Privacy Ref Blog

SMB privacy: no free pass

Like larger enterprises, small and medium businesses (SMBs) collect personal information about their customers, employees, vendors and other stakeholders; it is just part of doing business. Establishing an SMB privacy program would be very beneficial for these businesses, but for the majority of SMBs the thought of protecting personal information is not a priority. At least one recent survey  found that over 70% of the SMBs questioned did not realize they had regulatory obligations to protect personal information.

While  legislative bodies, the Payment Card Industry (PCI) Security Council, and other regulators recognize that SMBs have limited resources and “cut them some slack”, SMBs do not have a free pass on protecting information. For example,

SMB privacy challenges and risks

Stemming from limited financial and labor resources, an SMB cannot afford to dedicate staff to a privacy function. In fact the informal research I have done has shown that it is not unusual that the responsibility for privacy in an SMB is unassigned. As technology, regulations, and your business evolve the practices you have established need to evolve as well. Without responsibility assigned, an SMB’s privacy practies cannot respond to changes and improve if they even existed in the first place.

Also, SMBs are often operated with a limited number of formal policies and procedures. Without direction on privacy matters employees must make their own judgments. Frequently a staff member will think they are doing the right thing, but it may put the business at risk.

For example, I often see the practice of an employee keeping a list of credit card numbers for frequent customers. Placing a credit card on the list makes it easier for that customer to place an order. If the paper with that list or the computer on which the list is stored is stolen you have a data breach.

Clearly risks to an SMB’s bottom line exist due to fines from regulators or attorneys general. There is also a top line risk due to to the brand damage done from the news of a data breach. A large enterprise may be able to sustain this downturn in business, but an SMB may not.

Even without a data breach there is a risk that an SMB will lose business to a competitor due to the lack of a privacy program. The frequency that larger businesses are asking for information about their vendor SMBs privacy program is increasing. If an SMB privacy program is not in place the customer may look for another vendor.

A new discussion group…

I invite you to join a recently started discussion group on LinkedIn called Privacy for SMBs. This group has been set up to share conversations, ideas, and concerns to help the SMBs protect their stakeholder’s personal information. Sharing ideas, concerns, and news will help us all to improve the protection of personal stakeholder information across SMBs,

…and a webinar

Also, a highlight of Privacy Ref’s Data Privacy Day Champion activities is a webinar the firm will provide on “Kick-starting a Data Privacy Program.” The webinar will take place on January 28, 2013 from 1:00 PM to 2:00 PM EST. Those with strong interest are urged to register early as limited seats are available. For more information, or to register for the webinar, please visit

  • author's avatar

    By: Bob Siegel

    Bob Siegel, the founder and President of Privacy Ref, Inc., has extensive professional experience in the development and improvement of privacy policies and procedures, the definition of performance metrics to evaluate privacy maturity, and the evaluation of compliance. He utilizes a combination of alignment, adaptability, and accountability strategies to guide organizations in achieving their privacy goals.

    He is a Fellow of Information Privacy (FIP) and a Certified Information Privacy Professional, awarded from the International Association of Privacy Professionals, with concentrations in U.S. private-sector law (CIPP/US), US public sector law (CIPP/G), European law (CIPP/E), and Canadian law (CIPP/C). He is also a Certified Information Privacy Manager (CIPM) and Privacy Technologist (CIPT).

    Siegel is a member of the IAPP faculty, has served on the Certification Advisory Board for the CIPM program the Publications Advisory Board.

    Siegel also writes the blog “Operational Privacy” on

  • author's avatar

  • author's avatar

    Preparing your customer-facing staff
    Automation for Privacy
    Don’t Forget Basic Communication
    Top 6 Things For GDPR Procrastinators To Do
    Using GDPR as a framework for your privacy program (even if you are not in scope)

    See all this author’s posts

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on January 12, 2013 by Bob Siegel
Tags: , , , , ,

« »

No Responses

Comments are closed.

« »

Subscribe to our mailing list

Please fill out the form below.


Want to find out more?

Simply go to the contact page, fill out the form, and someone from Privacy Ref will be in touch with you. You can also send an email to or call (888) 470-1528.


April 16, 2018

IAPP Training Classes
Privacy Ref is proud to announce that we are an official training partner of the IAPP. You now have the opportunity to learn from one of our knowledgeable privacy professionals using the most respected training content in the industry. The robust interactive training offered, aids in the understanding of critical privacy concepts. The contents of the courses are integral to obtaining your privacy certifications and to educate your new team. Learn more here.

Latest Blog Posts

September 21, 2018

Is Your Biometric Clock Ticking?
I recently read an article published on the Society for Human Resource Management’s website on the prevalence of biometrics in the employment context. Specifically, the author referenced a Spiceworks’ survey of IT professionals from February 2018 that provided, in my mind, surprising results. Continue reading this post...

Other Recent Posts