The Dutch Data Protection Authority just appear its GDPR fining policy, being the first country to do so. GDPR allows for a best fine of 4 percent of global acquirement or €20 million, whichever is higher, but little has been said about how to actuate the exact fine amount and what the scale is.

The new GDPR fining policy sheds light on this as it introduces a four class system, giving assorted examples depending on aggregation size and best fine. For example, if a company’s best fine is €10 million, it might face the afterward fines for less severe violations:

  • Category I: €0 to €200,000
  • Category II: €120,000 to €500,000
  • Category III: €300,000 to €750,000
  • Category IV: €450,000 to €1 million

While the Dutch Data Protection Authority doesn’t absolutely state how it’ll assort GDPR violations, it does share a list of “relevant factors” for free a severity of a violation. Factors accommodate the continuance of the infringement, the number of data capacity (people) affected, how quick the aggregation reacts, and what type of claimed data is involved.

Arnoud Engelfriet, IT lawyer and accomplice at Dutch firm Legal ICT, says the policy brings some much needed accuracy to GDPR enforcement. While the GDPR doesn’t carefully crave a abundant policy, it does crave a fine to be evaluated according to many criteria, so arising a clear policy like this helps in Engelfriet’s opinion.

“The administrator is free under the GDPR to issue fines and to assort them as it sees fit, so you can have four, eight, two, or no categories if you want. As long as you can absolve each fine you’re OK under the GDPR,” Engelfriet told TNW.

Introducing categories does, however, make it easier for companies and the accepted public to accept how GDPR will be enforced. Engelfriet is happy with the addition of the new policy and says the fine system is set up so that ‘simple’ offenses can be managed with a almost light fine, thus abbreviation the number of appeals and making the whole action smoother.

“But if article big happens, they can bring down the full GDPR hammer and fine €10 or €20 million, or 4 percent of common turnover. And this is absolutely so for the accepted rules of GDPR: transparency, easily accessible rights, and above all, clear affidavit on every step you took to become compliant. Because if you’re GDPR adjustable but you have no documentation, you’re not GDPR compliant. And that’s a €20 actor fine for you then.”

Many have been cat-and-mouse for GDPR‘s ‘real’ impact, as there wasn’t much administration in 2018. Experts adumbrate that it will change in 2019, with assorted investigations coming to a close in the afterward months, accompanied with the first GDPR fines. Engelfriet agrees that the Dutch GDPR policy is a signal for a GDPR administration era: “You wouldn’t set such a policy if you did not intend to issue fines.”

Read next: Apps are burglary your absorption — here's how to break up with your phone