Small and medium-sized businesses often understand the critical importance of compliance, but just as often don’t have the resources to manage it like larger organizations. Campbell Hutcheson, CCO at Datto, offers guidance to help close that gap.
As of 2018, there were 30.2 million small and medium-sized businesses (SMBs) in the U.S., which account for 99.9 percent of all U.S. businesses. Despite their size, and despite common perceptions of what it means to be an SMB, small businesses are not exempt from compliance requirements and regulations. Regulations and industry standards, such as the Health Insurance Portability and Accountability Act (HIPAA), Canada’s Anti-Spam Law (CASL) and Sarbanes-Oxley (SOX), dictate what a company can and cannot do with its customers’ data.
While standards obviously vary by industry and company size, the two regulations that have garnered widespread attention over the past year are the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018, which goes into effect on January 1, 2020. Both regulations are designed to enhance privacy rights and encourage businesses of all sizes to take every necessary step to protect consumers’ personal information.
Meeting compliance requirements such as GDPR and the California Consumer Privacy Act is challenging for several reasons, from associated costs to technology requirements. SMBs in particular need to think about the regulations that apply to the operation of their own business, not in the context of how larger enterprise companies address them. SMBs aren’t just smaller versions of enterprise companies. They have their own operational processes and face unique challenges that call for SMB-specific solutions. “Enterprise-grade” or “enterprise-light” solutions often aren’t suited to individual SMB needs.
SMBs generally understand the critical importance of compliance, but many don’t have the resources to manage it the way larger organizations do. Complying with these regulations often requires additional investment and resources, yet the cost of being noncompliant, and the resulting impact, are often much higher.
SMB Compliance Challenges
The majority of SMB owners start or purchase their businesses because they are passionate about what they sell and/or the service(s) they provide. There’s not always enough time in a day to consider compliance requirements and manage the technology involved in running the business. So, to some SMB owners, it comes as an unwelcome surprise when navigating complex regulations becomes part of their daily activities.
Compliance rules can impact many areas of a small business, including marketing, IT and administration. Here are some of the challenges that SMBs face with stricter compliance laws:
- Data Sharing With Customers: If a customer requests what information a small business has collected about them, then the business may be obligated to share the data with them. Many businesses do not have the resources to handle such requests, nor the time to honor them.
- Data Breaches: After establishing guidelines for how data is used and stored, businesses will want to be able to prove they are protecting consumers’ personal information and that they are prepared to be held accountable if such information is compromised as a result of a security breach. SMBs may want to confirm that their internal processes allow them to notify the relevant parties of a data breach within 72 hours of learning about it.
How SMBs Can Remain Compliant with New Regulations
So, what can SMBs do to prepare for new regulations, such as the California Consumer Privacy Act? To start, they can learn from the experiences of other companies that went through the process of gaining GDPR compliance.
- Document Early: SMBs can get ahead of requests for data by documenting early what consumer data they hold. Having a greater understanding of what personal data they have, where it came from and who it’s shared with can streamline the process if a customer requests their data.
- Appoint a Data Protection Officer: While it may not seem like a data protection officer is necessary for an SMB, having a dedicated person on site to work with customer data and ensure that the business stays in compliance may well be worth the cost of an additional employee, or the effort of making this part of an existing role.
- Budget: SMBs will need to budget ahead of time for any new IT infrastructure and processes that will have to be put in place, including updating the website to add language that explains consumers’ rights when it comes to their data.
- Partnership: By partnering with a managed service provider (MSP) who manages IT needs, SMBs can lean on their partner to perform IT data checkups and help ensure the security of customer data. MSPs can look for things SMBs can do differently and help them develop a plan to fix any potential mistakes or vulnerabilities.
Compliance is as important for small businesses as it is for large, multinational corporations. A lack of knowledge of current requirements is not an adequate excuse for failing to comply. Every SMB needs to look at how it collects, processes, shares and stores data in order to make sure it has the processes and policies in place to protect the integrity of that data. Small businesses also need to put measures in place to facilitate data access requests, and procedures in place to identify and report a data breach should one occur. By continuing to document, hire the right people, budget ahead of time and partner with IT experts, SMBs will be ready to meet any compliance requirements and regulations, both now and in the future.