In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Vague terms such as “undue delay” still gives weak protection for individuals but the game changer is 72 hours to tell everybody you’ve been hacked.

I can see more blackmail attempts coming forth as companies look to delay public notification.  The big telecoms companies are well prepared and have started notifying end-users of the legal changes but there is not much comments or chatter on how this will change the Hacker community.

The important thing is now you can sue someone when the big hacks happen….and they WILL happen.

Let the legal games begin