Compliance is everybody’s business

SMBs must be just as concerned with compliance as enterprises

Regulatory compliance is a big focus for big businesses today. Privacy concerns are driving government regulation, and some industries are proactively adopting their own privately enforced rules in an effort to head off further government interference.

Enterprises are in the spotlight and can’t afford to have their household names associated with violation of government and industry requirements. But what about small and medium sized businesses?

Small and medium sized businesses face special challenges and situations as new laws bring more and more of them into the regulatory arena, where they must navigate a maze of mandates laid out in confusing and sometimes vague legal jargon that makes it hard to even understand what the requirements are and whether they apply to you, much less how to meet them.

But meet them you must. Fines for failure to comply with federal and international regulations such as The U.S. Health Insurance Portability and Accountability Act (HIPAA) and the European Union’s General Data Protection Regulation (GDPR) can cost your company thousands or even millions of dollars.

The GDPR imposes fines for non-compliance that can be as high as 20 million Euros (almost $23 million USD as of the date of this writing) or 4 percent of your annual global turnover (revenues), whichever is highest.

The damage to your organization’s reputation may be even more expensive, and the disruption of business operations with resultant lost productivity and lost revenues can be costly, as well. According to a Ponemon Institute study, The True Cost of Compliance with Data Protection Regulations, “The consequence of not managing compliance risks include a loss of trust that will jeopardize customer loyalty, and the inability to deliver services and products causing revenues to decline. Beyond the economic impact, non-compliance increases the risk of losing valuable information assets such as intellectual property, physical property and customer data.”

Unfortunately for SMBs, both the likelihood that your organization will fall short in complying with regulatory requirements and the ramifications of being out of compliance can be even greater than for large enterprises.

The increasingly long arm of the regulatory law

In the past, many small and medium sized organizations – unless they were in health care, financial services, or a few other highly regulated industries – didn’t have to deal with compliance issues.

The GDPR changed that. Taking effect in May 2018, its broad applicability had many small businesses scrambling to come up with a compliance strategy. When the GDPR replaced the 1995 EU Data Protection Directive, it greatly expanded the territorial scope of the law. The new law applies even to organizations that have no physical presence or employees inside the EU, if they collect, store, or process any personal data related to anyone who resides in the EU (not just EU citizens).

Under the GDPR, “personal data” includes much more than just sensitive information such as credit card and bank account numbers, government identification numbers, birth dates, and medical and financial information, addresses and phone numbers. It can also include such things as location data, online identifiers (such as user names or IP addresses), political opinions, job history, and “any information relating to an identified or identifiable natural person.”

But it’s not just about the GDPR. More and more states, nations, and international bodies are passing laws that impose privacy protection and other requirements on organizations within their jurisdictions. Within the U.S., those laws can differ from state to state, making it particularly difficult to keep up with which ones apply to you and whether you’re compliant.

Big multi-national corporations have entire departments and many employees devoted exclusively to keeping abreast of compliance issues and ensuring that the company meets the standards. Most SMBs don’t have that luxury.

Are the rules different for SMBs?

Does your small or medium organization have to meet the same requirements as those huge companies that can afford to hire an army of compliance officers? Although it might not seem fair, in most cases the answer is yes.

The GDPR does differentiate between small and larger businesses when it comes to record-keeping requirements. Organizations with fewer than 250 employees don’t have to keep records with the same level of detail as those companies whose personnel exceed that number – unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data… or personal data relating to criminal convictions and offences referred to in Article 10”. In that case, your records will need to go into the same level of detail.

You might think that if your business is small, you don’t need to appoint a data protection officer (DPO) to comply with the GDPR. Think again. This is a case where size doesn’t matter; the determining factors are how much and what kind of personal data you collect, store, or process. Regardless of the size of your organization, you need a DPO if you engage in “regular and systematic monitoring of data subjects on a large scale” or if you collect records on a large scale pertaining to:

  • Criminal convictions
  • Ethnicity
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union membership
  • Health
  • Sex life or sexual orientation

Let’s take another example: the HIPAA security rule. The U.S. Department of Health and Human Services (HHS) has recognized that small healthcare entities have different circumstances and needs, and allows covered entities to implement appropriate solutions based on size, complexity, and capabilities, as well as your technical infrastructure and cost considerations.

These slight modifications to the rules for smaller entities don’t exempt you from meeting the base requirements of the respective regulations.

The SMB compliance challenge

It’s easy to see why compliance is particularly challenging for small and medium businesses. While you’re held to the same or almost the same requirements as the biggest conglomerates, you have to accomplish the same thing with far fewer resources. A company with 30 – or even 300 – employees can’t afford to assign dozens or hundreds of people to full-time risk management and compliance like an enterprise that employs 30,000 or more.

The consequences of non-compliance are more likely to have a devastating impact on SMBs, too. A $100,000 fine that is pocket change to a major corporation may be a significant chunk of a small firm’s profit margin. And not only are you likely to lose the trust of some of your customers if they discover that you haven’t complied with regulations, but you could even be sued for breaching their privacy.

The good news is that there are third party compliance management companies to which you can outsource the compliance function. The bad news is that these services are often quite costly, and thus may be beyond the budget of a small company, and you lose some control over your compliance strategy (but remain solely responsible for your compliance).

It’s not all gloom and doom, though. SMBs actually do have some advantages over enterprises when it comes to compliance. You probably have fewer data subjects to worry about, less data to protect, and fewer employees, contractors, and others who have access to that data. It’s (theoretically, at least) easier to protect the data of hundreds or thousands of customers than of millions.

Privacy, policy, and security

From an IT perspective, compliance is primarily about security. While compliance guidance usually focuses on privacy and policy, security measures are the means by which you protect privacy and enforce policy.

On another happy note, there are many good compliance management software solutions that you can implement to meet compliance requirements, some of which may not scale to enterprise levels but will work well for your small or medium sized business. These include auditing and security scanning solutions, threat management, access control, network monitoring, patch management software, and more that can be deployed to meet your specific compliance needs.

Cloud services provide built-in tools such as encryption options, identity and access management (IAM) systems, virtual network isolation, and other security tools that help to protect personal data as required by privacy regulations. When combined with on-premises tools mentioned above, achieving your compliance goals becomes much more doable.


The requirements for securing data, protecting privacy, responding to customer requests regarding their personal data, and reporting to regulatory oversight agencies are growing rapidly, and so is the cost of meeting these demands. SMBs are not exempt, and in fact it’s even more important for small and medium organizations to get and stay compliant, as they don’t typically have the cash reserves to easily pay the large fines that can be assessed for non-compliance, or to withstand the loss of customers’ trust that can result.

Complying with all of the government and industry regulations that may apply to your business today is neither easy nor cheap – but it’s not as difficult or as expensive as the consequences of failing to do so.

