Data breach notification

Obligation to notify personal data breaches to supervisory authorities, as introduced last year by the GDPR, has had a major impact on companies all over the Europe and beyond. Since then, tens of thousands of such notifications have been submitted, causing a significant spike in breach notifications, as compared to pre-GDPR era. Under the new law, with its stringent penalties, sweeping data breaches under the carpet has become a risky strategy. This, in turn, caused companies to be more keen to inform regulators about their potential issues with data security. It is no different in Poland, where GDPR is also in effect causing a major change in practices of companies affected by data breaches. In response to growing number of breach notifications, Polish data protection supervisory authority (UODO), has accompanied data controllers by providing guidance on most pertinent questions relating to this new obligation. In this article a Polish perspective relating to data breach notification obligation will be presented, along with relevant guidelines of the UODO.