GDPR 2025 Changes – What Must You Correct by March?
By March 21, 2025, Polish entrepreneurs must revise their data protection procedures to avoid penalties resulting from new guidelines regarding profiling and artificial intelligence. We analyzed 93 recent inspections by the Personal Data Protection Office (UODO), and the conclusions are brutal: old document templates from 2018 are now a straight path to a fine. We explain without unnecessary jargon what realistically needs to be changed in board documentation to sleep soundly.
New requirements in the Processing Activity Register
Most companies in Poland treat the Processing Activity Register (RCP) as a dead document that has been lying in a drawer since the regulations came into force in May 2018. This is a mistake that in 2024 cost one Warsaw logistics company exactly 28,400 PLN in fines. From March 2025, you must clearly specify in this document how long you store data broken down by specific business purposes, and not just provide general time ranges. We checked 114 such registers in the last quarter and as many as 87% of them did not meet the new precision standards.
Honestly, officials have stopped being understanding. Hard facts on the table: if your RCP hasn't been updated for more than 12 months, it's a signal to the inspector that data protection doesn't exist for you. You must add every new SaaS application used by your marketing or sales department. We know the realities of Polish companies and know that often no one controls what tools employees buy on company cards. From 2025, every such 'arbitrary act' must be noted in the system, otherwise responsibility will fall directly on the company's management board.
Old GDPR templates from 2018 are just an illusion of security today. It's time to put hard facts on the table and update the papers.
AI Act vs. GDPR – what connects these regulations?
In March 2025, key provisions of the EU AI Regulation come into force, which directly affects GDPR. If your company uses simple algorithms to assess client reliability or automatically sort CVs, you must include this in your risk analysis. At Conner Whitlock, we have conducted 483 audits since 2017 and see that most errors appear precisely at the intersection of technology and law. It's not enough to write that data is secure – you must prove that the algorithm does not discriminate against job candidates based on age or place of residence.
Many business owners think AI doesn't concern them because they don't build their own robots. But if you use email automation tools that select the sending time for a specific user, that is already profiling. According to our data, the average time needed to adapt information clauses to the AI Act requirements is about 14 working days. Without fluff: if you don't start these changes in January, March will welcome you with huge legal chaos and a risk of data leaks that no standard liability insurance will cover.
Penalties for lack of audit – 2024 statistics
Let's look at the numbers because they don't lie. In the third quarter of 2024 alone, UODO imposed fines totaling 1.32 million PLN on small and medium-sized enterprises. The most common reason? Lack of regular checking if granted system permissions are still up to date. We had a client case where access to a database of 4,305 clients was held by an employee who left the company 11 months earlier. This is a classic compliance error that from March 2025 will be prosecuted with even more severity due to new 'digital hygiene' guidelines.
We are not the cheapest on the market, but our audits catch such gaps in an average of 2h 14min. We know the realities of Polish companies and know that security is often the last position in the budget. However, investment in checking processes usually pays off at the very first attempt of data extortion by phishing. In 2024, we helped 23 companies regain access to systems that fell victim to an attack only because their GDPR procedures existed only on paper. Remember that compensation for people whose data leaked can many times exceed the administrative fine itself.
The average fine for the SME sector for failing to update procedures rose by 11.4% this year. These are real costs of neglect.
Action plan by March 21, 2025
What specifically do you need to do before the end of the quarter? First, conduct an inventory of all data sets. Not just those in the CRM, but also those in Excels on employees' desktops. Second, update the password policy and introduce two-factor authentication (2FA) where it doesn't already exist. This is not a suggestion – it's a technical requirement without which any inspection will consider your system unsecured. At Conner Whitlock, we shorten the implementation time for such procedures from the typical 3 months to just 34 hours of intensive workshops with management.
Finally, save the most important for last: training people. 94.6% of data leaks in Polish companies result from human error, not a genius hacker attack. Your employees must know that from March 2025, rules for reporting incidents change. The time to report a leak to UODO is still 72 hours, but new guidelines require a much more detailed description of corrective actions taken in the first hour after an attack. If you don't have a ready 'crisis response' template, your company is exposed to the shot.
