News
UODO Report: Nearly All Polish Organizations Unprepared for AI Despite GDPR

Poland's Data Protection Authority (UODO) has published a strategic report showing that 95.9% of surveyed organizations rate themselves as unprepared or uncertain about GDPR compliance when deploying artificial intelligence, even though a substantial share already use such tools daily.
Contents
UODO, Poland's Data Protection Authority (Urząd Ochrony Danych Osobowych), has published a strategic report examining how Polish employers in both the public and private sectors are handling the rollout of artificial intelligence while trying to stay compliant with GDPR. The findings are stark: the vast majority of surveyed organizations do not feel ready for the challenges posed by combining AI with personal data protection.
Scale of the unpreparedness
The survey found that nearly every institution covered struggles to assess whether and how the AI systems they use comply with GDPR. The 95.9% figure for organizations reporting a lack of readiness or uncertainty about compliance spans public offices, schools and healthcare facilities as well as private companies, showing the problem isn't confined to a single sector.
At the same time, the actual extent of AI use among surveyed organizations varies widely. The report's authors split respondents into several groups: 16.7% have AI genuinely embedded in day-to-day processes, roughly 40% are in a pilot, testing or planning phase, and 42.7% say they don't use AI at all. The remaining 16.3% are interested in the topic but don't know where to start.
Shadow AI inside organizations
One of the most troubling threads in the report is what's described as shadow AI, meaning informal use of tools like ChatGPT by employees that goes unmonitored by their employer. Report co-author Dr. Dominik Lubasz notes that official data on AI use within organizations likely understates the real scale of the phenomenon significantly.
The actual scale of AI use is probably far greater - Dr. Dominik Lubasz, co-author of the UODO report
The issue is that employees often enter personal data belonging to clients, patients or members of the public into publicly available AI tools without realizing that doing so may breach data protection rules. Employers who have not formally adopted any AI solutions may, in practice, already be processing personal data through third-party models, with no oversight of that process whatsoever.
The report also shows that fully 41% of respondents either don't believe that developing and using AI involves processing personal data, or simply can't assess it at all. That points to a basic knowledge gap about exactly when, in the operation of AI systems, personal data actually gets processed.
Barriers aren't technological
The report's authors stress that the obstacles organizations face in rolling out AI in a GDPR-compliant way are chiefly organizational and regulatory, not technological. Among the most commonly cited barriers, respondents named a lack of suitable data for training models, insufficient support from parent bodies and management, ethical and reputational concerns, and the complexity of AI-related regulation.
As many as 417 organizations pointed to a lack of regulatory support as one of the main obstacles to deploying artificial intelligence. Among the AI applications surveyed organizations are already testing or rolling out, administrative process automation leads at 41.2%, followed by data analytics and forecasting at 31%, chatbot and voicebot-based customer or citizen service at 28%, and support for research and development work at 28.2%.
What comes next
The report, prepared by the Social Expert Panel to the President of UODO within its AI Working Group, is meant to serve as the foundation for a new authority program called AIDA, AI and Data - Active Support. Its goal is to shift the regulator's approach away from a model centered on inspection and penalties toward an educational model, offering organizations concrete substantive, technical and legal support as they roll out AI.
For Polish companies and public institutions, the report's findings carry practical weight as the EU's AI Act takes effect and against the backdrop of earlier work on Poland's law on artificial intelligence systems. With nearly every surveyed organization admitting uncertainty about GDPR compliance, and a significant share of employees using AI tools outside their employer's control, the risk of personal data protection violations is growing faster than organizations' awareness of that risk.


