Privacy Ref Blog

SMB privacy: no free pass

Like larger enterprises, small and medium businesses (SMBs) collect personal information about their customers, employees, vendors and other stakeholders; it is just part of doing business. Establishing an SMB privacy program would be very beneficial for these businesses, but for the majority of SMBs the thought of protecting personal information is not a priority. At least one recent survey found that over 70% of the SMBs questioned did not realize they had regulatory obligations to protect personal information.

While legislative bodies, the Payment Card Industry (PCI) Security Council, and other regulators recognize that SMBs have limited resources and “cut them some slack”, SMBs do not have a free pass on protecting information. For example,

SMB privacy challenges and risks

Stemming from limited financial and labor resources, an SMB cannot afford to dedicate staff to a privacy function. In fact, the informal research I have done has shown that it is not unusual for the responsibility for privacy in an SMB to be unassigned. As technology, regulations, and your business evolve, the practices you have established need to evolve as well. Without responsibility assigned, an SMB’s privacy practices cannot respond to changes and improve, if they even existed in the first place.

Also, SMBs are often operated with a limited number of formal policies and procedures. Without direction on privacy matters, employees must make their own judgments. Frequently a staff member will think they are doing the right thing, but it may put the business at risk.

For example, I often see the practice of an employee keeping a list of credit card numbers for frequent customers. Placing a credit card on the list makes it easier for that customer to place an order. If the paper with that list or the computer on which the list is stored is stolen, you have a data breach.

Clearly, risks to an SMB’s bottom line exist due to fines from regulators or attorneys general. There is also a top-line risk due to the brand damage done by the news of a data breach. A large enterprise may be able to sustain this downturn in business, but an SMB may not.

Even without a data breach, there is a risk that an SMB will lose business to a competitor due to the lack of a privacy program. Larger businesses are asking for information about their vendor SMBs’ privacy programs with increasing frequency. If an SMB privacy program is not in place, the customer may look for another vendor.

A new discussion group…

I invite you to join a recently started discussion group on LinkedIn called Privacy for SMBs. This group has been set up to share conversations, ideas, and concerns to help SMBs protect their stakeholders’ personal information. Sharing ideas, concerns, and news will help us all to improve the protection of stakeholders’ personal information across SMBs.

…and a webinar

Also, a highlight of Privacy Ref’s Data Privacy Day Champion activities is a webinar the firm will provide on “Kick-starting a Data Privacy Program.” The webinar will take place on January 28, 2013 from 1:00 PM to 2:00 PM EST. Those with strong interest are urged to register early as limited seats are available. For more information, or to register for the webinar, please visit

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on January 12, 2013 by Bob Siegel