Jan 10, 2019

Small business data security: 50 percent of SMBs still don't know what GDPR is

We surveyed 190 small businesses to see how they're handling data security. The overall picture is positive, but there's room to grow if small businesses want to become leaders in data security.

Suzie Blaszkiewicz, Content Analyst

Note: This article is intended to inform our readers about the current data privacy and security challenges experienced by companies in the global marketplace. It is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.

Data hacks and cyberattacks were big news in 2018. Facebook, Best Buy, Delta, Kmart and Under Armour are just a few examples of companies that left millions of users and their data exposed to cybercriminals over the past year.

These corporate giants survived, but the recovery process was long and costly. Small businesses, which account for 58 percent of targeted cyber attacks, aren’t always as lucky. Smaller IT teams and less PR power mean that a single data breach spells the end for 60 percent of SMBs.

Given this sobering statistic, we wanted to see how seriously small businesses are taking their data security. We ran a survey with 190 small business respondents to find out.

The results were surprising, not because small businesses are flouting data privacy, but because they are doing precisely the opposite. In an era of data-hungry hackers, small businesses are hunkering down to keep their data (and, by extension, their customers' data) safe.

What we'll cover:


  • The results of the survey

  • 3 ways small businesses can up their security game

  • Tips on how a CRM can help securely manage customer data


The results

The majority of SMBs are making the effort to protect their customer data. They’re hiring the right people, considering security in their software buying decisions, and not only creating and implementing data security policies but revisiting them on a regular basis.

According to our research:

  • Sixty-one percent of small businesses have an individual or team within their organization dedicated to security, privacy, or compliance.

  • Thirty-four percent of small businesses revisit their data collection policies annually, while 26 percent revisit their policies as often as twice a year.

  • Data storage and security is one of the most important considerations for small businesses when choosing software, second only to user reviews.

That’s the good news. But it’s not all padlocks and password protection paradise for small businesses.

Despite their efforts, 47 percent of small businesses say they don’t have enough time or resources to improve on their data security practices.

This lack of time and resources means there's still some room for improvement:

  • Only 16 percent of small businesses have a data classification policy that provides different levels of access to data based on its sensitivity.

  • Only 28 percent of small businesses have an acceptable use policy that governs how their network, data, and applications can (and can't) be used.

  • Fifty percent of SMBs are unfamiliar with GDPR and the EU-U.S. Privacy Shield, which govern the use and transfer of customer data for customers based in Europe.

Notably, 73 percent of small businesses see themselves as average when it comes to their level of data privacy compliance.

If small businesses want to get ahead of their peers and become leaders in data privacy compliance, they need to implement a data classification policy, enforce an acceptable use policy, and become familiar with regulations including the GDPR and EU-U.S. Privacy Shield.


3 ways small businesses can up their security game

1. Implement a data classification policy

You don’t want your sales intern to have access to the same sensitive data as your sales executives. To make sure that sensitive data is not flying freely around your organization, you need to bucket data using a data classification policy.

Consider a data classification policy like your company’s own Encyclopedia Britannica of data. It defines the different types of classification that data can fall under on a scale of sensitivity.

According to Gartner (research available to clients), a data classification policy "outlines the companywide responsibilities for identifying sensitive data through classification. Many organizations include a basic framework in this top-level policy and define classification levels that must be used."

Example data classification structure

To effectively classify data, research from CEB, now Gartner (available to clients) suggests considering the following five factors:

  1. Criticality: How critical is the data for the operation of the business?

  2. Sensitivity: How would the unauthorized publication of this data affect the business?

  3. Availability: How timely and reliable is access to and use of this data?

  4. Integrity: Has this data been handled and stored properly?

  5. Retainability: Is it within your rights to keep this data, and for how long?

Once you decide on this classification, the next step is to outline how this data should be handled. This includes who has access to it, when, and for what purposes.

2. Enforce an acceptable use policy

People make mistakes, a lot of them. According to data from IT Governance, 4 out of 5 data breaches happen because of human error. Outlining how employees can use a company’s data and devices can help quell that threat.

An acceptable use policy, sometimes abbreviated as an AUP, covers employee use of both hardware and software. Instead of strictly outlining how to use what, Gartner recommends making the policy behavior-focused (research available to clients).

This means providing guidance about what is considered fair use or abuse, as opposed to enforcing hard and fast rules. Employees are then responsible for making the call based on guiding principles and sound judgment.

