28 January marks Data Protection Day (Privacy Day), commemorating the anniversary of the adoption of Council of Europe Convention No. 108 – the first international treaty regulating personal data protection.
This is a good opportunity to look at the most important privacy and data protection challenges that organisations and businesses in Poland and across the European Union will face in 2026.
Personal Data Breaches: A Growing Number of Incidents
In 2025, Poland recorded a record number of approximately 20,000 personal data breach notifications. This increase has been driven by a growing number of cyber threats, as well as a stricter approach taken by the Polish Data Protection Authority (UODO) towards incident reporting obligations.
What does this mean for data controllers in 2026?
As in previous years, it will be crucial to have effective incident management procedures in place, including in particular:
- identifying breaches,
- assessing the risks for data subjects,
- ensuring timely notification to the supervisory authority,
- implementing corrective and preventive measures.
New Cybersecurity Obligations: Implementation of NIS 2
Another significant regulatory challenge in 2026 will be the amendment to the Act on the National Cybersecurity System, implementing the EU NIS 2 Directive. The proposed changes will significantly expand the scope of entities subject to statutory obligations.
What should entities covered by the new regulations prepare for?
Entities operating in sectors classified as essential or important (in accordance with the NIS 2 Directive and the proposed amendment to the Act on the National Cybersecurity System) will face substantial new obligations and should prepare for them now.
In practice, businesses should first:
- determine whether they fall within the scope of the new regulations (i.e. whether they meet the criteria for essential or important entities),
- if so, review their existing approach to cybersecurity, including current procedures, policies and risk management systems,
- adapt their organisations to the new requirements, including those relating to incident reporting, supply chain security and management oversight,
- prepare for increased regulatory scrutiny and potential sanctions for failure to implement appropriate measures.
UODO Inspections in 2026: Announced Sectoral Audits
In 2026, inspections may be expected in particular in sectors where UODO identified irregularities in previous years.
According to the sectoral inspection plan published by UODO, the authority has announced audits, among others, in:
- public authorities,
- healthcare entities,
- companies conducting marketing activities,
- online delivery platforms.
What should be done now?
For many entities, 2026 will be an appropriate time to review the content of information obligations, the validity of marketing consents and data protection procedures, as well as their practical application, in order to ensure readiness for a potential supervisory authority inspection.
Summary: What to Focus on in 2026
Given the supervisory authority's increased activity compared to previous years, as well as the new statutory obligations arising from the implementation of the NIS 2 Directive, 2026 will require many entities to revise their internal policies and verify that personal data is collected and used correctly. The obligation to maintain internal documentation compliant with EU law must go hand in hand with the ability to demonstrate that it is effectively implemented in practice.
