When an organisation discovers a personal data breach, it is hard not to catastrophize. It is well known and understood that the GDPR has introduced a mandatory breach reporting requirement, and with mandatory reporting comes regulatory and, often, media scrutiny.