Will your Christmas cards cause a GDPR breach?

Are your company’s Christmas cards GDPR friendly?

It might sound like a Daily Mail headline, but don’t dismiss this as political correctness gone mad just yet. Your company Christmas cards could very well result in a data protection violation.

Santa Claus checks his list twice, and so should you. Keeping marketing lists up to date is vital for GDPR compliance and sending out the annual Christmas card is no different than any other mass mailing. Are there people on the list who’ve objected to receiving marketing information, or former customers your business hasn’t dealt with in years? Strike them off. The last thing you’ll need in the new year is a flurry of data protection complaints.

Only send one Christmas card to each person

Marketing efforts must also be coordinated across the business. Getting a Christmas card from a company you spend money with can be a nice little reminder during the holiday season. Getting five from the same company, not so much. Account managers, marketing, the board and the CEO don’t need to bombard the same address with their own separate festive greetings.

Be mindful of religion

If your company sends out cards to certain people for different religious holidays, such as Hanukkah or Diwali, be careful about how those decisions are made. Religious belief is sensitive personal data, requiring more care as well as an additional lawful basis for processing. Openly sharing sensitive personal data across different departments without appropriate safeguards could result in a data protection breach. Plus, making assumptions about a person’s religion based on factors like their name could cause an embarrassing gaffe.

Have an unsubscribe option for marketing emails

Sending out seasonal e-cards can be even more fraught with thorny data protection issues. In addition to GDPR, electronic marketing must also comply with the Privacy and Electronic Communications Regulations (PECR), which tightly regulate email communication. The recipients must have actively opted in to receiving direct marketing by email, although there are potential exceptions for existing clients and prospects. As with all electronic marketing, the Christmas card must offer a clear option for recipients to unsubscribe.

While the ICO is unlikely to act like the grinch who stole Christmas cards, poor data management for festive greetings could be indicative of wider breaches or procedural failures across the business. There’s no need to take a bah-humbug approach and cancel corporate Christmas cards, but when making your list, just make sure to check it twice.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
