EU Data Protection Regulation: 'We'll tell you what it really means when it's finished,' say commissioners
Want to know what the General Data Protection Regulation will mean for your organisation? Tough, you'll have to wait
Guidelines explaining how the EU's forthcoming General Data Protection Regulation (GDPR) will work in practice will only be produced after member state ministers have finalised the details - leaving organisations little time to adapt to the draconian new law, which will apply across Europe from next year.
The pledge follows talks earlier this week on the final wording of the draft Regulation, which, unlike a directive, will apply directly in law across every member state rather than being transposed into national law and debated and passed by each country's parliament.
"The Regulation cannot contain all the cases which might occur," Věra Jourová, European Commissioner for justice, consumers and gender equality, said. The guidelines, she added, "will be important for fine tuning and equalisation of imposing of penalties, because we are introducing quite strict penalties after we agree on them... We have a lot of work to prepare the European public and European businesses for this to be well implemented and understood."
Organisations will need detailed guidance on the Regulation because it will take effect shortly after government ministers agree its final details - and it will carry draconian fines for non-compliance. It will also, warned Pinsent Masons data protection lawyer Lucy Jenkinson, completely change the nature of data protection law in the UK and across the EU.
The changes, she said, include "the scope of the redefined 'personal data'; what is meant by 'unambiguous consent'; the practicalities of the detailed requirements for fair processing notices; the new obligations imposed on 'data processors'; the operation of the new 'right to be forgotten'; the mechanics of the new right to data portability; the details of any certification mechanisms envisaged in the Regulation; and the internal governance arrangements that will replace the existing requirement to notify the Information Commissioner".
Organisations need guidelines to decipher the legalese and to understand exactly what the Regulation will mean for them but, she said, the European Commission also needs to take into account "the realities for business of achieving compliance".
The GDPR has been the subject of three years of wrangling. While few people dispute the need to update data protection laws, given that the last directive was passed in 1995 and implemented three years later, MEPs have wanted to ratchet up data protection to a level that has left many businesses uncomfortable. Some have even warned that their proposals will damage the EU's own somewhat emaciated dot-com sector.
In addition, current drafts of the Regulation would appear to offer a complicated enforcement regime, at odds with the earlier promises of a simplified regime in which pan-EU organisations would only need to answer to one country's data protection authority, instead of being whacked 28 times across the continent for the same transgression.