Small- and Medium-Sized Businesses


Often, a privacy and data protection “team” in a small organization means one individual, who may have other responsibilities, doing their best to follow the laws, and implement policies and practices that protect consumer and employee privacy. Particularly in the digital age, following the laws of all the jurisdictions in which a small business operates can be a complex undertaking.

The IAPP understands these people need all the help they can get. This topic page aims to help with tools, tips and guidance. The IAPP Resource Center has these additional topic pages that can provide useful resources for small- and medium-sized businesses:

Looking for a vendor to help with your privacy and data protection program? Take a look at the IAPP Privacy Vendor Marketplace.

Featured Resources

Machine learning & small business privacy compliance

This article covers how automation tools and solutions can help simplify data privacy compliance for small businesses.

Vaccine credential systems: US employer guidance

This article brings US employers up to speed on what it will take to ensure vaccine credential systems comply with federal and state laws while also pointing out the inevitable privacy concerns that may be raised.

Privacy fatigue and how to combat it

Organizations are facing fatigue across multiple fronts, including the onslaught of new privacy legislation and enforcement, while trying to balance these risks with skyrocketing interest in data around the world. While it is not an easy task, Amy de La Lama explains how a well-developed strategy can help privacy professionals combat organizational privacy fatigue.

Latest News and Resources

Starting-up privacy: How to facilitate privacy in smaller companies

Regardless of the size of a company, allocation of resources is of the utmost importance. Early-stage startups may not realize the possible consequences of not having a privacy program. This may be because management believes its resources are better allocated elsewhere. It took time, numerous conversations, and education for Irene Koulouris, CIPP/US, to get her team to understand why privacy was so important to the economic success of the company. In an article for The Privacy Advisor, Koulouri...

ICO publishes guide for small businesses to respond to data protection complaints

The U.K. Information Commissioner’s Office issued a six-step guide for small businesses that receive data protection complaints. The steps are to acknowledge receipt of the complaint, find out the specific issue related to the complaint, provide updates to the data subject, record actions taken in response to the complaint, formally respond to the individual with the outcome of the investigation, and review lessons observed.

Report: 67% of small US businesses don't have incident response plan

A report by Stericycle’s information security service Shred-it found 63% of high-ranking executives and 67% of small U.S. businesses do not have an incident response plan, while 75% of large U.S. businesses have experienced a data breach, Venture Beat reports. Also, one in four North American businesses expressed concerns a data breach is likely in the next 12 months. For consumers, nearly 70% of those surveyed were impacted by a data breach in 2021.

Tech vendor looks to fill market gap by targeting SMEs

Ryan McErlane knows the challenges small- and medium-sized enterprises face on a daily basis, as he is the co-founder of one himself. McErlane heads up Dataships, a privacy technology vendor based out of Ireland that has created a solution specifically geared toward SMEs. While privacy tech vendors have focused on large, multinational organizations, McErlane said SMEs have not received the same level of attention. Now that those companies are starting to catch the eye of regulators, McErlane be...

Small business guide to data protection
(Comparitech, September 2022)
SMEs speak out against Apple’s ad-tracking changes
(IAPP, April 2021)
3 benefits for businesses to adopt PDS
(IAPP, September 2020)
Privacy Shield invalidation poses problems for SMEs
(IAPP, August 2020)
What US companies without EU assets should know about business contracts
(IAPP, May 2020)
Study: 10% of SMEs are GDPR compliant
(IAPP, March 2020)
Cisco Report: Small Business Cybersecurity Report
(Cisco, March 2020)
8 Cyber Security Best Practices For Your Small To Medium-Size Business
(Cox Blue, May 2019)
Data Protection law compliance: Assessment for small business owners and sole traders
(UK ICO, October 2018)
Data Privacy and Security Basics for Protecting Your Small Business
(The Small Business Radio Show, May 2019)
Study finds small businesses struggling with cyberattacks
(IAPP, June 2018)
White Paper – How Privacy Awareness Builds Trust
(IAPP, January 2018)
Looking at how our small business uses data: A GDPR perspective
(IAPP, September 2017)
How startups can beat breaches on a budget
(IAPP, September 2016)
Starting Up Privacy at a Startup – Article Series
(IAPP, July 2016)
What’s a nonprofit to do? How to create the (best) privacy program, on the cheap
(IAPP, April 2016)
Privacy 101 for SMEs: The Best Defense is a Good Offense
(IAPP, January 2014)
Tips for minimizing human privacy errors
(IAPP, June 2013)
Kick-Starting a Privacy Program
(IAPP, February 2013)
We learned our data privacy basics in high school
(IAPP, January 2013)
A practical guide to IT security—Ideal for the small business
(British Information Commissioner’s Office, January 2013)

Guidance, Compliance and Assessment