Small- and Medium-Sized Businesses


Small- and Medium-Sized Businesses Topic Page

Often, a privacy and data protection “team” in a small organization means one individual, who may have other responsibilities, doing their best to follow the laws and implement policies and practices that protect consumer and employee privacy. Particularly in the digital age, following the laws of all the jurisdictions in which a small business operates can be a complex undertaking.

The IAPP understands these people need all the help they can get. This topic page aims to help with tools, tips and guidance. The IAPP Resource Center has additional topic pages that can provide useful resources for small- and medium-sized businesses, including Workplace Privacy, Crafting a Privacy Notice and Organizational Privacy Policies.

Featured Resources


How machine learning can help small businesses deal with data privacy compliance

From understanding applicable regulations to balancing customer experience and data collection, it’s not easy for smaller companies to complete all compliance measures within budget and expectations. This article covers how automation tools and solutions can help simplify compliance.


Vaccine credential systems: Considerations for US employers

This article brings employers up to speed on what it will take to ensure vaccine credential systems comply with federal and state laws while also pointing out the inevitable privacy concerns that may be raised.


Privacy fatigue and how to combat it

This article explains how a well-developed strategy can help privacy professionals combat organizational privacy fatigue.


How to facilitate privacy in smaller companies

Early-stage startups may not realize the possible consequences of not having a privacy program. This article provides helpful methods on how to begin implementing a proactive privacy program with an early-stage startup.


Looking at how our small business uses data: A GDPR perspective

This article analyzes how a small business excavated the personal data it collects to better understand how to comply, created a checklist of things to consider, and gained insight into managing customer consent.


Starting Up Privacy at a Startup

This article addresses starting a privacy program at a startup, with observations provided on the differences and similarities between privacy programs and roles at a large multinational versus a small tech start-up.

Additional News and Resources

Study shows data breach impacts on US SMEs

Nonprofit Identity Theft Resource Center's "2023 Business Impact Report" showed 73% of 551 U.S.-based small and medium-sized businesses were impacted by a data breach this year, Infosecurity Magazine reports. Breach preparedness was high among respondents at 85%, but less than 50% adopted cybersecurity best practices, including multifactor authentication, mandatory password strength and authorized employee access.

ICO publishes guide for small businesses to respond to data protection complaints

The U.K. Information Commissioner’s Office issued a six-step guide for small businesses that receive data protection complaints. The steps are to acknowledge receipt of the complaint, find out the specific issue related to the complaint, provide updates to the data subject, record actions taken in response to the complaint, formally respond to the individual with the outcome of the investigation, and review lessons observed.

Report: 67% of small US businesses don't have incident response plan

A report by Stericycle’s information security service Shred-it found 63% of high-ranking executives and 67% of small U.S. businesses do not have an incident response plan, while 75% of large U.S. businesses have experienced a data breach, Venture Beat reports. Also, one in four North American businesses expressed concerns a data breach is likely in the next 12 months. For consumers, nearly 70% of those surveyed were impacted by a data breach in 2021.

Tech vendor looks to fill market gap by targeting SMEs

Ryan McErlane knows the challenges small- and medium-sized enterprises face on a daily basis, as he is the co-founder of one himself. McErlane heads up Dataships, a privacy technology vendor based out of Ireland that has created a solution specifically geared toward SMEs. While privacy tech vendors have focused on large, multinational organizations, McErlane said SMEs have not received the same level of attention. Now that those companies are starting to catch the eye of regulators, McErlane be...

SMEs speak out against Apple's ad-tracking changes

The Wall Street Journal reports small- and medium-sized businesses are voicing concerns over how Apple's App Tracking Transparency framework will affect business models and competition. Facebook previously spoke out on negative effects for businesses stemming from ATT, and now SMEs are becoming equally skeptical. John Merris, CEO of startup retailer Solo Stove, said he is "not in the camp that privacy doesn’t matter" but does question "where is the right place to draw the line? And why is Apple ...

3 benefits for businesses to adopt PDS

Collection and analysis of personal data on a mass scale are essential for businesses to enhance their decision-making processes, better understand their customers and serve them personalized services. While individuals enjoy reaping the benefits of personal services, there is a growing concern over privacy. According to Pew Research, 81% of Americans report they feel a lack of control over their personal data and are highly concerned about how their data is used and shared. To give individual...

Privacy Shield invalidation poses problems for SMEs

Axios reports the potential impact of the invalidation of the EU-U.S. Privacy Shield agreement may differ depending on business size. While larger companies may be able to rely on the more complex and expensive standard contractual clauses to continue data transfers, small- to medium-sized enterprises may face a tougher road. "As with any compliance concern, it's a matter of capacity for small and medium businesses," said Better Business Bureau National Programs Deputy Director, Privacy Initiati...

What US companies without EU assets should know about business contracts

Since the EU General Data Protection Regulation went into effect, most American companies have been inundated with contract addenda from vendors, customers and just about everyone else with whom they do business, intended to respond to the privacy requirements of the GDPR. In this piece for The Privacy Advisor, Hinshaw & Culbertson Partner David Levitt explains why American companies without significant EU-based assets may not need to sign such addenda.

Study: 10% of SMEs are GDPR compliant

A study by the Data & Marketing Association found 10% of small- to medium-sized businesses in the U.K. are fully compliant with the EU General Data Protection Regulation, while 25% are only in the early stages, MediaPost reports. Of the 293 marketing executives surveyed, 68% said their company has a moderate to good understanding of the GDPR, while 74% rated their company’s knowledge as high. “There is a concern about knowledge gaps and training made available in medium-sized businesses” reg...

Data Protection law compliance: Assessment for small business owners and sole traders

This self-assessment tool, released by the U.K. Information Commissioner's Office, helps outline the level of data protection compliance your small business or organization adheres to. Also, after completing the self-assessment checklist, you are provided with a report suggesting practical actions you can take and providing links to additional guidance you could read that will help you improve your data protection compliance.

Study finds small businesses struggling with cyberattacks

A study conducted by insurer Hiscox found while small businesses suffered cyberattacks, many of them did not take action to prevent further incidents, USA Today reports. The study found 47 percent of small businesses suffered one cyberattack in 2017, while 44 percent said they experienced between two and four incidents. Despite the number of cyberattacks, approximately half of small businesses said they had a cybersecurity strategy, with two-thirds admitting they did not enhance security followi...

How startups can beat breaches on a budget

Data security and privacy concerns are everyone’s challenge because any modern business is dependent on technology in some way. However, security and privacy is not an equal challenge for every business. For established companies, addressing the issue of data security may be a nuisance, but their vast resources can make compliance easier by facilitating the hire of a sophisticated IT security vendor or an experienced data security expert. For cash-strapped startup companies that prioritize growt...