“Cease and desist”. Santa picked up the thick, official-looking letter from today’s post. He drew a deep breath and was about to open the letter when his phone suddenly blared out Jingle Bells, telling him that Mrs Claus was calling. He answered, “Hello-ho-ho”. But she wasn’t happy with her bumbling husband, “Could you explain why you are wanted for questioning about unsolicited communication with minors?”

Santa nearly fell off his rocking chair. Hanging up on his wife’s ongoing monologue, he redialled the bright red phone on his desk. “Better late than never”, he murmured into his beard, kicking himself for not dealing with this sooner.

Spreading joy and happiness to the children of the Earth had always been Santa’s dream job and as long as he could manage everything on Excel sheets, only BSODs could dampen his spirits.

Now there were all these “laws” to consider. First, the EU had forced him to reclassify the mountain of snowballs he had made for the annual snowball fight as snow decahedrons. Then the General Data Protection Regulation (GDPR) had caused his white beard to turn black again as an innate protest that only another beard could begin to comprehend. Alas, he couldn’t deny that his operations had been amateurish. The children of the world’s personal data was plastered all over Lapland and he had completely forgotten who had access to what.

Santa’s challenge seems deceptively simple at first: Keep track of all the children in the world, what they want for Christmas and whether they have been naughty or nice.

However, Santa couldn’t possibly read all the millions of letters he receives himself. He has to rely on executive summaries from his head elves. In fact, he can’t even keep track of who’s been naughty or nice by himself. He trusts that to a small group of different elves each year, to act on his behalf. This group then needs to delegate roles to their underlings and so on, to make sure no child gets left out.

This is why Santa sought out Identity Access Management (IAM). With the IAM system ensuring that everybody can see who has granted access to whom, he wouldn’t have to worry about GDPR compliance. And while Europeans are the pioneers of 21st century privacy law, others are following in hot pursuit. Japan and California recently passed their own privacy laws, affecting 166 million people, and other national- and state-level legislation is expected to follow.

Santa learnt the hard way that it pays to keep things simple by hosting data at a centralised location – unless otherwise mandated by national law (e.g. Russia, China). Particularly when using public cloud platforms, one needs to carefully keep track of where data is stored and processed geographically – and be prepared to migrate it in part or in whole when the relevant legislation changes. Centralised IAM helps to ensure compliance not only by managing who can access what, but also by preventing identities from sprawling to countless new systems.

The GDPR also mandates that only the minimal amount of personal data required is stored or processed. An IAM system can be configured to comply – for example, instead of returning every person’s exact birthdate, it could simply return: “The person is over 18 years old: (yes/no)”.

In addition, IAM saves Santa a tremendous amount of time and effort by letting parents manage their kids’ privacy permissions via a self-service portal.

Santa smiled and realised it felt like it had been ages since he last had done so. All his worries had been solved with one piece of software, and now he could focus on what he does best – presents!

A few weeks later, Christmas Eve arrived. At nightfall, he got up and hurried to saddle up Rudolph and the other seven reindeer.

It was time. He took off with his newly-digitalised and GDPR-compliant list in his hands, and as the sleigh soared into the night sky over Finland, he made sure to drop off an extra-nice thank you gift to Ubisecure in Espoo, for the best IAM system he could ever have imagined.