THREE MAJOR PRIVACY COMPLIANCE FALSE BELIEFS OF SMALL BUSINESS OWNERS THAT WILL CAUSE BUSINESS FAILURE

By: Dr. Ross Federgreen, CIPM, CIPP/US, CIPP/G, CIPP/E, CIPP/C, Fellow, European Privacy Association, Fellow of Information Privacy
CEO, CSR Privacy Solutions, Inc.


And What to DO!

Most privacy and security experts believe that every business has suffered at least one data incident in the last year. Whether by accident or intention there is simply no escape from these events.

Today, personal information (PI) data is gold to every organization. It equally puts each of these organizations at high risk of violating Privacy regulations, and therefore at risk of not surviving. So, what to do?

CSR has been privileged in the past several months to present at major conferences in the United States, Australia and Ireland. We continue to gather significant information about the need for companies to specifically and effectively comply with the various and growing regulations in the Privacy space.

In addition to the valuable information that we have gained at these global meetings, our expanding global base of business clients and channel partners has given us unique insight into the actual operations of tens of thousands of companies of all sizes, globally.

One of the major findings of our work has recently been confirmed by the conclusions of the Ponemon Institute Study sponsored by IBM. They state, “The financial consequence of a data breach can be particularly acute for the small and midsize business”. Many of the consequences of a data breach can be crippling and have a trail of financial exposure for upwards of three years.

CSR has identified three major trends in our work with the largest base of small and medium size enterprise (SME) clients globally. SME is defined as the 98% of companies with fewer than 500 employees, the vast majority of which have fewer than 50 employees.

First and foremost, the vast majority of SMEs have no validated plan in place. Most feel, incorrectly, that they would not be the target of a privacy event because they are too small. This is false. Despite the headlines, most events affect this population of companies.

Second, once an event has occurred, the vast majority have no understanding of what to do, whom to report an event to, or whether an event requires reporting at all. Many of these events go unreported, or, when they are reported, are reported outside of the regulatory requirements. Many SMEs believe that the cost of compliance outweighs the consequence of noncompliance. This is false.

Third, most believe that the newer requirements of regulations such as the General Data Protection Regulation, the California Consumer Privacy Act and many others do not affect them because they are too small. This is false.

New regulations, which every company regardless of size must be concerned with, include data subject access (people), request handling, controller/processor conflicts (vendors) and data flow mapping. Solutions to these issues, where they do exist, are not directed at the SME population. They are expensive, complicated and simply inappropriate for the 98% of businesses that are not global enterprises.

CSR has created a series of services designed specifically for the SME population, which have proven to work effectively in answering the needs of Privacy regulation in a cost-sensitive environment. CSR products are now utilized in North America, Europe and Australia by over 100,000 SME businesses through more than 100 channel partners.

Our products include the Breach Reporting Service, Readiness and the new V3. Together they form a comprehensive family of services that allow the end user SME to respond accurately, appropriately and in a timely manner to the many complex privacy rules and regulations.

Readiness Privacy Self Assessment provides an interactive, SaaS-based analysis of where the SME currently stands, and gives the user a prioritized remediation schedule to move towards compliance with regulations.

The Breach Reporting Service provides the end user with an analysis of an incident and the means to determine whether the incident should be reported, to whom, and how.

V3 responds to the most demanding requirements of the new regulations, such as DARS (Data Subject Access Request), Data Flow Mapping and Controller Processor issues and conflicts.

With a global, proven suite of products designed to directly benefit the SME population in a cost-sensitive environment, it absolutely makes sense for every business to prepare for the inevitable with CSR!