Data Privacy Guide for Small Businesses

In the age of technology, data privacy has become the latest layer that small businesses need to understand in order to build and operate a successful business. Not only are small businesses required to adhere to data privacy laws, but the better they do so, the stronger and more reputable the business will be. But how exactly does data privacy work, and how should you approach it? In our data privacy guide for small businesses, we’ll look at the major aspects that every small business owner should know.

What Is Data Privacy?

Data privacy, in its most stripped-down sense, is the understanding that businesses have a duty to hold data collected from individuals properly and responsibly. Regardless of how big or small a business is, when an individual shares personal data, especially sensitive information, with a business, the expectation is that the information will be kept secure. Likewise, if a customer asks the business to update or remove their stored personal information, that request must be honored as well. Any lapse in how data is handled, stored, used, or shared can easily become a violation of data privacy. And when that happens, small businesses can find themselves in a world of legal trouble.

Data Privacy vs. Data Security

While these two terms are sometimes used interchangeably, they are not the same thing. The term data privacy refers to properly and responsibly collecting, using, sharing, and disposing of an individual’s data. Data privacy is not reserved just for paying customers, either. Take, for example, a small business that has a website. Any visitor to that website is entitled to data privacy if the website collects any sort of information about that individual.

The term data security refers to the tools and practices, such as security software and access controls, that are used to prevent leaks of that private data. Issues such as data breaches, ransomware attacks, and hacks all fall under the umbrella of data security. Because the two terms mean different things, it’s important to understand the distinction in order to both protect and properly use an individual’s data.

U.S. Privacy Laws for Small Businesses

With the boom in technology and the profound impact it has had on the growth of small businesses, it may be surprising to learn that there is no comprehensive federal law governing how data privacy should be handled. There has been a push for a federal measure, but it is unclear how or when the current administration will enact such a law.

In the absence of a federal law, the Federal Trade Commission (FTC) does bring data privacy enforcement actions under its authority over “unfair or deceptive acts or practices.” In 2019 alone, the FTC acted on over 210 claims of data privacy and data security violations. For the time being, U.S. privacy law is made up largely of state legislation and industry-specific legislation.

State Governance of Data Privacy

Regardless of what type of business you have, your small business should adhere to the data privacy laws in your state. In addition to knowing your state’s data privacy laws, you should be familiar with the data privacy laws of other states as well. The general consensus on data privacy is that an individual’s data should be protected regardless of which state they live in. If an individual’s data is misused and that individual does not live in the state where you operate, you may still be held liable. As the importance of data privacy grows, more states are pushing through comprehensive legislation. Currently, only California, Maine, and Nevada have comprehensive data privacy laws.

Data privacy laws exist outside of the U.S. as well. On a global scale, the General Data Protection Regulation (GDPR) is one of the most notable, but it is far from the only one. If your business serves consumers in a specific region or country, it’s important to understand that region’s data privacy laws as well.

Industry-Specific Data Privacy

Your industry also plays a role in which laws govern your small business. Some industries are regulated more stringently than others. For example, small businesses operating in the healthcare industry may be subject to HIPAA, the Health Insurance Portability and Accountability Act. Likewise, businesses that work with children, such as daycares and educational businesses, may need to adhere to the guidelines under COPPA, the Children’s Online Privacy Protection Act.

How to Prioritize Data Privacy

Understanding data privacy laws and how they affect your small business is half the battle in running a successful operation. The other half is implementing strategies that help your small business comply with them. Here are some basic steps every small business should take.

Consult with a Privacy Attorney

While it might seem costly and burdensome, consulting with a privacy attorney can help you craft a plan for implementing effective data privacy strategies. Privacy attorneys can help you do the following:

  • Put together a strategy to minimize data privacy violations
  • Educate you on relevant and emerging data privacy laws
  • Help you understand the laws of specific states if that’s where the majority of your client base is located
  • Help you understand methods of collecting data and storing it securely
  • Notify you of emerging data breaches
  • Direct you to the latest data security resources
  • Help craft meaningful and effective business policies that maintain data privacy. These policies can cover a range of topics, including workplace culture and employee training.

Secure Stored Data

When a business collects data, that information is usually stored in files on a disk or drive, or in a database. Stored data is considered to be “at rest.” Depending on where you store the data, the method of securing it will differ. If your data is stored in-house, such as on a computer in your office, then you want to give access codes and passwords only to the individuals who genuinely need access. Whether to encrypt data at rest depends on whether you routinely use the data. If you don’t, it’s best to keep the information encrypted to prevent unauthorized access.

Secure Data in Transit

Data that is “in transit” is data moving between systems, for example from a web browser to a web server. If a customer enters their credit card information on your website, it’s important to make sure that the card number travels securely from their browser to your server. The easiest and most effective way to secure data in transit is to use an SSL certificate. An SSL (more precisely, TLS) certificate lets your server prove its identity to the browser and establish an encrypted connection, so information is encrypted as it crosses the internet. In doing so, sensitive information does not fall into the wrong hands while it is in transit.

Use a Small Business VPN

A VPN, or virtual private network, creates an encrypted connection between a device and your business network, so traffic is protected no matter which network it crosses. In the era of remote work, coffee shops, hot spots, and other places offering free Wi-Fi can be convenient, but the danger lies in the fact that these connections are typically unsecured and can be an easy place for sensitive information to fall into the wrong hands. By using a small business VPN, the data you transfer can always be encrypted.

Implement Two-Factor Authentication

Two-factor authentication (2FA), or two-step verification, is another layer of security used to prevent data leaks. 2FA requires an individual to present two different forms of authentication in order to prove their identity. The first step is usually a password, while the second step requires verification through a phone number, an email address, or a biometric factor such as a fingerprint or facial recognition.
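The second step described above, a one-time code sent to the user’s phone or email, is easy to get wrong. The following added example (not from the original article) shows the server-side half of such a check: the code is random, stored only as a keyed hash, expires, is single-use, and locks out after a handful of wrong guesses. The server key, user names, and time values are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # length of the code sent by SMS or email
CODE_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is voided


@dataclass
class PendingCode:
    digest: bytes        # HMAC of the code, never the code itself
    expires_at: float
    attempts: int = 0


class SecondFactor:
    """Issues and verifies one-time codes delivered out of band (email or SMS)."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key       # constructed secret; in production load from a secret store
        self._now = now              # injectable clock so expiry can be tested deterministically
        self._pending = {}           # user -> PendingCode

    def _digest(self, user: str, code: str) -> bytes:
        # Bind the hash to the user so a code issued to one account cannot be replayed on another.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        # secrets (not random) gives an unpredictable code; zero-pad so it is always CODE_DIGITS long.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(self._digest(user, code), self._now() + CODE_TTL_SECONDS)
        return code  # the caller delivers this over the out-of-band channel

    def verify(self, user: str, code: str) -> bool:
        pending = self._pending.get(user)
        if pending is None:
            return False
        if self._now() > pending.expires_at:
            del self._pending[user]  # expired codes are discarded, not kept for later guessing
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(pending.digest, self._digest(user, code))  # constant-time compare
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user]  # single use on success; void the code after too many guesses
        return ok
```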

Additional Steps to Secure Data Privacy

New methods of securing data privacy are always emerging. As they do, some non-negotiable security measures include the following:

  • Enable email encryption
  • Stay up to date on the latest anti-malware programs
  • Encrypt data before you send it, especially on unsecured networks
  • Keep up with software and hardware updates for the latest protection
  • Utilize firewalls
  • Provide proper employee training

Final Thoughts on Data Privacy

As technological innovation continues to grow, so does the threat of data security breaches. If you’re a small business owner, a slip-up with data privacy can result in a world of headaches and monetary loss. By doing your part and knowing the basics of data privacy and how to work within data privacy laws, your due diligence will leave you prepared and confident in how you handle collected data. Let us know in the comments section below how your company protects data privacy.
