Will your Christmas cards cause a GDPR breach?

Are your company’s Christmas cards GDPR friendly?

It might sound like a Daily Mail headline, but don’t dismiss this as political correctness gone mad just yet. Your company Christmas cards could very well result in a data protection violation.

Santa Claus checks his list twice, and so should you. Keeping marketing lists up to date is vital for GDPR compliance and sending out the annual Christmas card is no different than any other mass mailing. Are there people on the list who’ve objected to receiving marketing information, or former customers your business hasn’t dealt with in years? Strike them off. The last thing you’ll need in the new year is a flurry of data protection complaints.

Only send one Christmas card to each person

Marketing efforts must also be coordinated across the business. Getting a Christmas card from a company you spend money with can be a nice little reminder during the holiday season. Getting five from the same company, not so much. Account managers, marketing, the board and the CEO don’t need to bombard the same address with their own separate festive greetings.

Be mindful of religion

If your company sends out cards to certain people for different religious holidays, such as Hanukkah or Diwali, be careful about how those decisions are made. Religious belief is sensitive personal data, requiring more care as well as an additional lawful basis for processing. Openly sharing sensitive personal data across different departments without appropriate safeguards could result in a data protection breach. Plus, making assumptions about a person’s religion based on factors like their name could cause an embarrassing gaffe.

Have an unsubscribe option for marketing emails

Sending out seasonal e-cards can be even more fraught with thorny data protection issues. In addition to GDPR, electronic marketing must also comply with the Privacy and Electronic Communications Regulations (PECR), which tightly regulate email communication. The recipients must have actively opted in to receiving direct marketing by email, although there are potential exceptions for existing clients and prospects. As with all electronic marketing, the Christmas card must offer a clear option for recipients to unsubscribe.

While the ICO is unlikely to act like the Grinch who stole Christmas cards, poor data management for festive greetings could be indicative of wider breaches or procedural failures across the business. There’s no need to take a bah-humbug approach and cancel corporate Christmas cards, but when making your list, just make sure to check it twice.