0800 435 772

News and views

Home > News > Data Protection - Points To Consider At Christmas...

Latest news

Data Protection - Points To Consider At Christmas...

Posted on 6 December 2017SharePrint

Keep your data well-wrapped this Christmas and stay on the ICO’s good list...

This time of year is very important for those organisations that use the opportunity to add to their marketing database or make use of their existing customer data to sell more products during peak sales periods.

It is also a crucial period for parts of the manufacturing and technology sectors, especially as many new products that are Internet enabled will feature highly on Christmas wish-lists across Europe.

As the spirit of goodwill spreads throughout the holiday season, it presents perhaps the most important fund-raising opportunities of the year for those organisations that rely on charitable donations.

This will be the last Christmas before the new EU General Data Protection Regulation (GDPR) becomes fully enforceable on 25th May 2018. The GDPR places many new restrictions on the way personal data can be collected and processed. It will have significant consequences for all of the above.

There are many issues that crop up at this time of year, which may raise some tough questions regarding your levels of compliance with this new Regulation. We have included just a few key examples to start you thinking…

A festival of shopping...

A quick glance at the planning calendar of any retail marketing professional will highlight several very important dates in a very short space of time. Black Friday in November is quickly followed by Cyber Monday. Both of these are particularly important to online retailers. Then there is the relentless run-up to Christmas throughout December and from Boxing Day to January sees the start of the big sales.

Retailers are spending millions of pounds on promotional campaigns to push their products at these festivals of shopping. A lot of the promotional activity will be targeted towards specific individuals based on existing data or data gathered in the coming weeks.

It is important that the data controllers are able to demonstrate that the data they are using has been collected in an honest and transparent manner and that they have the necessary consent, or other legal basis, for contacting people about their goods or services.

When it comes to collecting data under the new rules, one consideration might be data retention. GDPR requires that you keep data ‘only for as long as is necessary’. Christmas brings out a lot of once-a-year shoppers. How long is it appropriate to store their data? How many times should they be contacted when they are only interested in making a purchase on an annual basis?

Profiling and remarketing...

A very powerful tool for marketers at this time of year is online profiling. This enables retailers to promote certain goods based on the end user’s online choices or internet usage. We have all looked online for a Christmas present at some point, only to find ourselves bombarded by adverts for the same or similar products over the following days and weeks.

Another form of profiling is ‘remarketing’ where you visit a site but fail to make a purchase. The retailer can use Google’s Adwords service to continue showing you adverts for the item you almost bought for an extended period of time and on a wider variety of websites.

This form of advertising is going to be severely restricted under GDPR and if you are going to continue to use it then you will need to have explicit consent and have a system for preventing profiling from happening when somebody raises an objection.

Furthermore, if you use profiling on a large scale then you are likely to fall into scope for the mandatory requirement to appoint a Data Protection Officer (DPO), which raises many more complex issues.

The internet of things...

Many of the exciting gifts that people will receive for Christmas will be Internet enabled. These could include wearable technology, household items, white goods or even children’s toys. The technology can transfer data to and from the device, including health information, behaviour patterns, photographs, audio or video. In some other EU countries, the use of these devices by children is already severely restricted.

If you are a manufacturer of any product that is capable of being connected to the Internet then you will need to be aware of restrictions affecting relevant data controllers when GDPR is fully enforceable.

This kind of information is considered sensitive and as such requires explicit consent from the individual to be processed in this way.

You will also need to pay great attention to the security of that data and take appropriate technical and organisational measures to prevent hacking attacks. If any of this data actually leaves the EU then there are additional safeguards to be taken.

It is also likely that your organisation would also be mandated to appoint a statutory DPO, a role which carries many onerous obligations.


Christmas is a very important time for charities. It is a time of year when we give extra thought and consideration for those in poverty or need all around the world. Many people wish to show goodwill or share the Christmas spirit with charitable gifts or donations.

However, charities have been hard hit by the Information Commissioner’s Office in recent times, with several well-known institutions being subject to substantial fines.

If charities are going to collect the personal data of donors they must be clear that they have explicit consent for processing that data and are open and transparent about how the data will be used. They should not buy, sell or share personal data without explicit permission. Nor should they use unlawful profiling techniques to try and identify donors who may be deemed more generous. They should also limit the amount of time they keep the data and make efforts to keep it up to date and accurate.

If the charity processes personal data on a large scale then it is likely that it will also be required to appoint a Data Protection Officer. This could be an expensive problem for an organisation relying on charitable income.


If you are already addressing some of these issues then you are likely to be aware of the general requirement of the GDPR year-round and perhaps well on the road to compliance.

If not, then time is running out and you really need to bring yourself up to date very quickly. There is a lot to do in a shortening space of time.

Remember the sanctions are going to be potentially huge – up to €20 million or 4% of global turnover. You really don’t want to find yourself on the Information Commissioner’s naughty list…

If you haven't already attended our market-leading full day GDPR course, you can find all the upcoming presentations here...