On 14 April 2016 the European Parliament finally adopted the General Data Protection Regulation (GDPR), which comes into effect in two years' time, i.e. in May 2018. The Regulation will apply directly in Poland without having to be implemented by statute.

One of the main and most revolutionary amendments introduced by the GDPR is that the public authorities that control personal data processing in Member States (in Poland, the General Inspector for Personal Data Protection – GIODO) will now have the power to impose  heavy fines on enterprises that fail to comply with the GDPR, with the highest fine being up to 4% of an enterprise's global turnover (though not more than EUR 20 million).

Under current regulations on sanctions for incompliant personal data processing GIODO only has the power to impose a coercive fine (up to PLN 200,000) by way of an administrative decision.

This change takes data processing to an entirely different risk level and processing in compliance with personal data protection regulations will become even more essential for enterprises.

Other key amendments involve application of a single law where a data controller operates in more than one EU country (one-stop shop), appointment of an Information Security Administrator, notification of personal data law breaches, creation of self-regulatory instruments and introduction of the obligation to protect personal data at product or service design level (privacy by default).