Evaluating the Impact of the GDPR’s Data Subject Rights on Businesses

Abstract

In 2018, the European Union passed data governance legislation known as the General Data Protection Regulation (GDPR). The US lacks an equivalent policy, but many experts agree that the passage of a comprehensive privacy law is imminent. Existing literature suggests that the GDPR’s data subject rights contained in Articles 15 and 16 (the right to access and rectify personal data) are the most difficult for businesses to comply with. This research paper looks specifically at whether compliance challenges associated with Articles 15 and 16 of the GDPR differ by business size and sector. The findings reveal that small and mid-size enterprises are less likely to acknowledge Articles 15 and 16 of the GDPR within their privacy policy, less likely to clearly explain how consumers can access or rectify their data, and less likely to hire and retain dedicated privacy staff. Despite these disparities, small and mid-size enterprises fulfilled data access and rectification requests at roughly the same rate as large enterprises.