Small-Medium Sized Business Data Myths – Part One

We were fortunate to present at the B2SMBi Conference last week, which gathers small and medium-sized businesses (“SMB”) and the service providers that allow them to grow and function at scale.  It was a great event, with everyone from micro-startups to Google in attendance, and it provided great insights into the concerns SMBs and their partners have about strategy, growth, and data.

Our discussions, unsurprisingly, centered on how data strategy and data privacy integrate into the SMB model, and how to find an efficient and effective approach to managing information.  In particular, we focused on the two biggest myths common among SMBs and their partners.  We’ll discuss both myths in turn, but today’s is one that is far more commonly heard among those who work with SMBs — often those providing SaaS services, platform solutions, or direct sales.

Myth One: “I Only Do B2B, I Don’t Have Any Personal Data.”

So, let’s be honest: you’ve either heard this or said this at some point.  Given GDPR’s focus on “personal data,” the view is fairly common that, as long as all you’re doing is working in the B2B space, or if your data flows are exclusively from other companies and not from consumers, you’re safe and complicated data regimes like GDPR don’t apply.  The only appropriate response to that theory is this:

I always imagined GDPR having spiky hair.

The reality is that, even in the B2SMB realm, there is an enormous amount of personal data.  To take just one example, think about SaaS providers.  They create the ecosystem in which the SMB houses all of the data it owns about its customers and clients, including account information, payment processing, and any profiling or tracking data the SMB has.  That means the SaaS provider is a processor of all of that personal data.  They also hold reams of information about their SMB partner: email addresses, phone numbers, financial information (especially for small companies, where the owners use their own credit cards), photos, business cards, etc.  So one SaaS provider can be processing 1) indirectly obtained personal data of their SMB partner’s clients and 2) directly obtained personal data about the SMB partner itself.

“No personal data,” eh?

The problem is partly a definitional one.  American businesses in particular are used to thinking of “personal data” as synonymous with “PII,” the well-established list of data fields like “name, address, credit card number, SSN” that state laws and privacy policies have discussed for decades.  The mistake in that thinking is that regulators have begun to recognize the distinction between a definition based on legislation and a definition based on reality.  While the old concept of personal data may be limited to PII (and, in that sense, kept B2B data from being at issue), newer laws like GDPR base their definition of personal data on the real-life issue of whether a data point can identify a natural person, regardless of context and irrespective of source.

There’s also a philosophical issue here, one that has a larger impact in the SMB context.  By thinking of SMBs solely as business partners, it is easy to ignore the fact that they represent a trove of information that is, itself, valuable.  In fact, Josh Melick, CEO of Broadly, explained at B2SMBi that small businesses actually behave a lot more like consumers than other businesses in the way that they search out and use goods and services, an insight which has helped propel Broadly’s growth as a one-stop shop for marketing, SEO, and review generation.  And, in a way, if you’re in the B2B space, an SMB may actually be your primary consumer, so we’re often talking about a distinction without a difference.

How to Dispel the Myth

This “privacy for thee but not for me” way of thinking is dangerous, not least because it is flatly wrong.

[Image: Gandalf “I release you” gif]
Oh Gandalf.  If only.

There are a few steps to help dispel its misconceptions, and they all comfortably fit in with the DataSmart Method.  Changing your approach to incorporate these ideas will take time to process and implement, of course, but it’s a far better strategy than simply holding to a view of your business partners that’s a) counterproductive and b) potentially a source of liability.  And given the potential to unlock the value of the data your business partners create (what we call “extrinsic data”), you may find that better compliance leads to a better profit margin as well.

So, some tips:

  • Understand your data. We keep harping on this idea that you need to identify all of your datasets because it really matters, including in this context.  If you discover that, although you only do B2B, you have data profiles on ten thousand B2B clients, you’re a large-scale personal data controller.
  • Understand the law. Get a good lawyer and listen to them.  If you don’t understand what your obligations are, you’re going to sleepwalk into liability.  Don’t.
  • Talk with your SMB (or B2B) partners. One of the best ways to understand the type of information you’re bringing in is to talk with your SMB partners to find out what data they share with you, and why.  Sometimes it is easier to recognize the information that’s going outside of your business than it is to see what’s coming in, particularly when the data inflows are simply refreshing a database or are otherwise not directly observable.
  • Treat SMB data like consumer data.  It may sound counterintuitive, but if you have a single-stream method for handling all data inflows, you’re far less likely to make a serious mistake in categorizing, storing, or using business partner data.  Do business partners need the same kind of disclosures, or have the same ability to object to processing, as a consumer might?  Sometimes yes and sometimes no, but the time spent channeling data flows into separate streams, in many cases, outweighs the putative benefit of treating business and consumer data differently.  Ask yourself this: have you ever actually saved any time or money by hunting down B2B data, segregating it, and treating it with a lower level of security than “personal” data?
