photo
25.05.2026

GDPR regulations have been with us for 10 years

In 2016, the GDPR, the General Data Protection Regulation, was adopted. The first two years after its adoption were a period for adapting national regulations to the Regulation, preparing the supervisory authority for its new tasks, and preparing data controllers for the obligations arising from the GDPR. We began applying these provisions on 25 May 2018. Although personal data protection regulations have existed since 1997, it was only from that moment that data protection ceased to be a topic solely for specialists, and citizens’ awareness of their rights increased significantly.

A major change occurred in the approach to data protection, which, thanks to new principles such as privacy by design and privacy by default, is taken into account from the very beginning of data processing operations - especially where modern technology is involved.

Risk analysis and data protection impact assessments are elements that are considered before data processing takes place. Without them, it is impossible to protect data properly. Data controllers have also come to understand that data protection is a continuous process rather than a one-time activity.

The impact of the GDPR on personal data protection is presented by the Presidents of the Personal Data Protection Office in the video below. President of the Personal Data Protection Office Mirosław Wróblewski, Deputy President Agnieszka Grzelak, and Deputy President Konrad Komornicki share their reflections and experiences from the 10 years of the GDPR’s existence and discuss its impact on the reality around us.