Data regulations: from compliance headache to growth opportunity

March 14, 2023
The EU have been driven by a rights-based covenant of regulations while the historical course in the U.S. has been a harms-prevention-based approach.

As regulation around the world increasingly pushes small businesses towards digitalization and better data management, business owners may find the transition overwhelming. At the same time, the evolving regulatory landscape is not all doom and gloom for small businesses. Approaching compliance in the right way can deliver major benefits to businesses of all sizes.

One of the big areas of regulation driving this transition is tax compliance. Programs like the UK’s Making Tax Digital and Single Touch Payroll in Australia - among other emerging efforts from the Pilot IRS program in the U.S. - are increasingly compelling small businesses to transition from old analog processes to digital ones.

This is easier said than done, particularly when digital is not the business’s bread and butter. While initiatives such as Single Touch Payroll are intended to save businesses time and reduce inaccurate reporting, governments don’t always spell out these benefits or how to attain them.

Conversely, some of the changes actually make short-term actions harder. For instance, suppliers to the public sector agencies in Australia are required to spend significant time shifting to e-invoicing systems, for no apparent added benefit to the business.

What Drives Regulations?

Data privacy and protection regulation is another significant driver of digital maturity, particularly in jurisdictions like the EU, where small businesses are covered by GDPR. For example, the ability to manage customer marketing consents, and to respond in the event of a data breach, requires strong data management and an excellent grasp of what data the business holds. 

The EU have been driven by a rights-based covenant of regulations to protect personal data information, by contrast, the historical course in the U.S. has been a harms-prevention-based approach. 

However, that is about to change in 2023. As reported by Reuters, “Following California's lead, four other states — Colorado, Connecticut, Utah, and Virginia — will begin enforcing new GDPR-inspired statutes in 2023. More states are sure to follow. The implications of this fundamental shift in the underlying philosophical framework regarding data privacy protection will be profound in the years and decades to come. 2023 will mark the shift.”

Taking a step back, these not-so-gentle nudges by government lift the overall digital and data maturity of the small business sector. But whether that economy-wide maturity uplift translates into tangible benefits for a given business depends on how well the business manages the transition.

The Value Proposition for Small Businesses

The good news is, small businesses can turn digitalization into a growth opportunity, whether it is undertaken voluntarily or driven by compliance obligations. Research from 2021 found digitally-enabled small businesses were significantly more resilient throughout the height of the COVID-19 pandemic, and outperformed their peers in most performance metrics.

Digitalization can enable a business to extract valuable data insights that are simply not attainable using old school approaches. For instance, real-time accounts payable and receivable data can help a business learn a lot about its likely cash flow, by identifying patterns in how and when customers pay invoices, and who the best paying customers are. Sending out invoices generated in Word or Excel makes it harder to get at these valuable insights. Given that more than 9 in 10 small businesses experience at least one month of negative cash flow each year, having easy access to this data can be critical.

Even something seemingly mundane - such as complying with a requirement to code certain financial data for tax reasons - can unlock new market intelligence. For example, coding to distinguish between different services and products enables a business to better tailor their offering to different customer segments and optimize their marketing. 

Similarly, the very capabilities that enable a business to comply with data privacy regulations, can also assist to understand its customer cohorts, have confidence that its marketing campaigns are respecting customer preferences, and reduce the costs associated with poor data management (including retaining redundant or out of date data). 

The consistent theme here is for small businesses to think creatively about what insights they could draw from the new data and tools they have at their fingertips as a result of digitalization. 

Sorting Through the Data Maze

Being a more digital and data-savvy business doesn’t just mean doing clever analytics and automations. It needs to be coupled with an awareness of what is and isn’t permitted across the data lifecycle, from data collection through to disposal. Getting familiar with the concept of data minimization is crucial. At heart, minimization is about: understanding what data you need from your customers to provide your product or service; not collecting more data than is required; and deleting data when no longer needed. 

In fact, one of the major pitfalls for businesses who are at the early stage of their maturity journey is to over-collect data. For instance, many businesses collect ‘gender’, ‘date of birth’ and ‘home address’ as a matter of course. After all, knowing the gender identity of customers, how old they are, and where they live can be highly useful for marketing and product development. 

However, if it is unnecessary to collect this data to provide the product or service, businesses should pause and take stock. 

Collecting unnecessary data can contravene privacy regulations, and it can also create security and identity theft risks for your customers, making your business a target for bad actors. A less obvious downside risk is that savvy customers don’t willingly hand over their data for no perceived value. This means that over-collecting often leads to customers providing ‘junk data’, such as false personal or demographic details. This can in turn lead to businesses making misinformed decisions. 

There are alternatives for businesses that still want to collect demographic data about their customers, without asking customers to hand over sensitive personal data. For example, knowing a customer’s postcode may be the next best thing to knowing their address, and most are happy to oblige. Similarly, age ranges  — such as 18-24, 25-30, and so on  — can be used instead of date of birth, while still getting a good snapshot of customer cohorts.

Finally, it’s often a good option to allow customers to choose what non-essential data they wish to provide, while explaining the benefits of doing so. For instance, in some cases customers may be happy to disclose their location or even their gender identity so they can receive more targeted information. Giving customers freedom in what they disclose, and being clear on why they are being asked, not only makes for happier customers, it’s also likely to yield better data quality to drive insights and decision-making. 

Finding the Sweet Spot
Between Compliance and Value 

Businesses of all sizes are facing regulatory landscapes that mandate more mature digital and data capabilities. Whether this becomes a headwind, or a tailwind, will depend on the decisions that each business makes. 

Tax compliance can be turned to a business’ advantage, and adhering to the data minimization principle can help with compliance and lead to happier customers and better data for decision making. Finding the ‘sweet spot’ requires creativity and lateral thinking. But it is well within the grasp of small business owners - who are creative and entrepreneurial by definition.

Dr. Kendra Vant is Executive General Manager of Data at global small business accounting platform Xero. In this role, she heads a global team building data-driven products that harness AI and machine learning to solve complex problems for business and industry. She is also the chair of Xero’s Responsible Data Use Advisory Council. With a career spanning four countries and eight industries, Kendra has worked in bespoke systems development, in generating business insights from data, and is now focused on applying machine learning to create personalized experiences in an increasingly connected world. She is passionate about collaborating with and leading others to solve complex problems.