Despite all the external signs – the red coat and the white beard, the magic sleigh, the teams of reindeer and the well-stocked toy workshop run by a team of hardworking elves – Santa Claus himself is a pretty traditional guy.
He likes doing things the way he has always done them – and, let’s face it, he has been running a tight ship generally. Toys get delivered on time, despite the very small window of delivery slots on Christmas Eve.
But Santa employs a team of progressive elves. They want to smarten up his operations and they aren’t happy standing still.
One senior elf (let’s call him AI-Elf) has just been promoted and wants to make his mark. He has been eyeing up Santa’s Naughty and Nice list. Santa spends the best part of September to December poring over the list, adding names, crossing out names and moving names around.
AI-Elf thinks the Naughty and Nice list could benefit from some software automation. A sprinkle of facial recognition mixed with some software that can interpret emotions and behaviours would free up Santa’s time to perhaps take over some of the Easter Bunny’s turf or bring some of that Christmas flair to lesser holidays such as May Day.
Santa has agreed to take a look at AI-Elf’s plans. He has just one stipulation – no boys or girls must lose out on their present rights as a result of automating the Naughty and Nice list. Santa has a reputation to protect and any hint of unfairness would have pretty serious repercussions in the North Pole.
AI-Elf is up for the challenge. He has roped in Compliance-Elf, IT-Elf and a whole team of software development elves and he has decided that this requires a Data Protection by Design approach.
What would Fort Privacy advise Santa and his elves – had we landed that dream job?
First off we would say well done. You are off to a good start. We have heard stories of senior managers asking their teams to “Find an AI Project because everyone is doing AI and we don’t want to be left behind” which is not a great approach. Santa’s team have started by identifying the problem they need to solve. By doing so, they are focusing on the right thing – the problem. Instead of trying to make a selected software solution fit their needs, they have identified their needs and they can focus on finding the best solution. It may not even involve AI but Santa will be happy if it frees up his time and all the deserving children still get presents.
We say well done again on the next step. Santa and the Elves have identified clear measures of success for this project. One, Santa can spend September to December on toy development instead of managing that pesky list. Two, no boys or girls will end up on the wrong list and lose out on Christmas Eve.
So far so good. But now we get to the sticky bit.
We are going to advise Santa and the Elves that AI technologies are very powerful. They are not for the fainthearted and you really do need to know what you are getting into. That means you need to evaluate and mitigate risk and sometimes even look for alternative solutions. Sometimes those solutions might cost more and require extra resources to implement and it mightn’t be quite the quick fix that was envisaged. But that’s the only way to do it right in the long run.
We don’t think this is black and white: AI = Bad, no AI = Good. We are likely to find some really useful AI out there that could help Santa manage that list very effectively. After all, it’s a very, very large dataset and we actually don’t know how Santa has managed to keep on top of it all these years without some mechanical help.
We will brief Santa and his elves on the upcoming AI Act in the EU which is the first really significant piece of AI legislation globally. We will warn him to steer clear of mass surveillance and facial recognition technologies because these will only be permitted in very limited, controlled law enforcement circumstances.
We will suggest Santa can let his new software solution do the heavy lifting for him but he will need to have oversight of the output. With a nod to GDPR as well as the AI Act, he will need to implement checks and balances to ensure that the outputs are as expected. We will suggest tracking some tight metrics on the Naughty and Nice list as well as human, or rather “Elven”, checks, particularly on the Naughty list.
Whatever Santa does, he’s going to need to demonstrate compliance with GDPR. We will advise him to deploy all the GDPR tools in his toolkit – formally document the options considered, show that data protection by design has been implemented, complete a risk assessment and document risk mitigation activities and controls. In short, show that this implementation has been carefully considered and how good choices that protect all children have been made.
Fort Privacy wishes all our clients, colleagues and friends a very Happy Christmas and a peaceful and prosperous 2024.
P.S. We don’t believe that Santa has any names on his Naughty list come Christmas Eve 😊
Marie Murphy
Marie's interest is in data protection operations focusing on people and process to manage personal data processing risk in large and small organisations with a special interest in privacy by design.