Safeguarding Trust: Building Privacy Confidence in SMBs

In an exclusive interview with CanadianSME Small Business Magazine, Marilyn Sing, Certified Information Privacy Professional and Founder of IPP Consulting, discusses how small and medium-sized businesses can turn privacy compliance into a competitive advantage. She shares practical insights on aligning privacy with cybersecurity, overcoming common misconceptions, and building programs that protect both people and profits.

Marilyn Sing became a Certified Information Privacy Professional in 2017 through the International Association of Privacy Professionals (IAPP). Before that, she held senior management roles in private companies, non-profits, and regional government, in departments that included marketing, communications, business development, risk management, and operations. She also designed curricula and taught business courses at Langara College, Camosun College, and Royal Roads University.


Privacy laws are often seen as complex or intimidating for smaller businesses. From your experience, why do these laws exist, and how do they actually protect both individuals and businesses?

Privacy legislation was created first and foremost to safeguard personal rights. It gives people real control over their own data, shielding them from misuse, identity theft and unwanted profiling. When people know their information is protected, they’re far more comfortable interacting with companies, sharing data and staying loyal as customers.

At the same time, these laws level the playing field for businesses. By laying out clear rules for how data can be collected, stored and shared, they stop firms abusing personal information just to get ahead. That environment fosters fair competition and encourages innovation built on trust.

Finally, privacy compliance reduces both financial and reputational risk. Ignoring the rules can lead to regulator investigations with orders and fines, as well as expensive breach notifications, credit monitoring and lawsuits. Staying compliant not only avoids those penalties – it protects a brand’s reputation, which is far more valuable than any short‑term cost‑saving measure.


Many SMEs still believe privacy compliance is only for larger organizations. What are the biggest misconceptions you encounter, and how does a structured privacy management program change a company’s risk profile and reputation?

The most common myths I encounter are:

  • ‘Our IT team or vendor already protects our data, so we don’t need anything else.’ Technical safeguards are just one of the three safeguards required by privacy law. IT can protect data within IT systems, but it doesn’t address personal information minimization and limitation throughout its lifecycle within the organization.

  • ‘We don’t collect much personal information.’  In practice, almost every business gathers more personal information than it realizes. Once this is documented, the volume is usually quite surprising.

  • ‘Only large organisations are attractive targets, so compliance isn’t a priority for us.’ Breach risk is universal. Small firms rely heavily on third‑party services and human error remains the leading cause of incidents, regardless of size.

A structured privacy management program implements a set of seven controls (personal information inventory, policies, risk assessment, training, breach response, service provider management and external communications). Once implemented, the controls are continuously monitored, and an annual formal review ensures the program is kept up to date and effective.

SMEs that dismiss privacy compliance expose themselves to legal, financial, and brand risks that far exceed the modest investment required to build a privacy program.


You emphasize the connection between privacy and cybersecurity. How can small and medium-sized businesses align these two areas effectively to build a resilient data protection strategy?

Both disciplines share the same goal: to protect data. Cybersecurity blocks unauthorized access, while privacy makes sure any data we do have is used responsibly, respecting consent, purpose limitation and data minimization. When the two teams collaborate, controls are built to meet security standards and privacy requirements.

Security threat risk assessments can miss things that privacy impact assessments catch – like the misuse of data that was legitimately accessed – so risk can be mitigated more effectively. This is an example of how a joint approach reduces risk.

Regulatory alignment is another driver. Many privacy laws now mandate ‘appropriate security safeguards.’ When cybersecurity and privacy share ownership, we ensure those controls are technically sound and demonstrably compliant, which streamlines audits and cuts legal exposure.

During an incident, the synergy is more apparent. Cybersecurity specialists pinpoint the intrusion, while privacy professionals handle notification, remediation and regulatory reporting. Coordinated action speeds resolution, limits damage and preserves public trust.

Finally, embedding privacy‑by‑design into security, and vice versa, creates a culture of accountability. Everyone in the organization sees data protection as both a technical necessity and an ethical responsibility.


Your practical courses through PrivacyOffice.ca have made privacy program development accessible to SMEs. What inspired this approach, and what kind of impact have you seen among participants?

When I collected feedback from my privacy compliance workshops, the same obstacles kept surfacing: SMEs said they lacked the budget for a consultant and didn’t have time to parse dense legal jargon; they feared that a DIY program would waste effort if it didn’t meet regulatory standards; and, with privacy management programs not mandatory and fines not imminent, they could postpone compliance. As an SME myself, I understood these concerns and realized the only way to lower the barriers was to break the compliance journey into bite‑size, self‑paced modules that are affordable and implementable on the job.

The development modules are built around the seven core program controls. Learners can purchase a single module, spread the cost over time, and receive editable Word/Excel templates that map directly to the regulator‑approved framework Getting Accountability Right with a Privacy Management Program. After completing a module, participants can immediately roll out that control. The final course focuses on continuous monitoring and an annual formal review of the whole program.

Students consistently praise the user‑friendly format, short quizzes that reinforce key concepts, practical tips, curated resource links, and hands‑on assignments that produce the actual documents they need. The experience delivers a tangible sense of accomplishment and peace of mind, knowing they now have a solid, compliant foundation.


For small business owners still hesitant to invest in privacy management, what final message or piece of advice would you share to help them view privacy not just as compliance, but as a foundation for business success and customer trust?

A solid privacy management program brings operational consistency. By implementing policies and attaching privacy to roles and procedures, every department handles personal information cautiously and with protection intention, eliminating ad‑hoc decisions that could create risk.

It also fuels trust‑driven revenue. Customers, partners and investors now expect proof of responsible data stewardship. A mature privacy program becomes a market differentiator that helps win contracts and unlock new revenue streams.

Beyond that, the program offers scalable compliance. As regulations change and the business expands into new regions or product lines, the framework allows for adapting quickly without reinventing the wheel each time.

Finally, it prepares us for incidents. Documented breach‑detection, response and notification processes turn a potential crisis into a manageable event, preserving continuity and stakeholder confidence.


Disclaimer: The views and opinions expressed in this interview are those of the interviewee and do not necessarily reflect the official policy or position of CanadianSME Small Business Magazine. Our platform is dedicated to fostering dialogue and sharing insights that inspire and empower small and medium-sized businesses across Canada.

CanadianSME
With an aim to contribute to the development of Canada’s Small and Medium Enterprises (SME’s), Cmarketing Inc is a potential marketing agency and a boutique business management company progressing rapidly in its scope. By acknowledging a firm reliance of the Canadian economy over its SMEs, the agency has resolved to launch a magazine, the pure focus of which will be the furtherance of Canadian SMEs, and to assist their progress with the scheduled token of enlightenment via the magazine’s pertinent content.