What small and medium businesses need to know about digital policies

Lately, I’ve been feeling a lot like Dorothy from The Wizard of Oz. I’ve spent most of my career helping enterprise-level organizations develop digital policies designed to help them take advantage of all of the benefits of operating in the digital world while minimizing the risks. With a few exceptions, most of them had a pretty good idea of what they wanted us to do together.

However, over the last few months, I’ve been talking to a lot of small- and medium-sized businesses, and it’s become clear that I’m not in Kansas anymore. When I introduce the topic of digital policies, it’s apparent that many of them (through no fault of their own!) don’t know what the heck I’m talking about!

And why would you? Many of you are working your tails off just to keep the doors open and make enough profit to support your families. In fact, in Salesforce’s second annual “Small and Medium Business Trends Report,” 66% of SMB leaders said that they’re personally responsible for at least three of the following functions: Customer Service, Finance, HR, IT, Marketing, Operations, or Product Development.

Wake up, Kristina…SMBs don’t have time to spend hours scouring the internet searching for information on something they don’t even know exists!

SMBs may not have the resources or experience that enterprise-level organizations have, but that doesn’t mean you’re not important. In fact, small businesses account for 99.9% of all businesses in the U.S., which makes you a pretty big deal.

So let’s move on and let me lay out some of the basics of digital policy — the bare bones of the information you didn’t know you should be searching for.

What the heck are you talking about?

I’m saying that, while it’s almost impossible to be in business today if you don’t have an online presence, having that online presence comes with some risks. And those risks come in several different forms:

Data privacy

If you’ve been in business for a while, you may have started building your email list and your CRM based on the philosophy of “the more data, the better.” Even if you didn’t know what you would ever use it for, you collected it because, well…Big Data. You might need it someday, right?

The EU’s General Data Protection Regulation (GDPR), which went into effect in 2018, was the first crack in that plan. Since then, countries around the world have passed privacy legislation to protect their citizens’ personal data. While the U.S. has no federal law, a number of states have taken action (like California’s CCPA). And the kicker is that you don’t have to be physically located in a particular jurisdiction; you’re bound by the law if you have data on a citizen of that particular country or state.

While there are some differences in the various laws, they all require you to get separate consent for each use of a consumer’s data. So if a customer enters their email address to download some content, for example, you can’t take that information and add it to your mailing list unless the customer gives you explicit consent to do so.

Accessibility

In 2018, a whopping 2,258 businesses were sued for violating the Americans with Disabilities Act. The ADA has been around for a long time, but these businesses weren’t sued over lack of physical accommodations; these lawsuits were about lack of digital accessibility…something the businesses had no idea they should be worried about.

In no way do I want to downplay the importance of website accessibility. In a time when so many activities of daily life are conducted online, things like websites that aren’t compatible with screen readers, or videos that don’t have captions, present huge obstacles for many individuals. Businesses need to become accessible for that reason alone — it’s the right thing to do. (Besides, Americans with disabilities have a collective $175 billion in discretionary spending.)

With that being said, however, many of the lawsuits filed over the past few years were more about making a quick buck by filing lawsuit after lawsuit over accessibility issues. If you’re a small business, lack of accessibility makes you a very attractive target.

Data security

Cybercrime is a worldwide threat, and smaller businesses need to take note: 43% of all cyber attacks are directed at small businesses. Cybercriminals likely assume small businesses will be less secure than large organizations — and they’re right. Only 14% of SMBs are adequately protected, and 66% of senior leaders mistakenly think they’re unlikely to be targeted.

That’s a mistake that can have huge consequences. The average successful breach costs the victim organization $200,000. And then there are the regulations about notifying authorities, as well as any customers whose data may be at risk. It’s little wonder that 60% of these businesses wind up shutting their doors within six months.

Brand integrity

Everything you do online affects your brand integrity. And with the virality of online communication, even the smallest “oops” could have a disproportionate result:

  • A snarky retort on social media by an exhausted employee could spark a raging “Twitterstorm.”
  • Failing to copyright your site content puts you at risk for having all of that work — and the knowledge behind it — scooped from your site and posted on a competitor’s site.
  • Inconsistent branding — colors, typography, etc. — could make it harder for your social media community to recognize your posts when they see them.

There’s a lot more to digital policies, but those are the bare-bones things that SMBs must do to protect themselves. I’d recommend that you review some of the resources published by the World Wide Web Consortium (W3C), an organization dedicated to “leading the web to its full potential.”

You realize small businesses have no budget for this, right?

Believe me, over the past few months, I’ve come to understand very clearly that small businesses don’t have the resources of enterprise-level organizations. My work with them often takes months and can be quite costly.

However, there are many things you can do that aren’t all that expensive, and I can help in ways that won’t break the bank. The first few steps require nothing more than a heart-to-heart conversation with your organization’s leadership team.

What is your risk tolerance?

Assessing your risk tolerance is an important first step. A lot of entrepreneurs live on the edge, quite comfortable being in a state of noncompliance and hoping they don’t get caught. Other leaders are a lot more cautious and more inclined to take preventative steps to protect their businesses.

Where do you fall on that spectrum? The answer to that question will determine what you do from this point on.

What is your current status, especially when it comes to regulatory issues?

Does your website have an accessibility statement (and is it actually accessible)? Does your website have a privacy statement — a statement that’s backed by an actual privacy policy?

This is the point where it might be smart to bring in a digital policy consultant. I can help you identify your biggest, most dangerous gaps and help you prioritize what comes next.

What comes next?

Once you’ve identified the gaps you want to close first, the next step is figuring out what you need to do to get there.

Copyright

Put a copyright statement in the footer of your website. It might not stop people from copying your content, but it does put you in a better position to ask for a “cease and desist” order.

Accessibility

  • Change all of your image alt-text to something descriptive. “Best practices” used to tell you to use that field as an opportunity for keyword-stuffing, but that’s over. Accessibility requires that you use descriptive text so that a visitor using a screen reader will know what the image is.
  • If you have videos, either use captioning or offer a transcript.
  • Make sure that the design itself doesn’t create accessibility problems: busy backgrounds, text that is too small or too light, etc.
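As an added example (not part of the original post), here is a small Python script that runs the first two checks from the list above over a page’s HTML: images with missing or empty alt text or with alt text that reads like a keyword list, and videos with no captions track. It uses only the standard library; the sample page is constructed for illustration, and the keyword-stuffing heuristic is my own assumption.

```python
from html.parser import HTMLParser
# Constructed sample: good alt, missing alt, keyword-stuffed alt, captioned and uncaptioned video.
SAMPLE_HTML = """<img src="team.jpg" alt="Our five-person team standing outside the shop">
<img src="logo.png">
<img src="shoes.jpg" alt="shoes, cheap shoes, buy shoes, best shoes online">
<video src="intro.mp4"><track kind="captions" src="intro.vtt"></video>
<video src="promo.mp4"></video>"""

def looks_keyword_stuffed(alt):
    # Heuristic (my assumption): 3+ comma-separated phrases repeating one word.
    parts = [p.strip().lower() for p in alt.split(",") if p.strip()]
    if len(parts) < 3:
        return False
    words = [w for p in parts for w in p.split()]
    return max(words.count(w) for w in set(words)) >= 3

class AccessibilityAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        # src of the <video> currently open (if any) and whether it has captions
        self._video, self._captioned = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            alt = a.get("alt")
            if alt is None or not alt.strip():  # empty alt is only right for decorative images
                self.findings.append(f"img {a.get('src', '?')}: missing or empty alt text")
            elif looks_keyword_stuffed(alt):
                self.findings.append(f"img {a.get('src', '?')}: alt text looks keyword-stuffed")
        elif tag == "video":
            self._video, self._captioned = a.get("src", "?"), False
        elif tag == "track" and self._video is not None:
            if a.get("kind", "").lower() in ("captions", "subtitles"):
                self._captioned = True

    def handle_endtag(self, tag):
        if tag == "video" and self._video is not None:
            if not self._captioned:
                self.findings.append(f"video {self._video}: no captions track")
            self._video = None

def audit(html):
    auditor = AccessibilityAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
print("\n".join(audit(SAMPLE_HTML)))
```

An empty alt attribute is correct only for purely decorative images, so the script reports it for review rather than treating it as a pass.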

Brand integrity

Make some rules about who can post on behalf of your company and what they can say (and can’t say).

Data privacy

Figure out which privacy laws apply to you and decide whether you want to become compliant or live with the risk. It’s a tougher decision than you may think. You may have contact information on thousands of consumers in your database. If you collected that information in a way that’s not compliant with current privacy requirements (getting separate consent for each use of a consumer’s data), you either have to contact each of them to ask for consent in a way that complies with current laws…or you have to dump your database and start over.

Data security

This is a big one, because it’s not just about you. Sure, it could cost so much that you’re forced to close the doors. But it also exposes all of your customers’ private information.

Most small businesses need help with this one. Some of it is purely an IT matter. Remember the huge Target breach? You probably remember that it happened, but you may not know the details: Someone stole the credentials of an employee of one of Target’s HVAC contractors. That was bad enough. But the real problem is that the thief was able to use those credentials to access Target’s payment information. That never should have happened. Target should have had its customers’ payment information cordoned off from all other systems. Do you?

And then there are the little things that most of us don’t think of:

  • Is there personal customer data in emails employees send to one another? If so, are they captured and stored?
  • Do employees jot customers’ payment information down on paper to enter later?
  • Do you grant tiered access, so that each employee has access to only the information they need to do their jobs?
  • What about physical access to your servers? Is that protected?
  • Do you have breach monitoring in place? If so, how long does it take for someone to detect a breach? And how long does it take for them to shut it down?
  • Do employees know what the reporting requirements are for your industry?

This is one area where you may have to spend some money. But it’s also the area that’s most likely to completely put you out of business, so I’d argue that it’s worth it.

You can do this.

Yes, big corporations spend many thousands of dollars on digital policies. But they also have many thousands of dollars at risk.

Your budget is smaller. But your business is also less complex. You don’t have a team of lawyers debating every single decision. And you probably don’t have functional area leaders engaging in turf wars over who gets to make what decision.

That makes developing digital policies a lot easier — for you and for me. Because I don’t have to deal with all of the red tape that’s part and parcel of global organizations, I can help you with a pricing model that works for both of us. And if you don’t work with me, work with another digital consultant. The world is at your feet right now, but you can only take advantage of that opportunity if you take proactive steps to protect yourself from online risks.

Originally published at LinkedIn.