Its that time of year again – where did 2019 go? – time for the time-honoured tradition of Fort Privacy taking on the role of the grinch and spoiling Christmas for all the boy and girls out there who are putting far, far too much trust in Santa’s operations.

All those letters going up chimneys – don’t get me started on safe transfers of personal data, I won’t stop until Christmas morning! And what about that so called Naughty and Nice list? Those ominous words “he knows when you’ve been sleeping, he knows when you’re awake”. That sounds like round the clock surveillance to me.

This year, I am upping the game for Santa and challenging him to get his operations audited against the Fort Privacy Maturity Model Framework. With an extra day in 2020, Santa has no excuse for missing his data protection compliance goals next year.


Santa needs to structure his GDPR Compliance programme.

Santa needs to define a clear data protection strategy that is reflected in policies and procedures and in the roles and responsibilities assigned to the organisation’s processing activities. I would suggest Mrs Claus as the Ideal Data Protection Officer – and I am in no doubt that Santa’s operations would benefit from a DPO.

Santa’s North Pole Operations need to be able to demonstrate compliance and Santa needs to account for all data processing activities. Is Santa keeping good records? Is he training his elves?

Santa needs to provide clear statements to data subjects (the boys and girls) and communicate all required information about his extensive processing activities. I would advise Santa to make this very simple and clear keeping in mind that his processing operation almost exclusively involves little people – children and elves.

Santa must ensure he can identify a reliable lawful basis for each processing activity undertaken. The processing of the millions of letters from children is very likely to stand up to a legitimate interest assessment but I am not as sure about the naughty and nice list.

I have always felt Santa’s processing is weak when it comes to implementing policies and processes to facilitate and respond to data subjects who invoke their rights. His contact details are vague and I personally never received a response to any of my letters to the North Pole.

Santa has always been quite guarded when it comes to whether he may disclose personal data outside the organisation. If he does, he must ensure its only for the purposes identified and that he has all required transfer mechanisms in place.

How Santa manages personal data processing activities to ensure consistency with the principles of purpose limitation, data minimisation, accuracy and storage limitation is a secret he guards as closely as his contact details.

Santa certainly hasn’t hit the headlines in 2019 for any reported data breaches, but I wonder if his data breach management is up to scratch? Santa should be implementing policies and procedures for reporting and managing personal data breaches and most importantly he should be tracking and analysing the near misses to avoid some future repeat of a near miss turning into a serious incident

I’ve already made my thoughts on security clear – we are looking for Santa to manage the security of the personal data and of systems that he uses to process the personal data and I am just not buying that letters up the chimney are adequate measures in this day and age.

Finally, I’d love to get Santa to take an active interest in privacy by design. I think between Mrs Claus (as DPO) and myself (as Privacy by Design expert advisor to the North Pole) we would kick…. Santa’s operation into really good compliant shape – ready for the next generation of boys and girls to enjoy his generosity and general jolliness.

Happy Christmas and wishing you all the best for 2020!

This lighthearted article took a serious look at Santa’s North Pole operations using the Fort Privacy Maturity Model Framework.

Your organisation may benefit from a similar exercise in 2020. Fort Privacy carry out audits against the framework producing comprehensive audit reports that tell you exactly where you need to focus your compliance efforts.

If you are interested in exploring audit as an option with us, please get in touch. We promise not to operate any “naughty or nice” lists.

Fort Privacy processes your personal data in order to respond to your query and provide you with information about our products and services. Please see our Privacy Statement for further information.

Related Blog

Santa — Jolly Old Man or Privacy Risk?

Introducing The Fort Privacy Maturity Model Framework – Your Go-To Tool for Compliance!

Join Our Newsletter

Sign-up to receive news and information from Fort Privacy
Fort Privacy processes your personal data in order to respond to your query and provide you with information about our products and services. Please see our Privacy Statement for further information
Like what you've just read? Give us a bualadh bos (that's Irish for clap!) and let us know! 👏👏👏
Marie Murphy
Co-Founder & Operations Director

Marie's interest is in data protection operations focusing on people and process to manage personal data processing risk in large and small organisations with a special interest in privacy by design.