Santa’s coming to town, but is he GDPR compliant?

We’re in the third week of December which means only one thing. Every child’s favourite man in red (you know, Santa, the one with the white beard and velvet onesie) will soon be flying his sleigh from rooftop to rooftop on the most important night of the year.

Hundreds of millions of wish lists have been received at the North Pole, and over the past few months, a team of Elves has been extremely busy inputting the data into Santa’s customer database, SantaSuite.

Since almost the beginning of time, SantaSuite has been evolving year on year as more personal information is captured. What likely started out as a small idea to spread kindness and Christmas cheer has undoubtedly turned into an all-consuming task for the managers employed at Santa’s workshop. Capturing data like names, ages, genders and postal addresses through to favourite toys and secret admissions as to who has been naughty or nice, Santa and his helpers certainly have access to an enormous amount of global personal data.

All we want to know this Christmas is whether Santa is GDPR compliant?

It’s a big question given the number of children (and possibly adults?) who relentlessly send their letters each year, but it’s an important one as doomsday approaches (May 25 2018 is the date that all organisations must comply with the GDPR by).

Whether a colossal operation like Santa’s, or not, all organisations (businesses AND charities) are responsible for the data they capture and it’s crucial that they follow the Regulations put in place.

If Santa’s managers have been doing their job properly, they should be in a strong position in knowing how many Elves handle their customer data, whether they have consent to keep personal details on file, if historical records have been erased, and so on.

As we don’t have a direct line through to the workshop (☹), we can only advise Santa about the GDPR in this blog post and hope that he sees it in time.

Top 4 Things To Do Ahead Of 25 May 2018:

  1. Using children’s data – When using data relating to children (like the details collected from wish lists) and communicating with a young audience, it’s necessary to use clear and plain language that is easily understood. There are also other aspects relating to using children’s data covered by the GDPR (details of which can be found here).
  2. Train the workers – Santa, once Christmas 2017 is over, make sure that all of your Elves, Reindeer and helpers are given adequate GDPR training. With the right support and training, all grotto employees will be confident when faced with any data protection-related issues. Staff training is one of our strong suits (we’ve been teaching GDPR to people on the Isle of Man since 2016) and we can help with small team training through to larger numbers.
  3. Do some data mapping – It’s easy to collect data about people, but less easy to manage it. Data mapping is a way of finding where every piece of data is being stored and used across Santa’s workshop (from shared databases to desktops to print-outs to physical files and more). It helps to see the whole picture, before considering solutions. Our Business Essential package offers a range of services, including data mapping.
  4. Draft your way to compliance – So that Santa’s workshop can run legally and efficiently in 2018, it’s crucial that accurately drafted policies are introduced. This means considering various data protection angles, including data retention. For example, a retention policy explains the process for using and erasing old, unused data (whether it was collected 100 years ago or last year). One easy and effective way to ensure total compliance is to sign-up to our cost-effective GDPR online portal.

Whatever the state of your organisation’s data, it’s not too late to seek help. The earlier you make an enquiry for advice, the quicker your concerns about the GDPR can be resolved. Quinn Legal’s Business team is on-hand to help Isle of Man companies and charities. Get in touch with us by calling 665522, emailing or making an enquiry here


Here’s a snap of our GDPR specialist, Peter Cannell, rocking the traditional Santa hat. Peter is a Manx advocate, certified Data Practitioner and our resident GDPR speaker/trainer.

Merry Christmas and happy New Year from the team at Quinn Legal!