Data Risk Management and the SMB

Those of us who have worked in startups and small-to-midsized businesses (SMBs) sometimes gloat over our ability to be more agile than our elephantine Fortune 500 competitors. It may take a company like IBM a year to roll out a new software feature. A startup can do it in two days! We “move fast and break things,” as the credo goes.

That’s great, until you realize there’s a reason IBM takes a year to develop a feature. They know they have to support that feature in market for 10 years. They move slowly and don’t break things. Is that better? Maybe, maybe not. However, the sad truth is that the credo is incomplete. It should really say, “Move fast and break things, one of the broken things perhaps being the law itself.”

The tendency to create risk exposure is quite prevalent in the area of data privacy. Here, SMBs are bound by the same regulations as larger companies, but have fewer resources to cope with them. An SMB still has to comply with new data privacy laws like the California Consumer Privacy Act (CCPA).

The CCPA provides consumers in California with new privacy rights. As a result, it sets up new obligations for companies doing business in California. For example, a California consumer now has the right to know what personal identifying information (PII) a business is collecting about him or her, along with how that information is being used and if it is being shared. They are entitled to get a copy of the PII being held by a company. They can also demand that their private data be deleted.

Complying with CCPA is challenging, even for big companies. However, a large enterprise can deploy people and budget resources to deal with consumer data requests and related compliance matters. An SMB will likely struggle to comply, partly due to lack of people and budget, but also because SMBs tend to have fewer enforceable data management policies.

An SMB may be aware that it has PII hidden away in unstructured data, such as PDF files, which may be strewn about among servers, backup volumes, cloud repositories and mobile devices. The SMB may also not realize that it is storing PII from third parties, such as mailing list providers. It’s a messy, risky situation, one that SMBs may not know how to confront—if they’re even cognizant that they have a problem.

A new generation of data privacy solutions is beginning to address these difficulties. Aparavi, for instance, uses automation and machine learning to discover PII wherever it’s hidden in an SMB’s infrastructure. The solution even has optical character recognition (OCR) capabilities that can spot PII on written forms.

“It can be something of a shock when managers start to see how much private data they’ve amassed without knowing,” explained Beth Winters, JD, who serves as Aparavi’s Solution Manager. “Yet, the law may be quite unforgiving of a company that cannot address itself to the legal requirements of the CCPA or comparable regulations. We enable our clients to know what they have, and be able to deliver data privacy on a cost-effective basis.”

Automation is critical to making the process work, explained Gary Lyng, Aparavi’s Chief Marketing Officer. “Data never stops moving or changing,” he said. “From yesterday to today, your people could have copied files to laptops and then, without realizing it, you’ve lost track of someone’s PII. Compliance takes constant, automated discovery and classification of data. That’s what we do.”

Solutions like Aparavi’s are probably going to become indispensable for SMBs. Their business strategies rely on the “move fast” ethos, but the law is the law. Compliance is still mandatory, even if the SMB doesn’t think it has the resources to deal with the issue. And laws like the CCPA are early in their lifecycles. The legal environment appears on track to become a lot more restrictive and unforgiving. SMBs will need a coherent, practical data privacy compliance strategy moving forward.