Santa, You Need a Data Protection Officer

With a global operation and a massive data collection program, Santa, you need to be on the lookout for regulators.

By: Stephen Graham @ AnonTech

Dear Santa,

I know you’ve been in business for a while and your intentions seem altruistic, but did you know that you are in violation of every data privacy law… on the planet? Where to start?

First off, some assumptions. In order to visit every child’s home, you must be keeping location information and since you only provide services to minors, you must be tracking date-of-birth information as well. We already know for sure that you are keeping two distinct databases — the Naughty & Nice lists. Technically, that’s a form of data processing, which puts you in a whole different category under GDPR. If I get myself on the Naughty List and want to understand why you profiled me that way, are you prepared to respond to a DSAR to provide me with details or reconcile that profiling decision? And, I don’t know for sure, but I assume that you are compiling all of this data up in the North Pole, which violates all data residency & transfer provisions under these laws. Unfortunately, there’s more…

All of this data you process & store is about children. While I’m sure most parents implicitly give you consent for doing this, I know for sure I haven’t signed anything giving you explicit permission to process information about my children, which is technically a violation of parental consent in COPPA. And to determine if a child is naughty or nice, you must be keeping track of their performance at school. Did you know those records are protected under FERPA? I’ve also heard that you know when children are sleeping and you know when they’re awake. I hate to say it, but technically, tracking children’s sleep patterns could be constituted as protected health information, which makes you liable under HIPAA.

Santa, did you know that 69% of countries have Data Protection or Privacy Legislation worldwide? You might think you’re ok operating here in the US since we don’t have a federal data privacy law, but three states have signed data privacy legislation already, and many more are in the works.

Now, I know that you’ve been operating for thousands of years, but to be honest, that comes with some risks as well in terms of dealing with legacy systems. You refer to the Naughty and Nice databases as “lists”, am I to assume that your operation is still paper-based? What sort of security protocols do you have around these lists? Since your employees clearly have open access to these lists so they know whether to produce toys or coal for children, am I to understand that there are no restrictions or role-based access controls regarding who can reference these lists? This sounds like a data breach just waiting to happen. And, did you know that ransomware is now 10% of all breaches? As far as I know, your operation is 100% non-profit, do you have cyber insurance to protect your organization from a ransomware attack? Have your employees received proper information security training? I suspect not.

Listen Santa, I know I paint a gloomy picture here, but all hope is not lost. What you need is a qualified data protection officer to help you navigate your global posture on privacy & security. And when you’re ready to modernize & automate your privacy operation, let’s talk.

Thanks for all you do,

The Team @ AnonTech

Merry Christmas, happy holidays, and best of luck to all in the new year!