6 Steps to Small Business Privacy Compliance

I’m Jean L. Eaton, your Practical Privacy Coach and Practice Management Mentor. I help healthcare providers and clinic managers implement privacy best practices, like pulling together the right forms and paperwork to use with their employees and patients and implementing privacy best practices.

Whether it’s improving privacy workflow, understanding the impact of breaches, working with privacy legislation, privacy impact assessments, or mentoring privacy practices among staff, I make privacy in healthcare simple and straightforward.

I have found that when small businesses use these 6 steps to small business privacy compliance:

  • your privacy management program operates smoothly every month
  • you avoid nasty privacy and security incidents
  • your business operates more efficiently

When you focus on proper privacy and security practices, compliance falls into place.

Here are my 6 steps to help you right away.

Step 1. Name a privacy officer

In a healthcare practice, it might be the lead physician. In a dental practice, it might be the dentist owner.

In a not-for-profit, it might be the executive director.

Or, you can delegate the role of the privacy officer to your administrative or technical lead.

But somebody must take responsibility for the privacy management program.

And everyone else needs to know who the privacy officer is.

Naming a privacy officer is a requirement of privacy legislation in every industry and, quite frankly, is simply good business practice.

Step 2. Know What You Have

What information do you collect in your business?

  • maybe employee, client or patient information
  • financial, payment, health information

Remember to include all types of information, wherever it resides:

  • paper, electronic devices, local software, software as a service in the cloud, or an application

What is included in the information that you collect?

  • first name only or first and last name?
  • why do you need that information? How will you use it? Be very specific and make sure that you have the legal authority to collect it.

Remember: If you don’t need it today, don’t collect it!

And lastly, where is it stored? And backed up?

Knowing what information that your business collects, and where it is kept will make it easier to monitor and manage these assets and to recover or restore them in the event of a disaster.

Step 3. Keep It Safe

Information is a critical asset to your business.

So make sure that you have good controls and safeguards to keep it safe.

You will hear many tips from the speakers at today’s conference to improve the administrative, technical, and physical safeguards of the information in your business.

This will support the privacy compliance goals in your business.


Step 4. Train Your Team

I’m often asked how frequently you need to provide privacy training.

Privacy compliance best practices recommend formal privacy training annually.

But privacy doesn’t happen just once a year.

Plan short, informal activities every month to discuss common privacy scenarios in your business with your team. This is one of the jobs of the privacy officer.

Use near misses or privacy incidents as opportunities to review and improve on your procedures, workflow, and technology.

Remember, too, that people with special jobs, like your Privacy Officer, should have access to training to help them stay current with privacy compliance.

Step 5. Be Prepared for a Privacy Or Security Breach

A recent survey from IBM indicates that a privacy and security breach may cost you $160 per record of personal information.

So, if your business has 1000 client files and they are breached, it may cost you $160,000 to manage and respond to that breach.

Instead, invest in preparing for a privacy and security breach so that you can avoid a costly incident.

Plan in advance how you will respond to a privacy incident!

Regular fire drills will help your incident response team spot and stop a privacy breach before it becomes a business crisis.

Step 6. Document and complete your PIA

You make good decisions for your business every day.

Make sure that you document your risk assessment, those good questions that you ask, the answers that you received, and the safeguards that you implement to prevent a risk.

Record your plans.

Write your policies and procedures. Use screen captures to make it easy.

Train your team members.

When needed, prepare your privacy impact assessment.

Review your privacy management plan annually and update the documents when there are changes.

I believe that when you focus on proper privacy and security practices, compliance falls into place. Compliance is there to prove your privacy and security program. It’s not just a bunch of paperwork.

Today, I shared with you 6 steps to small business privacy compliance.

  1. Name a privacy officer
  2. Know what you have
  3. Keep it safe
  4. Train your team
  5. Be prepared for a privacy or security breach
  6. Document and complete your PIA


To help you remember these 6 steps, I have prepared a one-page summary for you to download and use in your business.

If you have any questions please reach out to me by email or LinkedIn.
