"Breach reporting requirements will be significantly increased and more onerous in a world where the GDPR is enforceable," Ryan Rubin, managing director at global consultant Protiviti, told CNBC via email.
"In a climate where there is a high likelihood of data breaches occurring - which are often unavoidable, it is surprising that many have not put in sufficient planning to manage communications post breach. As we have seen in the past, how companies respond to data breach events will be judged equally or higher than the breach event itself."
However, if organizations can avoid being attacked in the first place, they may not need to disclose anything. Van Kessel shares some tips on how they may improve their security.
"Organizations should use cyber threat intelligence and 'active defense' to predict what threats or attacks are heading in their direction and detect them when they do, before the attack is successful. Second, they should upgrade their resistance," he said.
"Last, but not least, companies must improve the ways they react. If companies don't see the threat coming… companies need to react to limit the impact of the attack and get back to business as usual as soon as possible."