LAS VEGAS — Data privacy legislation has haunted companies, requiring businesses to reevaluate what data they collect and why.
But for some, the compliance process went smoothly.
"Handling GDPR was a little bit easier because we are a global company already," said Stacey Halota, VP of information security and privacy at Graham Holdings Company, speaking Wednesday during a keynote at the Interop IT conference in Las Vegas.
Formerly The Washington Post Company, Graham Holdings is a conglomerate, which owns online magazine Slate and cybersecurity training company CyberVista. The size and breadth of its portfolio meant Graham Holdings already had to comply with regulation that preceded last year's European data rules.
Graham Holding biggest company, educational services company Kaplan, has two major divisions in Europe and was regulated by 1995 Data Protection Directive, which set rules for the processing and movement of personally identifiable information (PII) in the EU.
GDPR is a "supercharged version of the directive," Halota sad.
The challenge with GDPR and the follow on California Consumer Privacy Act is meeting the documentation requirements and ensuring the company casts a wide net around what it considers PII.
"It's really just being very careful about understanding and making sure that your definition of PII is broad enough to basically encompass all of that," Halota said.
Regulators can consider everything from social security numbers to emails, phone numbers and device information PII. Graham Holdings errs on the cautious side, and follows a broad definition.
Counting on compliance
Compliance with a sprawling network of data privacy laws — 14 states have or are working on data privacy laws — is not guaranteed. But a first step toward meeting standards is understanding what data a business is collecting.
Every year Graham Holdings has a mandatory data inventory, which it reports to the board, Halota said. It's "an enormous job but it's really critical to us to know what we have."
As part of the data audit, the company asks business units:
What data is collected
Where does the data go
What reports are generated based on the data
Where is it stored
Where is the back up
Because a keystone of the business is information, Graham Holdings must understand the data it has.
But technology modernization efforts and the ease of spooling up additional storage makes over-collection a breeze.
What the business collects is "precious," Halota said, "it's really important to only collect what we need."
Through the data inventory, Graham Holdings works to minimize its data collection, keeping its sensitive data footprint to a minimum. As part of the process, business groups are also asked if any data was deleted. If not, they are asked, "why not?"