
Privacy and the SMB

With the introduction of new privacy laws, I am frequently asked “what do I need to do?” by business owners. Recently, the question has been coming from SMB owners who are unclear whether the emerging privacy laws apply to them.

The challenge for an SMB is that establishing a privacy program, with policies, procedures, compliance testing, and one or more staff members to oversee it, may be cost prohibitive. Often, the SMB’s leadership will ignore privacy requirements on the premise that they are too small for regulators to target. However, recent enforcement actions suggest that this is neither a wise nor a proactive approach to privacy law.

Looking at the laws

For this discussion, let’s categorize the laws into those that apply to all organizations and those that do not apply to SMBs. Generalizing, the laws that apply to all organizations are national laws; think HIPAA and GLBA in the US and GDPR, LGPD, and PIPL internationally. The US state data protection laws, by contrast, have minimum thresholds for revenue or for the amount of personal information the business must possess before the law applies.

An SMB should review the laws that apply to the jurisdictions in which it does business, the jurisdictions in which its clients and customers reside, and the business sectors in which it participates, in order to understand its privacy obligations.

Are you a B2B company?

Let’s assume that the review of the laws determines your organization has no legal privacy obligations. Even if you are a B2B organization, you need to go one step further, as your clients may have legal privacy obligations of their own.

Your relationships with your customers may require you to process the personal information each of your clients provides about their employees or their customers. Your clients will require you to meet the privacy obligations with which they themselves must comply. So, while you as an SMB have no legal obligations of your own to meet, you must still meet them indirectly on behalf of your business clients.

A hypothetical

For example, a 20-person business in a US state does less than $20 million in revenue each year. The company provides branded products to its business clients for promotional purposes. Let’s assume that there are no legal privacy obligations that this business needs to meet under current law.

One of the business’s clients, a large consulting firm doing hundreds of millions of dollars in revenue from US and international sources, asks the business to create an online store to allow all of their employees to purchase branded materials and ship them directly to their prospects and customers.

Our little 20-person SMB now has to protect the personal information of thousands of individuals identified by the consulting firm, both staff and external parties, from both the US and abroad, while meeting the privacy obligations of that consulting firm.

What is an SMB to do?

The SMB owner is seeing visions of a huge revenue boost. After talking to their outside counsel, they are also seeing the prospect of a huge investment in establishing a privacy program.

An alternative is to engage an operational privacy consultant, essentially outsourcing your privacy team, to establish your privacy program. This approach allows an SMB to gain the expertise of experienced privacy resources at a fraction of the cost of building a privacy program on its own.

Reach out to Privacy Ref with all your organizational privacy concerns: email us at info@privacyref.com or call us at 1-888-470-1528. If you are looking to master your privacy skills, check out our training schedule, register today, and get trained by the top-attended IAPP Official Training Partner.