A behavior-based AUP might say something like, “Avoid the excessive use of third-party streaming sites,” instead of, “We prohibit the use of YouTube.”

An AUP should include legal, security, ethical, and productivity considerations. A framework for creating an AUP might look something like this:

The policy itself should include guidance that helps employees answer these kinds of questions.

It should also be accessible enough so that every employee in the company, not just the IT department, can easily wrap their head around it.

3. Familiarize yourself with regulations

The GDPR is a regulation governing how the data of European customers must be handled. The EU-U.S. Privacy Shield is a framework for regulating how the data of European customers is transferred to U.S. entities for commercial purposes.

Both are enforced to help protect a customer’s personal data.

These regulations apply to any company with customers based in the European Union, regardless of whether or not the company is physically located there.

Note: For implementation changes regarding policies and regulations, we recommend working with the individual or team within your organization dedicated to data privacy, and consulting outside counsel where appropriate.


The GDPR, or General Data Protection Regulation, made big headlines in 2018 as a more rigid replacement for the 1995 Data Protection Directive. The new regulation aims to provide stricter guidelines about how to handle customer data for customers based in the EU.

There are eight customer rights, which include the right to:

  1. Be informed about the personal data that a company holds about them

  2. Access their own data

  3. Rectification of personal data that's incorrect

  4. Erasure of personal data from your database

  5. Restrict processing of data

  6. Object to the processing or use of data

  7. Data portability to reuse personal data

  8. Reject automated processing

These rights are meant to protect customer data while also making companies more accountable for why they collect data and how they use it. You can find more detailed information about what each of these rights entails here.

Knowing about GDPR is a lot easier than implementing the data collection and handling practices that signal compliance. Many companies actually opted to stop providing their services to EU-based customers instead of taking the necessary steps to adjust their data handling practices.

This, however, is only a temporary solution. A European market of 500 million customers can’t be ignored forever.

If you have only a few European customers or have plans to expand to the European Union, it’ll be easier to make the necessary changes to handling European customer data while the data pool is still relatively empty.

EU-U.S. Privacy Shield

The differences between how customer data is handled in the U.S. and the EU mean that a framework needs to be in place to make sure that the data doesn’t lose its protection once it’s transferred.

Specifically, EU data has stricter protections (see GDPR above) and should not lose these if and when it gets transferred to the U.S.

Notably, the EU-U.S. Privacy Shield protects only EU data going into the United States, not U.S. data being transferred into the European Union.

As a replacement for the International Safe Harbor Privacy Principles (ruled invalid in 2015), this certification allows companies to transfer European customer data to the U.S. for commercial purposes based on a defined “adequate” level of protection.

A list of information that a company needs to provide in order to self-certify with the EU-U.S. Privacy Shield can be found here. (You can also hire a third party to help with certification.)

While not mandatory, the EU-U.S. Privacy Shield signals that a company is taking the necessary steps to offer data protection to its European customers. It also aligns with the customer rights mentioned in GDPR for handling customer data.

Even if you don’t have customers in the EU (yet), these regulations are important to familiarize yourself with, if only as a best practice for handling customer data.


Manage your customer data with a CRM

Becoming a leader in data privacy means being proactive about protecting your customer data. A single slip-up can cost a company up to $148 per record lost, or even worse, shut it down for good.

Aside from a dedicated security individual or team leading protection and compliance efforts, the software that you use can play a huge role in how you keep data safe and stay compliant.

A CRM, which often acts as a hub of customer data, should be at the top of the priority list when it comes to organizing, maintaining, and securing customer data.

Here are a few ways that your CRM can help keep you on the right track toward customer data protection:

  • Create an organized data structure: Your customer data will be the most sensitive in your data classification policy. By starting with the right data structure in your CRM, you'll make it easier on yourself (and your employees) to figure out which data is more sensitive than others. Find out how to organize your data structure here.

  • Keep your data clean: It's difficult to protect data if you don't know what you have. Doing a data cleanup and maintaining its integrity will ensure that you're taking the necessary precautions with the data that you have. Learn more about data scrubbing here.

  • Find a CRM that can help ensure GDPR compliance: A CRM won't make you GDPR compliant, but it can help ensure that you're storing data in the correct way. You can read more about the CRM features that'll ensure GDPR compliance here.
