Compliance with the European Union’s General Data Protection Regulation (GDPR)
For the National Western Stock Show, National Western Complex, Rodeo All Star Weekend, Denver County Fair, Coors Western Art, and Honoring The Legacy Campaign. (Referred to as NWSS within the context of this document)
This document provides an overview of the National Western Stock Show and all of its entities compliance with the European Union’s General Data Protection Regulation, or GDPR, which became effective on May 25, 2018. It provides a summary of the areas covered by the GDPR, NWSS’s high-level compliance in terms of governance and responsible parties, a general discussion about NWSS’s IT Security and Privacy environment, and specific information regarding the nature and legitimate business need for processing the data.
The GDPR applies to organizations involved in the processing of personally identifiable information (PII) of individuals located in the EU. An organization may or may not maintain an “establishment” in the EU and be covered by GDPR.¹ Without determining if or when NWSS maintains an establishment, we recognize that GDPR applies when, acting as a controller or processor, “the processing activities are related to offering goods or services to data subjects in the [EU],” even when the goods and services are offered for free.² Further, GDPR protections apply when NWSS processes the PII of data subjects in the EU, and that processing is related to the “monitoring” in the EU of the “behavior” of data subjects as their behavior takes place within the EU.³
Web pages and other forms may, through the use of forms, collect PII as well as by recording IP addresses or recognizing cookies4 from the end user. All such PII that we collect is extremely well protected, and NWSS desires to be transparent about how we secure and protect such data. Therefore, all NWSS governed web pages that are offering services to individuals which process PII shall include a URL reference to this document on the home web page offering such a service.
Provisions of the GDPR
The GDPR subtends three areas involving individual’s personal data, each provided in a subsection below.
General Principles for Processing Data
Personal Data shall be:
- Processed (i.e. collected, handled, stored, backed up, made accessible, disclosed and destroyed) fairly, lawfully and transparently. An organization must have a ‘legal basis’ for processing an individual’s personal data (e.g. the individual has consented to the processing, or the processing is necessary to operate a contract with them, or the processing is necessary to fulfil a legal obligation).
- Processed only for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to only what is necessary or for which consent has been given.
- Accurate (and corrected if it becomes inaccurate).
- Not retained for longer than necessary – data retention periods.
- Processed securely.
An Individual’s Rights under the GDPR
- The right to be informed of how their personal data are being used. This right is usually fulfilled by ‘privacy notices’ (or ‘privacy policies’) which set out how an organization will use an individual’s personal data, who it will be shared with, etc.
- The right of access to their personal data.
- The right to have their inaccurate personal data corrected.
- The right to have their personal data erased (right to be forgotten).
- The right to restrict the processing of their personal data pending its verification or correction.
- The right to receive copies of their personal data in a machine-readable and commonly used format (right to data portability).
- The right to object: to processing (including profiling) of their data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest
- The right not to be subject to a decision based solely on automated decision-making using their personal data.
Responsibilities of NWSS under the GDPR
The GDPR introduces a range of accountability requirements to encourage a proactive and documented approach to compliance.These accountability requirements include:
- Implementing policies, procedures, processes and training to promote ‘data protection by design and by default’.
- Having appropriate contracts in place when outsourcing functions that involve the processing of personal data.
- Maintaining records of the data processing that is carried out across the organization.
- Documenting and reporting personal data breaches.
- Defining GDPR Controllers as the points of contact for questions regarding the GDPR for data and services from the units covered.
- Identifying and acting on data retention periods for its data, and acting upon that (i.e. purging data) when the retention period is exhausted.
The GDPR sets out various exemptions from compliance, two of which are pertinent to institutions structured similarly to NWSS.
- Personal data processed for journalistic, artistic, literary or ‘academic purposes’ are exempt from the principles and almost all of the rights, though not the accountability requirements.⁵
- Personal data processed for ‘scientific or historical research purposes’, ‘statistical purposes’ or ‘archiving purposes in the public interest’ are exempt from two of the principles (those stating that personal data shall be processed solely for specified purposes and not kept for longer than necessary) and most of the rights, though not the other principles, the right to be informed (unless providing the privacy notice would be impossible or would involve ‘disproportionate effort’), or the accountability requirements.⁶
An individual’s consent is not required under the GDPR to process personal information for legitimate business purposes. Fortunately, almost all of the data we collect falls into this category, and direct, affirmative consent is not required. However, activities which are peripheral to the NWSS’s learning environment, research environment, and outreach environment are exempt from having to obtain affirmative consent.
Finally, it is noted that NWSS is required to collect, secure, keep, and maintain PII data under a wide variety of mandatory rules, regulations, and policies, including:
- State of Colorado records retention policy mandates keeping various types of documents and information for various time periods, as required by the State of Colorado Records Retention Manual (http://www.colorado.gov/pacific/archives/state-agency-recordsmanagement).
- GLBA – the federal Gramm-Leach-Bliley Act of 1999 (12 USC §1811) is synergistic with the GDPR, and requires certain protections to be put into place regarding IT Security and privacy of an individual’s financial records.
- SOX – the federal Sarbanes-Oxley Act of 2002 (116 USC §745) mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud, specifying reporting and retention clauses for financial data.
- Statewide reporting into the Colorado Department of Higher Education is required of student unit records into the statewide SURDS (Statewide Unit Record Data System) is required by state law.
