunny to help. We know if we work together we can get it done.
  53. Meanwhile I wish you Season’s Greetings from Santa’s CEO and all the KoffeeKlatch team.

 

Annabel Kaye

The perfect business contract protects more than just your boundaries. The perfect business contract protects your clients in relation to things like Copyright, IP, GDPR, scope-creep and all the other things that eat away at your profitability. Book me to speak at your event or ask about becoming an affiliate. Check out our contract shop and GDPR support today and start earning what you should in your business.

Click Here to Leave a Comment Below

Leave a Comment:

contracts for VAs Favicon

Get GDPR Updates as they're announced. 

We won't add your details to any other list or share them. You can unsubscribe at any time. For more information see our Data Privacy Policy

x