The European Commission has announced an agreement on data protection reform that is designed to give consumers more control over their personal data and clarify the rules for business.

This reform was first proposed back in January 2012 but for some reason has taken four years to thrash out between the EC, European Parliament and the Council. And that’s not the end of it: the formal rubber-stamping won’t happen until next year and then we’ll be given a further two years to get our heads around the changes before they come into effect.

Individuals will then have easier access to more information on how their data is used, will have the right to move their personal data between service providers. They will have a clear ‘right to be forgotten’ through which they can get their data deleted, and finally have the formal right to be notified of any hacks that might affect them.

For businesses there will be a harmonisation of data laws with the aim of making it easier to do business across Europe. There will be one single supervisory authority, all companies doing business in Europe will be compelled to play by these rules regardless of where they’re based and will also be urged to build more data protection measures into their products.

Andrus Ansip, Vice-President for the Digital Single Market, said: “We should not see privacy and data protection as holding back economic activities,” said Andrus Ansip, VP for the Digital Single Market. “They are, in fact, an essential competitive advantage. Today’s agreement builds a strong basis to help Europe develop innovative digital services.

“Our next step is now to remove unjustified barriers which limit cross-border data flow: local practice and sometimes national law, limiting storage and processing of certain data outside national territory. So let us move ahead and build an open and thriving data economy in the EU – based on the highest data protection standards and without unjustified barriers.”

Reaction to the news was mixed. “Business supports a digital single market in Europe which works for both consumers and business, increasing jobs and growth as part of a reformed EU,” said Matthew Fell, CBI Interim Chief Policy Director. “Data is fundamental to delivering this and while the protection of that data is absolutely essential, these measures miss the mark for both businesses and consumers.

“From driving research and development in healthcare to powering our free social media and search platforms, data analytics is a vital part of modern business. This new legislation could hamper that with unnecessary administrative burdens and costs, like mandatory data protection officers, placed on firms of all sectors and size.”

“This is an early Christmas present and we welcome the GDPR text publication,” Nigel Hawthorn, Chief European Spokesperson at Skyhigh Networks. “Consumers are rightly concerned about their private information being lost by organisations and it’s great to have clarity on the regulations. Now enterprises and cloud service providers worldwide need to study them and ensure that their procedures and technology are in place to conform.”

“While the agreed text has not been made publicly available, it has been reported that there will be an increase in fines for breaches of data protection laws from a maximum of £500,000 in the UK to a possible 4 percent of annual global turnover,” said Mahisha Rupan, senior associate at law firm Kemp Little. “While this increase in fines will inevitably grab headlines, the day-to-day reality for businesses is more prosaic.

“With two years to comply, businesses should now be reviewing and auditing what kind of personal data they’re holding, including employee data, business development data and customer information. They need to develop a deep understanding of the types of data they are holding, what they’re doing with that data and why, as well as finding out if they’re sharing that data with third parties. A complete audit of data protection privacy and practices is the first step towards compliance.”