- Mandatory Record Retention Policies required by the IRS on all financial transactions.
General IT Security and Privacy Environment, and NWSS’s GDPR Environment
Over about the last five plus years, there is no area in central IT to which we have paid more attention and devoted more effort than IT Security and Privacy. Over this time period, we have put many additional protections in place to enhance IT security and preserve individuals’ privacy, especially in regards to Personally Identifiable Information (PII). Specifically, in response to the GDPR, we have
- Identified Controllers for PII data for all of our relevant IT systems and services. Controllers are generally knowledgeable about the data collected, the business needs for the data, data retention and disposal periods, and other factors pertinent to their areas. Controllers may also refer individual requests to others with greater knowledge than they have, especially concerning reporting and business intelligence needs.
- Reviewed all of the PII we collect, and verified a business need to collect it.
- Reviewed storage and preservation of PII in our internal systems, and established necessary retention periods from a business needs perspective.
- Identified which information can be purged from which systems, over which time periods.
- Reviewed, revised and put into place contractual terms for all of our external vendors to comply with the GDPR who hold our PII. Most especially important here are added terms and conditions for data retention and disposal.
- Included an affirmative acknowledgment for GDPR for staff, and our affiliates agreeing to participate as an NWSS patron under our GDPR compliance in our Acceptable Use Statement that all users must accept.
- Worked with our Institutional Review Board to understand that there must be both data retention and disposal clauses in all IRB-approved protocols.
- While requests may be made for an individual’s PII data to be removed from out systems, this will only be possible in very limited circumstances, as we are required by federal and state statues, state fiscal rules, and other strictures to retain data for
1) required reporting, including retaining data for sufficient periods of time to respond to questions or queries regarding the data, and to allow us to recreate reports from multiple data sources, and
2) employ the use of data for business analytics to inform strategic and operational directions for NWSS to provide both more efficient and more effective IT services. The systems used for these purposes are our most well-protected systems, deep behind firewalls and access control lists, with granular access for individual users to only the data they need for business purposes.
How to Use the Information in This Document
Individuals residing in the EU who are covered under the GDPR may query the GDPR Controller for their area of particular interest, identified in Table 1 below in section “GDPR Areas and Controllers,” for specific questions regarding the processing of their personal data. General questions may be directed to the Facility’s General Controller for the GDPR, also identified in Table 1 in the section “GDPR Areas and Controllers.”
Right to Petition for Redress
Individuals residing in the EU who are covered under the GDPR who have contacted a Controller in their area of interest, and received an answer with which they are unsatisfied, or have not received an answer within a reasonable time period may petition for redress⁷ to the Facility’s General Controller for the GDPR, identified in Table 1 in the section “GDPR Areas and Controllers.” The Facility’s General Controller for the GDPR shall caucus with the Vice President of Finance, and respond to the request, normally within one week of receipt of the request. Should the individual be unsatisfied with that answer, or have not received an answer within two weeks of submitting the request, the individual may contact Facility’s General Controller for the GDPR and request that the response be reviewed by the Facility’s Senior Team, whose response shall be final.
General Approaches to Special Circumstances
There are several areas that merit special circumstances for services of a general nature, as described below.
General data collection – NWSS collects very little information of a personal nature, except as needed to fulfill a required business function. In most cases, we will not be able to accommodate “right to be forgotten” requests, as we must maintain complete and comprehensive information in order to facilitate efficient and effective operations in our environment. We simply do not have excess capacity to ingest and/or process extra information, nor do we ever sell your personal information to any provider for a fee. All of our sensitive data is maintained behind very robust firewalls, and intrusion inhibitive services, and therefore kept very secure and highly private.
Cookies – Cookies are small files contained on your personal device, computer, laptop, table, smart phone, etc. that are particular to specific web pages you visit. Cookies are processed by the web page to maintain your connections and your identity as you browse across web pages (the web is stateless, meaning that the. web by itself will not remember who you are as you browse through pages, “cookies” are required for this purpose). You have complete control of cookies on your device and you can choose to disable them. However, if you do so, you may then be unable to receive services from NWSS, especially ones that require your identity and maintaining your place in the hierarchy of the web.
System and network logs – NWSS is required by several laws (referenced above) to maintain system and network logs for specified periods of time. In most cases the retention period for the data is determined by the software/application, and we have little or no say in that. As these logs are a legal requirement, we cannot support the “right to be forgotten” in these logs. However, we can assure you that these logs are only used by us internally for purposes of analyzing and tuning (optimizing) our service delivery. We never distribute these, so that they are extremely secure and very private.
GDPR Areas and Controllers
Below, we indicate separately for each system and/or service the GDPR Controller (the “Controller”) for the system and/or service. Each Controller has reviewed the data collected for their system and/or service, removed from collection any data items not needed for reporting or business purposes, established a data retention period, and agreed to serve as the point of contact for individuals who may have questions about GDPR compliance.
¹ GDPR Art. 3(1) and Recital 22
² Rec. 23
³ Art. 4(2)(b) and Rec. 24
⁴ Rec. 30 states:
“Natural persons may be associated with online identifiers provided by their devices… such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
⁵ Art. 85(2), Rec. 153
⁶ Art. 89(1), Rec. 159
⁷ Art.47, Rec.108