Philip Brining at Data Protection People explains how to get off Santa’s data naughty step
The festive period is a busy time of year, not just for shoppers, but also for businesses looking to connect with their customers in meaningful ways. From offering dazzling Christmas deals to sharing heartfelt holiday wishes, the season is brimming with communication opportunities.
Through creative marketing campaigns, thoughtful gestures, and community engagement, businesses can embrace the spirit of giving and joy. It’s the perfect moment to spread festive cheer and build stronger, lasting connections with their audience.
However, it’s also a time to stay extra vigilant about protecting your data; after all, no one wants to end up on Santa’s naughty list.
Let’s explore some common danger areas for businesses during the festive season, ranging from something as simple as sending greetings cards to managing the details of new customers gained from increased activity.
Who doesn’t love to send their best wishes to all we know at Christmas? In the olden days, physical cards were sent through traditional mail, but more recently there has been a move to send festive emails, emails with fancy cards attached. I have even seen executable files delivered via email to enable animated advent calendars to be accessed. But these new methods are fraught with danger.
Firstly, the attachments could be malicious. “Hi Phil, here’s what I got you for Christmas… malware!” So, be very wary of what you click on.
Secondly, we have data protection laws to navigate
The General Data Protection Regulation (GDPR) doesn’t interfere with the sending of festive greetings for our own purely domestic, personal, household purposes, but it does affect the sending of festive greetings in a work setting. So, engage in good practice and be sure to BCC all recipients. No one wants to be accused of misusing data or of a data breach.
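As an added example (not from the article), here is what the BCC advice looks like in a Python mailing script: a pre-send check that flags customer addresses exposed in To:/Cc:, and a helper that keeps the recipient list in the SMTP envelope rather than inside the message bytes. All addresses are constructed placeholders.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "greetings@example-company.co.uk"   # constructed sample sender
RECIPIENTS = [                               # constructed sample customers
    "alice@example-customer.com",
    "bob@example-customer.org",
    "carol@example-customer.net",
]


def build_greeting(sender, recipients, use_bcc=True):
    """Build the festive mailing. use_bcc=False reproduces the classic
    mistake of listing every customer in To:, which shows each address
    to all the others (a personal data breach in its own right)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Season's greetings"
    msg.set_content("Hi, have a great Yuletide!")  # greeting only, no offer
    if use_bcc:
        msg["To"] = sender                 # only our own address is visible
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    return msg


def exposed_recipients(msg, sender):
    """Pre-send check: addresses readable from To:/Cc: other than the
    sender's own. A non-empty list means the send would disclose
    customer data to third parties, so it must not go out."""
    visible = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = {a.lower() for _, a in getaddresses(visible) if a}
    return sorted(addrs - {sender.lower()})


def envelope_and_bytes(msg):
    """Split the message into the SMTP envelope recipient list and the
    bytes to transmit. EmailMessage.as_bytes() keeps Bcc:, so the header
    is deleted from a copy first (smtplib.send_message does the same);
    otherwise the whole customer list would travel inside every copy."""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    rcpts = sorted({a.lower() for _, a in getaddresses(hdrs) if a})
    wire = copy.copy(msg)
    del wire["Bcc"]
    return rcpts, wire.as_bytes()
```

Run `exposed_recipients` on every outbound bulk message before it reaches your mail relay; the envelope list from `envelope_and_bytes` is what you hand to `smtplib.SMTP.sendmail`.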
Another aspect of data protection law we need to be very mindful of is if we choose to send e-cards. The Privacy and Electronic Communication Regulations (PECR) sit alongside the GDPR and regulate the sending of unsolicited direct marketing by electronic methods such as email and SMS. The PECR is a complicated beast that you need to tread carefully with. Reach out to a privacy expert if you are unsure of its provisions.
In summary, the PECR would only apply if your festive message was promotional, so be careful when it comes to the creative and avoid designing anything that could be construed as salesy or promotional. “Hi, have a great Yuletide” is fine; “Hi, here is a 5% voucher to help you enjoy Yuletide” is probably not.
The PECR only applies to unsolicited direct marketing messages, but it is unlikely that anyone would actually ask you to send them a Christmas card, so it seems most likely that anything you send out would be considered unsolicited: i.e. not specifically requested.
The PECR also demands that you have consent to send unsolicited direct marketing by email/SMS – although there are some narrow exemptions, such as where you are sending to a corporate subscriber: a business email address, for instance. And as consent must be informed and specific to be valid, a general agreement to receive “marketing” is not considered to be specific enough. So beware. Challenge the consent that you think you have to see if it stands up to scrutiny.
This is not to say that you should not send promotional festive messages – just be aware that you must comply with the PECR if you decide to do so.
If you collect information on new customers or prospects during Christmas promotions, be sure to provide suitable privacy information setting out how and why you intend to use the information. Don’t hamstring yourself by drafting the privacy notice too narrowly. Collecting data for a Christmas promotion means just that and it may be that you are unable to use it beyond Christmas. Be sure that the privacy information accurately describes how you intend to use the data.
Finally, with holidays and skeleton staffing, make sure that your security incident and data breach processes are capable of working with restricted staffing. If data breaches must be reported to your Data Protection Officer, who has chosen to spend Christmas in Barbados – what are the alternative provisions? Remember that personal data breaches must be reported to the Information Commissioner within 72 hours of their detection unless the breach is unlikely to present a risk to people’s privacy and other fundamental rights.
Christmas is a time of increased activity, making businesses more vulnerable to data and security breaches. While sending Christmas cards and campaigns is a great way to build and retain your customer base, it’s essential to comply with data protection regulations. Stay vigilant and avoid ending up on Santa’s naughty list!
Philip Brining is a Director at Data Protection People
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543