Privacy Ref Blog

SMB privacy: no free pass

Like larger enterprises, small and medium businesses (SMBs) collect personal information about their customers, employees, vendors and other stakeholders; it is just part of doing business. Establishing an SMB privacy program would be very beneficial for these businesses, but for the majority of SMBs the thought of protecting personal information is not a priority. At least one recent survey found that over 70% of the SMBs questioned did not realize they had regulatory obligations to protect personal information.

While legislative bodies, the Payment Card Industry (PCI) Security Council, and other regulators recognize that SMBs have limited resources and “cut them some slack”, SMBs do not have a free pass on protecting information. For example,

SMB privacy challenges and risks

Stemming from limited financial and labor resources, an SMB cannot afford to dedicate staff to a privacy function. In fact, the informal research I have done has shown that it is not unusual that the responsibility for privacy in an SMB is unassigned. As technology, regulations, and your business evolve, the practices you have established need to evolve as well. Without responsibility assigned, an SMB’s privacy practices cannot respond to changes and improve, if they even existed in the first place.

Also, SMBs are often operated with a limited number of formal policies and procedures. Without direction on privacy matters, employees must make their own judgments. Frequently a staff member will think they are doing the right thing, but it may put the business at risk.

For example, I often see the practice of an employee keeping a list of credit card numbers for frequent customers. Placing a credit card on the list makes it easier for that customer to place an order. If the paper with that list, or the computer on which the list is stored, is stolen, you have a data breach.

Clearly, risks to an SMB’s bottom line exist due to fines from regulators or attorneys general. There is also a top-line risk due to the brand damage done by news of a data breach. A large enterprise may be able to sustain this downturn in business, but an SMB may not.

Even without a data breach there is a risk that an SMB will lose business to a competitor due to the lack of a privacy program. The frequency with which larger businesses ask for information about their vendor SMBs’ privacy programs is increasing. If an SMB privacy program is not in place, the customer may look for another vendor.

A new discussion group…

I invite you to join a recently started discussion group on LinkedIn called Privacy for SMBs. This group has been set up to share conversations, ideas, and concerns to help SMBs protect their stakeholders’ personal information. Sharing ideas, concerns, and news will help us all to improve the protection of stakeholders’ personal information across SMBs.

…and a webinar

Also, a highlight of Privacy Ref’s Data Privacy Day Champion activities is a webinar the firm will provide on “Kick-starting a Data Privacy Program.” The webinar will take place on January 28, 2013 from 1:00 PM to 2:00 PM EST. Those with strong interest are urged to register early as limited seats are available. For more information, or to register for the webinar, please visit

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on January 12, 2013 by Bob Siegel