Imagine waking up one morning to find that your favourite online service has been hacked. The attackers have exposed confidential data held by the company, including your name, address and credit card details. This scenario illustrates what a data breach can mean: unauthorised access to, or disclosure of, personal data. But what steps must be taken when such a security violation occurs? Under the General Data Protection Regulation (GDPR), an organisation (e.g., the online service) must notify the competent data protection supervisory authority of a personal data breach, and in a second step must notify the affected data subjects (e.g., you) if the breach is likely to result in a high risk to their rights and freedoms. But does this notification obligation actually help protect personal data and mitigate the consequences of data breaches? In a new paper, written together with our colleagues Noël Bangma and Jaap-Henk Hoepman, we combine insights from different disciplines (law, information security and economics) to address the following question: what are the strengths and weaknesses of the data breach notification obligation in the GDPR, given its objectives? In this blog post, we summarise the main points of the paper.