We would like to inform you that work on the new EU General Data Protection Regulation (GDPR) is coming to an end. We expect the official text of the GDPR to be adopted by the European Parliament at the turn of March and April 2016, which means that the regulation will take effect in the second quarter of 2018.
One of the main and most revolutionary changes to be introduced by the GDPR is that the public authorities which supervise personal data processing in Member States (in Poland, the Inspector General for Personal Data Protection – Generalny Inspektor Ochrony Danych Osobowych; “GIODO”) will be authorised to impose high fines on businesses that fail to comply with the GDPR. The highest fines could be as much as 4% of a business’s worldwide turnover (but no more than EUR 20 million).
Due to this change, the level of risk associated with personal data processing will change entirely, and compliance with personal data protection laws will become even more important for businesses. Under the current legal framework, the only penalties available for non-compliant personal data processing are a coercive fine (of up to PLN 200 thousand), which the GIODO may impose if an entity fails to comply with an administrative decision issued by the GIODO, and a notice of a suspected offence, which the GIODO may send to the public prosecutor’s office.
Other major changes will be the application of a single law where a data controller operates in several Member States (“one stop shop”), the designation of a Data Protection Officer, the notification of breaches of personal data protection laws, the creation of self-regulatory tools, and the introduction of data protection by design requirements that apply when products and services are developed (“privacy by default”).