IAPP-GDPR Web Banners-300x250-FINAL

Privacy 101 for SMEs: The Best Defense is a Good Offense

Imagine you are a major retailer and have to disclose a few days before Christmas that hackers stole credit card details and personal data on about –oh, 110 million shoppers –from your secure safe. Or that just as your app is experiencing hockey stick growth, leading tech blogs and media blast you for uploading users’ contact lists to your servers without permission.

Hearing news like this, you probably cringe at the thought that this might happen to you. But, of course, you are not a major retailer or global corporation, or even an app with tens of millions of users commanding media attention; you are a small or medium enterprise (SME), so you don’t have to worry, right? Wrong! Privacy and data security must be strategic considerations for every business, including garage entrepreneurs developing cool apps or analytics companies with half a dozen employees.

Half a day of privacy training can do wonders and should be seen as a critical investment for any start up.

If you touch data –and who doesn’t these days? –you need to think about responsible information management from cradle to grave. The risks include not just security breaches but also a variety of privacy glitches, such as FTC enforcement actions alleging insufficient or inaccurate notice in a privacy policy, violation of user expectations or architectural design flaws in hardware or apps. The consequences can be grave, including enforcement actions by regulators, class-action lawsuits or worst of all, reputational injury just as you are trying to grow your business and seek funding from investors. Given the high-profile privacy issues over the past several months, you can expect angel investors and strategic partners to seek confirmation that you are privacy-savvy from the start.

Last week, marketing technologist and Ion Interactive CTO Scott Brinker released version 3.0 of his “marketing technology landscape supergraphic.” Nearly a thousand companies, many of them SMEs, were categorized into 43 sectors of an increasingly elaborate market awash with data. And as Brinker writes, “this graphic is not comprehensive … There are many more companies—indeed, entire categories —that were not included merely due to the constraints of time and space. And by the time you read this, it will inevitably be out-of-date due to new launches, re-launches, expansions, exits and mergers. The pace of change in this field is breathtaking.”

Do all of these players have their houses in order? What should you do as an SME to help manage privacy and data security risks?

Employing expensive consultants and law firms may not be an option right out of the gate. To get it right, remember that the best defense is a good offense. Attack the problem early; be proactive; prepare in advance; implement Privacy by Design; follow industry best practices. Most important, you need to have rudimentary issue-spotting skills. Half a day of privacy training can do wonders and should be seen as a critical investment for any start-up.

Here are some down-and-dirty tips to help you safeguard your data, build trust and avoid boosting newspaper sales with sensationalist business titles:

First, simply recognize that privacy and data security are not to be ignored and appoint a person responsible for both. It doesn't necessarily need to be an IT person or a lawyer but rather somebody in the organization has to own the issue. In privacy-lingo, we call it “accountability.”

Second, understand your business model, and know what data you are collecting. Don’t settle for open-ended or vague responses like "nothing sensitive" or “no personal data.” Someone needs to understand exactly what data is being collected and why. The distinction between “PII” and “non-PII” can be very fine and highly technical. Don’t use intuition. It doesn’t work here. As an example, if you are collecting consumers’ birthdates, examine what data you need and for what purpose—is year sufficient, or month and year or do you require an exact date? As with most data elements, the less data you collect and store, the lower the risk of identity theft or other harm in the event of a breach. And knowing the exact age of a consumer may create other risks of liability for your entity.

Third, sensitize your entire staff to the issue. It’s not that your employees need to become privacy professionals who “live and breathe” privacy, but they need to know why it's important, what they can do about it and whom they should address with questions or concerns. You want to flag the topic and encourage issue-spotting by your staff. It's about the bottom line and reputation—a hard-core business issue not an arcane compliance matter. Give examples—nothing works better than a few examples of a privacy disaster or data security incident to wake people up.

Fourth, find out if your business model touches any areas with sensitive data that may be subject to specific laws. Are you dealing with health data, financial data or children's data? Are you moving data around between the U.S. and Europe? If so, it may be time to call counsel.

Fifth, look for self-regulatory associations in your industry and check what they require. Consider joining, but if it isn’t feasible in the early stages of your business, you can benchmark your practices against the requirements of the self-regulatory framework. Strive for more but make sure that you at least comply with industry best practices.

Sixth, take this test: Do I want my company's name to appear in The Wall Street Journal next to this business practice? Does this line of business generate enough revenue to justify the risk? If you pause, think again.

Let’s get a bit more specific.

  • Be careful about just cutting and pasting a privacy policy from a similar business model. To be sure, it’s very common for small businesses to do so. But it’s also a good way to get in trouble. No case is easier for regulators or individual litigants to prove than one based on inaccurate or deceptive promises in a privacy policy. Make absolutely sure the representations accurately reflect your business practices. Don’t over promise in your privacy policy. It's a legal document, which creates liability. Avoid terms like "never" unless you are 100-percent certain you will "never" do that.
  • Have a data retention policy? Don't just keep data because it’s there. And that includes e-mail, documents, etc. You can't lose what you don't have. And yes, we know you are all high-tech, but don't forget about paper. Get a shredder and use it to grind employee files, confidential data from audits, anything sensitive. Regulators have brought enforcement actions against companies for data breaches based on the failure to properly dispose of paper records.
  • In the marketing business? Do some due diligence on your data sources. The NAI code, for example, has a "reliable sources" requirement that directs companies to do basic homework on business partners and sources of data. When examining a business partner, companies should look for membership in a self-regulatory association or seek a representation that the data provider has the necessary authority or permission to share the information.
  • If you offer any type of choice mechanism—for e-mail, catalogues, interest-based ads, telephone calls, data sharing—make sure that it works. Again, don't over promise here.
  • Most SMEs today have a website. Do you know what data is collected across your site? How? If you have forms or a shopping cart on your site, are they secure?

For more useful resources and in-depth analysis, we suggest you use the business resources page on the FTC website. It’s a great place to start with some very sound basic tips regardless of your business model or the size of your company. And of course, go to the IAPP’s Resource Center, which has practical tools, checklists, templates and more in-depth research from the Westin Research Center.

Written By

Omer Tene

Written By

Marc Groman, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»