LAS VEGAS — Data privacy legislation has haunted companies, requiring businesses to reevaluate what data they collect and why.
But for some, the compliance process went smoothly.
"Handling GDPR was a little bit easier because we are a global company already," said Stacey Halota, VP of information security and privacy at Graham Holdings Company, speaking Wednesday during a keynote at the Interop IT conference in Las Vegas.
Formerly The Washington Post Company, Graham Holdings is a conglomerate, which owns online magazine Slate and cybersecurity training company CyberVista. The size and breadth of its portfolio meant Graham Holdings already had to comply with regulation that preceded last year's European data rules.
Graham Holdings' biggest company, educational services company Kaplan, has two major divisions in Europe and was already regulated by the 1995 Data Protection Directive, which set rules for the processing and movement of personally identifiable information (PII) in the EU.
GDPR is a "supercharged version of the directive," Halota said.
The challenge with GDPR and the follow-on California Consumer Privacy Act is meeting the documentation requirements and ensuring the company casts a wide enough net around what it considers PII.
"It's really just being very careful about understanding and making sure that your definition of PII is broad enough to basically encompass all of that," Halota said.
Regulators can consider everything from Social Security numbers to email addresses, phone numbers and device information to be PII. Graham Holdings errs on the cautious side and follows a broad definition.
Counting on compliance
Compliance with a sprawling network of data privacy laws — 14 states have or are working on data privacy laws — is not guaranteed. But a first step toward meeting standards is understanding what data a business is collecting.
Every year Graham Holdings has a mandatory data inventory, which it reports to the board, Halota said. It's "an enormous job but it's really critical to us to know what we have."
As part of the data audit, the company asks business units:
- What data is collected?
- Where does the data go?
- What reports are generated based on the data?
- Where is it stored?
- Where is the backup?
Because a keystone of the business is information, Graham Holdings must understand the data it has.
But technology modernization efforts and the ease of spinning up additional storage make over-collection a breeze.
What the business collects is "precious," Halota said, "it's really important to only collect what we need."
Through the data inventory, Graham Holdings works to minimize its data collection, keeping its sensitive data footprint to a minimum. As part of the process, business groups are also asked if any data was deleted. If not, they are asked, "why not?"