Small- and Medium-Sized Businesses
Often, a privacy and data protection “team” in a small organization means one individual, who may have other responsibilities, doing their best to follow the laws, and implement policies and practices that protect consumer and employee privacy. Particularly in the digital age, following the laws of all the jurisdictions in which a small business operates can be a complex undertaking.

The IAPP understands these people need all the help they can get. This topic page aims to help with tools, tips and guidance. The IAPP Resource Center has these additional topic pages that can provide useful resources for small- and medium-sized businesses:

Looking for a vendor to help with your privacy and data protection program? Take a look at the IAPP Privacy Vendor Marketplace.

Featured Resources

Vaccine credential systems: US employer guidance

This article brings US employers up to speed on what it will take to ensure vaccine credential systems comply with federal and state laws, while also pointing out the inevitable privacy concerns that may be raised.

Privacy fatigue and how to combat it

Organizations are facing fatigue across multiple fronts, including the onslaught of new privacy legislation and enforcement, while trying to balance these risks with skyrocketing interest in data around the world. While it is not an easy task, Amy de La Lama explains how a well-developed strategy can help privacy professionals combat organizational privacy fatigue.

Business PDS Adoption

Personal data stores, which are central access points for individuals to upload, share, store, update and delete their personal information, are viewed as a means of best serving business and customer needs. Ali Talip Pinarbasi and Jay Pavagadhi explain three positives that come with employing PDS models.

Latest News and Resources

Starting-up privacy: How to facilitate privacy in smaller companies

Regardless of the size of a company, allocation of resources is of the utmost importance. Early-stage startups may not realize the possible consequences of not having a privacy program. This may be because management believes its resources are better allocated elsewhere. It took time, numerous conversations, and education for Irene Koulouris, CIPP/US, to get her team to understand why privacy was so important to the economic success of the company. In an article for The Privacy Advisor, Koulouri...

ICO publishes guide for small businesses to respond to data protection complaints

The U.K. Information Commissioner’s Office issued a six-step guide for small businesses that receive data protection complaints. The steps are to acknowledge receipt of the complaint, find out the specific issue behind the complaint, provide updates to the data subject, record the actions taken in response to the complaint, formally respond to the individual with the outcome of the investigation, and review lessons learned.

Report: 67% of small US businesses don't have an incident response plan

A report by Stericycle’s information security service Shred-it found 63% of high-ranking executives and 67% of small U.S. businesses do not have an incident response plan, while 75% of large U.S. businesses have experienced a data breach, VentureBeat reports. Also, one in four North American businesses expressed concerns that a data breach is likely in the next 12 months. For consumers, nearly 70% of those surveyed were impacted by a data breach in 2021.

Tech vendor looks to fill market gap by targeting SMEs

Ryan McErlane knows the challenges small- and medium-sized enterprises face on a daily basis, as he is the co-founder of one himself. McErlane heads up Dataships, a privacy technology vendor based in Ireland that has created a solution specifically geared toward SMEs. While privacy tech vendors have focused on large, multinational organizations, McErlane said SMEs have not received the same level of attention. Now that those companies are starting to catch the eye of regulators, McErlane be...

SMEs speak out against Apple's ad-tracking changes

The Wall Street Journal reports small- and medium-sized businesses are voicing concerns over how Apple's App Tracking Transparency framework will affect business models and competition. Facebook previously spoke out on negative effects for businesses stemming from ATT, and now SMEs are becoming equally skeptical. John Merris, CEO of startup retailer Solo Stove, said he is "not in the camp that privacy doesn’t matter" but does question "where is the right place to draw the line? And why is Apple ...

Privacy Shield invalidation poses problems for SMEs

Axios reports the potential impact of the invalidation of the EU-U.S. Privacy Shield agreement may differ depending on business size. While larger companies may be able to rely on the more complex and expensive standard contractual clauses to continue data transfers, small- to medium-sized enterprises may face a tougher road. "As with any compliance concern, it's a matter of capacity for small and medium businesses," said Better Business Bureau National Programs Deputy Director, Privacy Initiati...

Small business guide to data protection
(Comparitech, September 2022)
Privacy Shield invalidation poses problems for SMEs
(IAPP, August 2020)
What US companies without EU assets should know about business contracts
(IAPP, May 2020)
Study: 10% of SMEs are GDPR compliant
(IAPP, March 2020)
Cisco Report: Small Business Cybersecurity Report
(Cisco, March 2020)
8 Cyber Security Best Practices For Your Small To Medium-Size Business
(Cox Blue, May 2019)
Data Protection law compliance: Assessment for small business owners and sole traders
(UK ICO, October 2018)
Manage Risk by Protecting the Apps and Data That Drive Business Productivity
(Citrix, July 2019)
Data Privacy and Security Basics for Protecting Your Small Business
(The Small Business Radio Show, May 2019)
Study finds small businesses struggling with cyberattacks
(IAPP, June 2018)
White Paper – How Privacy Awareness Builds Trust
(IAPP, January 2018)
Data Protection & Business Facilitation Guiding Principles for Small and Medium Enterprises
(Hong Kong Privacy Commissioner for Personal Data, January 2018)
Looking at how our small business uses data: A GDPR perspective
(IAPP, September 2017)
European Commission’s GDPR Infographic
(European Commission, May 2017)
How startups can beat breaches on a budget
(IAPP, September 2016)
Starting Up Privacy at a Startup – Article Series
(IAPP, July 2016)
What’s a nonprofit to do? How to create the (best) privacy program, on the cheap
(IAPP, April 2016)
Privacy 101 for SMEs: The Best Defense is a Good Offense
(IAPP, January 2014)
Tips for minimizing human privacy errors
(IAPP, June 2013)
Kick-Starting a Privacy Program
(IAPP, February 2013)
We learned our data privacy basics in high school
(IAPP, January 2013)
A practical guide to IT security—Ideal for the small business
(British Information Commissioner’s Office, January 2013)

Guidance, Compliance and Assessment