For those who observe it, the Christmas season (secular version 2.0) is definitely here. As a child, I cherished the thought of a man with a red suit accessing our house through the chimney. For those of us concerned about computer system security, we worry about a person with a black hat accessing our data through phishing, hacking, and malware. I hate to mention, well, you know who, but someone out there loves the thought of taking your Whoville roast beast.

Enjoy the next few days with your family and friends, but remember, it’s also time to consider your data security for 2016. Knowing you, once you’ve opened all the presents, eaten dinner, and just settled down for a moment of quiet sanity, your thoughts will inevitably turn to the new year. So, here are six holiday-themed recommendations for your consideration. If you don’t recognize the quotes below, that means you didn’t spend your childhood binge-watching classic holiday programs. Not a worry – simply unwrap the answer key at the bottom.

  1. Privacy Compliance Program: “I never thought it was such a bad little tree. It’s not bad at all, really. Maybe it just needs a little love.”

You should review your current privacy and data security compliance program and consider whether it fits your company’s risk profile and strategic plan. Your executives and your IT team should meet in January to discuss the upcoming year.

  2. Board Governance: “Why am I such a misfit? / I am not just a nitwit / You can’t fire me, I quit / Seems I don’t fit in.”

Do your board meetings include regular discussion of data security and privacy issues? Have you considered including a privacy expert on your board? Your company should make these questions a priority in 2016.

  3. Cloud Computing: “Friends call me Snow Miser / Whatever I touch / Turns to snow in my clutch / I’m too much!”

As your company considers its IT plan for the new year, cloud strategies will likely be an important focus. You should consider the safety of the trade secrets and consumer data you put in the cloud and the risk of those items falling to the ground.

  4. Privacy Policies: “You’ll shoot your eye out.”

As noted in a previous blog post, your company needs to consider the restrictions contained in your privacy policy to avoid self-inflicted damage with your customers. Your legal team should note those restrictions in any agreement with third parties that have access to your data.

  5. New EU Data Protection Rules: “It’s a difficult responsibility / That you accept from the number-one lawmaker, me / Have it known throughout the land from sea to sea / There’ll be no more toymakers to the King!”

If your company has a business presence in Europe, you should consider compliance with EU data protection regulations. These regulations are a moving target at the moment, and remain more restrictive than limitations in the United States.

  6. Breach Readiness: “I passed through the seven levels of the Candy Cane forest, through the sea of swirly twirly gum drops, and then I walked through the Lincoln Tunnel.”

When your company is making plans for 2016, you should review your breach response readiness. The day after the breach is the wrong time to consider these issues. Coordination of the multiple activities needed for effective response is crucial, and without an effective response plan, sorting out who does what, when, and how can be more complicated than the Candy Cane forest.

I can assure you that my heart isn’t two sizes too small, but please start 2016 with thoughtful consideration of your company’s data security and privacy matters.