Here’s a common scenario for most businesses.
A potential customer visits your website, and instantly you have data about their browser and site interactions. At some point, that potential customer decides to share some information with you. For example, they give you their name and email address in order to receive your newsletter. Their personal information is now in your system. Next, the customer emails or calls about services or price levels. Your system saves these messages, too.
Now, let’s say the customer decides to buy a product and gives you their credit card details. From there, you expand your product offerings and email your customer to offer them discounts. And finally (it’s sad, but it happens), your customer might cancel their purchase of your product.
These are all things that you might do during the acquisition, retention, and management of a customer.
All of this sounds pretty reasonable as part of business operations, right? Generally, yes. But ask yourself these questions:
- Are you actually using everything you collected? Or are you collecting it just in case?
- Can any of the data you’re collecting be used to identify a specific person?
- If a customer asks what data you have about them, can you give them a list?
- Is anything you collected protected by law?
- If a customer wants to end their relationship with you and asks that all their data be deleted, can you do it? Are you actually required to do so?
If you struggled to answer these questions, don’t worry! They aren’t always easy questions to answer. By the end of this post, you’ll know exactly what you need to do to ensure proper data compliance in your small business. We’ll achieve that by answering these four questions:
- What is data compliance, and why do you need it?
- What are some major standards involved in data compliance?
- What’s unique about data compliance for small businesses?
- What are the right practices to put in place to improve data compliance in your small business?
What Is Data Compliance?
You collect data from customers in the course of running your business. After you collect it, you store, transmit, and process that data among computers you control. The servers that receive the data, the databases and files that store it, the network connections that transmit it, and all the processes that use it—these make up your scope for data compliance. Data compliance is an important success pattern as you grow your business.
Data compliance is a way for a company to show that all its handling and use of customer data is secure and proper. The exact information security controls you use tend to derive from your company’s need to demonstrate compliance. You typically must demonstrate compliance for one of four reasons:
- Laws or government regulations require compliance for you to operate.
- A company refuses to become your customer unless you comply with common standards.
- You want to build the consumer trust that comes with being in compliance with well-known standards.
- Your company has set internal policies for its own operations.
Let’s discuss these reasons in detail.
Compliance with government regulations is typically mandatory. Think about a restaurant that must comply with health codes. Failing a health inspection will result in the restaurant closing.
If you’re a senior leader in a business, you can go to jail for not being in compliance with some standards. At the end of 2001, Enron’s widespread accounting fraud became known, and it led directly to the Sarbanes-Oxley Act (SOX) of 2002. SOX is now a U.S. federal law that can lead to jail time for executives whose companies violate it, and companies must demonstrate compliance with it.
While no data compliance law is this harsh yet, governments aren’t messing around. You need to take government-mandated compliance seriously.
Some companies simply won’t do business with you if you aren’t in compliance with certain standards. After all, it’s less risky for them to require everyone in their supply chain to meet the same compliance standards they do.
If you’re the supplier for large companies, you’ll probably have little choice here. They’ll dictate the terms of the relationship if you want to do business with them. On the other hand, this can be an opportunity because compliance can give you a competitive advantage if your competitors lag behind.
The time is passing when customers trusted businesses to handle their data properly. There have simply been too many incidents of customer data leaking onto the internet. Also, customers are increasingly technology savvy. They’re more likely to use tools that keep them safe, and they’ll expect you to use similar tools. For example, the web browsers Chrome and Firefox alert you immediately if you browse a site the browser considers insecure. They go so far as to make it very difficult to even access the page. More and more, compliance is a necessary factor to attract and retain customers.
Generally when we talk about data compliance, we’re referring to third-party standards. However, those aren’t the only kind. Businesses create policies to control actions within a firm, and leadership expects others to follow those policies. In bigger firms, an internal audit or compliance group has the job of verifying that departments comply with these policies. For data compliance, an Information Security Office within a company sets data security policies, so they will normally verify compliance.
While it’s not possible to cover every standard that’s important in data compliance, a few are so significant that they need to be mentioned. Even if you don’t concern yourself with any others, you should be aware of these.
- Payment Card Industry Data Security Standard (PCI DSS) is generally required if you’re going to take credit cards. You’re in scope for it if any customer credit card information passes through any computer system you own.
- Health Insurance Portability and Accountability Act (HIPAA) applies if you handle customer healthcare data in the United States. For that reason, you’ll need to become well versed in HIPAA’s requirements if you’re in the healthcare industry.
- General Data Protection Regulation (GDPR) is a European Union regulation for customer data. The main goal of GDPR is to allow consumers to control their data. Consumers must consent to giving you their data. They have the right to know what data you have about them, to request a copy of all of it, and to have it deleted. Failure to comply with GDPR can result in heavy fines. If you have any customers in the EU, you must understand GDPR.
