The Dutch Data Protection Authority has released the first GDPR fining policy in the EU. It consists of a four-category system, based on company size, the maximum fine and factors including the duration of the offense, the number of people affected and how quickly the company reacts.