The GDPR obliges controllers and processors to process personal data in a manner that ensures appropriate security of that data, including protection against unauthorised access to or use of the personal data and of the equipment used for the processing. The controller or processor must therefore evaluate the risks inherent in the processing and implement technical and organisational measures, appropriate to those risks, to mitigate them (Article 32 of the GDPR).
Data controllers must communicate a personal data breach to the affected data subjects without undue delay. This obligation applies where the breach is likely to result in a high risk to the rights and freedoms of the natural person, so that he or she can take the necessary precautions (Article 34 of the GDPR).
Data controllers must also notify the competent data protection supervisory authority, unless the controller can demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Such notifications must be submitted without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the breach; a notification made later than that must be accompanied by reasons for the delay (Article 33 of the GDPR).
The GDPR also sets out clear conditions for imposing administrative fines. Data protection authorities can fine companies that do not comply with the EU rules, for instance where a company has failed to notify the supervisory authority of a personal data breach or has failed to inform its clients that their data has been breached.