Is GDPR a Grinch?

Conceptual image of internet information technology and big data visualizationMost people know that GDPR went into effect in May 2018. For those of you who don’t know, GDPR was put in place to protect people’s PII (Personally Identifiable Information) Data.

This is the first holiday season with GDPR in effect, and addresses are included as part of PII Data. This is causing a few companies to scratch their heads this holiday season to see if they can still do the jolly holiday things that they have done in years past.

Some companies are questioning whether it’s okay to send holiday cards or gifts to their contact list. Many companies send a nice card to wish their clients a very happy holiday season. Very generous companies send good tidings in fruit baskets (or, my preference, wine baskets and chocolate) to their favorite customers.

GDPR says that individuals must opt into the ways that a company uses their information. A truly disgruntled customer that is unsatisfied with their fruitcake could report the abuse to the authorities.

GDPR also states that customers should be able to remove themselves from such lists. How do you take someone off the cookie list? And for that matter, who wants to be removed from the cookie list? You can send me their cookies. I’m happy to opt into that.

Does this mean that companies need to add to their terms and conditions in case of the possibility that the company may send you glad tidings during the holiday season? We could call it the Holiday Merriment Clause (not to be confused with that Santa Claus guy).

Since I just brought up that merry man, the UK allows children to send cards to the Post Office that will then be forwarded on to Santa (maybe it’s Father Christmas there, I’m not really sure, feel free to comment). Santa will then write the children back. A quick Google search shows that Santa will also send letters from Finland, Ireland, and Military in Europe (Yeah Santa! or Father Christmas or Kris Kringle – as long as it’s not Krampus we’re good!).

Unfortunately for that Jolly Man, GDPR states that the data processing is only lawful when a child is 16 years old or older. Children under that age must have their parent’s consent. Does this mean that Santa can get in trouble if a child writes to him and the parents don’t know about it and he then writes them back? We are talking about Santa here, and if he knows if kids have been bad or good, he probably knows whether parents gave their consent or not, but I’m just saying. It would also be a very naughty parent to turn Santa in to the GDPR authorities. But the question still remains.

Technically these are abuses under the GDPR regulations. While companies likely won’t get into trouble for these violations, it is prudent to think about these kinds of things in the brave new world of data protection.

And if GDPR went after these companies, I would be forced to say, “You’re a mean one, Mr. GDPR.”

Share this post

Kim Brushaber

Kim Brushaber

Kim Brushaber is the Senior Product Manager for ER/Studio Business Architect at IDERA. Kim has over 20 years of experience as a Business Analyst, Software Developer, Product Manager and IT Executive. Kim enjoys working as the translator between the business and the technical teams in an organization.

scroll to top