The data protection regulation's stated aim is to give citizens back control of their personal data and to simplify the regulatory environment.
It could mean huge fines for companies that breach the law, and it poses some complex problems about how they store, delete and return data to citizens.
Let's not forget, though, that governments must also be accountable for internet users' data. They must recognise that it is our data, be transparent about how they use it and about how that usage may change.
The biggest change is an increase to the fines that can be issued to non-compliant companies - up to 4% of their global turnover or 20m euros, whichever is bigger. Regulators will be able to inspect companies, who must show that they have appropriate systems in place for compliance, including a mandatory data protection officer for large companies.
It's difficult to see how regulators could properly inspect companies or whether they'll have the resources to do so.
There'll also be provision aimed at making it easier for users to transfer data and accounts to other providers, but once again this could prove difficult in practice:
Or, in the case of someone wanting to transfer their data from one utility or insurance provider to another or even to many, to ensure they get the best deal, "your name and address is probably data you provided, but companies could argue that your gas usage is something that they have collected directly", says Ms Boardman.