SMBs fret about the cost of data privacy compliance


The United States is slowly edging toward establishing a federal data privacy law, based on the European Union’s General Data Protection Regulation (GDPR). Meanwhile, some states such as California have made more rapid progress by already passing similar legislation. Despite Congress’ relatively slow start, several proposals have been tabled, with expectations that new regulations could be in place by 2020.

While consumers may view this as good news, whatever form the national legislation takes, small and medium-size businesses (SMBs) are apprehensive about the true cost of compliance with new data privacy regulations, according to a recent survey.

America’s 30.2 million SMBs are the biggest innovators, job creators and employers, while contributing almost 10 billion of private non-farm National Gross Domestic Product (GDP). Since this is a monetary value for all products and services produced domestically, GDP is universally acknowledged as an effective way of measuring a country’s overall wealth and economic growth.

However, like any debate that pits public and private interests against each other, there are justifiable competing interests to consider here. A new consumer privacy law that focuses on the consent of individuals inevitably means that there will be accompanying compliance costs. And, as we have seen in Europe, these costs can be considerable. While this may not be a problem for tech giants such as Microsoft, Google or Apple, it represents a much greater financial burden for small and medium-sized businesses.

What are small businesses in the U.S. worried about?

The Connected Commerce Council (3C) is a non-profit digital technology industry organization that supports and empowers small businesses with the digital resources they need to succeed faster and more profitably. 3C recently published a report entitled ‘Small Businesses Data Regulation and Responsibility’, based on the findings of a national survey of SMBs across the U.S.

3C surveyed a mix of businesses to sample ideas concerning new and stronger privacy regulations. The selection involved companies in 12 categories, ranging from agriculture to finance. The size of businesses ranged from 5 to 500 employees, with approximate annual revenues of $25,000 to $1 million. The respondents were either small business owners, or senior decision makers.

Interestingly, 80 percent of the respondents admitted that they had very little knowledge of data protection law, but 72 percent said they were in favor of improvements to privacy regulations. A majority concern, however, was the possibility that changes to existing privacy laws might cause significant disruption to the day-to-day running of the business. This concern translated into 56 percent of respondents believing that changes to current regulations will cause an adverse effect on their business. Only 15 percent believe that lawmakers will pass regulations that will not negatively impact small businesses.

Further to this feedback, the survey also indicates that most SMBs in the U.S. understand that privacy regulations need to evolve, following the many incidents of mishandling of personal data by tech giants like Facebook, Instagram and Google. However, 40 percent of these respondents do not believe in a “one size fits all” approach for small businesses, and only 16 percent are confident that policy makers possess the know-how to adequately regulate social media platforms.

It is no secret that, just like the majority of small business owners, Congress has little or no knowledge of data privacy. Less than 4% of Congress members are from an IT background, which comes as no surprise when one considers the poor display of tech-savviness put on during last year’s data breach hearings. In fact, Senators Patrick Leahy and Orrin Hatch openly confessed, during the Facebook hearings, that they come from the pre-internet era and do not intend to make any efforts to catch up with technology.

Other concerns voiced by the polled SMBs included:

  • senators’ apparent lack of understanding of the importance of online marketing;

  • the inability of regulators to stay up-to-date with current threats; and

  • a basic lack of trust in the government.

Data privacy legislation + insufficient knowledge

The survey found that levels of knowledge and preparedness are greatly influenced by company size.
51 percent of businesses with 250+ employees were confident that they possess a high level of knowledge of data privacy and data protection regulations. Only 12 percent of the smallest companies were equally confident. Responding to financial influences, businesses that are more profitable appear to have a greater degree of confidence in their ability to implement compliance measures.

State or federal regulation? That is the question

The survey revealed a small preference, only 1 percent, for federal rather than state regulation. SMBs expressed concerns about comparing unique privacy regulations for each state. Also, a number of respondents feel that small businesses might consider relocating to states where privacy regulations are comparatively relaxed, something that could potentially encourage some states to intentionally fail to properly address consumer privacy and data protection.

Across the board, it was very clear that respondents welcome the idea of new privacy regulations. However, many have a strong conviction that the commercial and operational needs of SMBs must be addressed in order for this to succeed. Although these SMBs were open to the idea of new regulations, they felt that the regulations should apply only to larger companies at first, then be applied to all businesses at a later stage. The majority also said there should be unique sets of rules for tech giants and for SMBs.

The small to medium-sized businesses selected to participate in the survey were asked to submit direct quotes on the subject. The concerns that were raised included:

  • Lack of budget to implement necessary changes forcing companies to simply go offline.

  • Concerns about new privacy regulations necessitating a complete overhaul that can’t be handled without losing business.

  • Worries that the new regulations could impede growth.

  • Fears of entrepreneurs’ inability to start a business due to the burden of regulatory compliance.

  • Concerns that even if SMBs are not unfairly burdened, the increased costs for larger tech companies could be passed on to SMBs that rely on their services.

When we consider that businesses with fewer than 500 employees represent 99.7 percent of the U.S. economy, it would seem that alleviating the concerns of SMBs will be the key to data privacy and protection regulations that will satisfy the needs of all organizations.


Sources: Connected Commerce Council, U.S. Small Business Administration