Identifying Other Standards
You can identify other potential standards in one of three main ways:
- Many standards are industry-specific, so find ones that apply to your industry.
- Government standards are normally at the country level rather than the regional or local level. Consult with a lawyer with experience in privacy law for any country you do business in.
- Hire a privacy expert. Since many data compliance standards are related to privacy, a consultant can bring you the outside expertise you may lack.
As you look for a lawyer and a privacy expert, ask potential candidates how much experience they have with small businesses. Small businesses have needs and requirements in this area that large businesses don’t.
What’s Unique About Data Compliance for Small Business?
The internet offers plenty of advice about data compliance, but be aware of the particular needs of small businesses in this area.
Lack of Dedicated Personnel
Big companies have departments focused on compliance. They’re usually staffed with compliance professionals who have extensive experience. In contrast, small businesses may not have any permanent compliance staff. Instead, a single person is charged with those duties on top of other parts of their job. Often the CFO is the catch-all for compliance.
Balancing Compliance and the Needs of a Small Business
As a small business, you’re constantly hustling to attract new clients, keep existing clients happy, improve operations, and expand business capabilities. This is how you stay in business. Compliance doesn’t generate revenue as directly as those activities, so it’s easy to overlook. However, between government penalties, shallow business relationships, and little consumer trust, ignoring it will affect your bottom line one way or the other.
Now that you know what data compliance is and why it matters, what are specific steps you can take to ensure it happens in your business?
Practices to Adopt
First, let’s look at steps that just about every small business can take to improve data compliance. Then we can get into more specific areas.
- Sell the vision for data compliance companywide. Don’t assume anyone knows what you’re trying to comply with or why. Instead, show how it ties to company success. Explain to each employee how their role affects data compliance.
- Consider hiring a privacy consultant. Many of the data compliance standards are complex. If you have an in-house legal team, lean on them to help you. If not, or if they aren’t technically savvy, hire a privacy consultant who specializes in the standards you need.
- Minimize data compliance exposure over time. Compliance is expensive. If you can provide the same product to customers while handling less regulated data yourself, you should. To do so, partner with businesses whose core competency requires them to be in compliance, and design your systems and legal contracts so that their compliance becomes your compliance wherever possible. For example, if a payment processor handles card data so that it never passes through your own systems, your PCI DSS scope shrinks accordingly.
- Appoint an internal owner for every data compliance standard. Make sure that, for each standard, there is one person at the company who has it in their job description. Then publicize that person’s name, empower them with the right level of authority, and support them from the senior leadership level. If you aren’t willing to do this, don’t expect your data compliance to go well.
- Appoint named individuals from departments to a compliance working group. Most of the standards require cross-functional efforts to demonstrate compliance. Charter a team, headed by the data compliance owner, to do the heavy lifting.
- Establish a cadence for compliance activities. Normally the compliance milestones are well-known. Generate a calendar that shows the entire year of activities necessary to submit the final artifacts on time, and publish it where all employees can access it.
- Assign a data owner for every piece of customer data you collect. The owner must be from a business group that needs the data, not from IT. GDPR requires that every piece of data you collect be necessary, and a data owner will ensure that’s the case.
- Create a team for data oversight. Having a data owner is the right first step. Next, form a team or working group that validates the business case for any new piece of data. In other words, if someone in the organization wants to collect a new category of data, there must be a justification for why collecting this information is necessary and how the company will protect it. This again keeps collection focused on data the business actually needs while avoiding duplication.
- Keep your technology current. It’s no one’s idea of fun to spend a year upgrading servers from Windows 2000 to 2003. However, newer versions tend to fall in line with the necessary technology standards. It costs time and money to upgrade applications and hardware, so show management how this ongoing maintenance affects data compliance.
- Don’t assume the cloud is more secure—it’s easy to use it insecurely. More companies are moving to cloud-based technology solutions. The cloud platforms help you achieve some rough baseline of information security, but it’s shockingly easy to deliver technology services insecurely through them. You’re still responsible for your customers’ data in the cloud, so make sure you understand what the platform secures for you and what remains your job. Some common mistakes companies make include cloud configuration errors that leave sensitive data publicly exposed, insecure connections between the cloud and on-premises infrastructure, and of course, general human error in such mundane areas as leaving open web browsers on shared computers or reusing passwords across sites.
Data compliance is an ongoing challenge in any business. But in a technology-centric world, it’s unavoidable. By following the practices in this post, you can ensure proper data compliance and increase consumer trust in your company.
This post was written by Daniel Longest. With over a decade in the software field, Daniel has worked in basically every possible role, from tester to project manager to development manager to enterprise architect. He has deep technical experience in .NET and database application development. And after several experiences with agile transformations and years spent coaching and mentoring developers, he’s passionate about how organizational design, engineering fundamentals, and continuous improvement can be united in modern software development.