It is important not to lose sight of the purpose of the notification requirement, which is to help individuals decide what steps, if any, they can take to reduce the damage (for example, cancelling their credit cards or resetting their passwords).
To that end, the Guidelines set out what information to include in the notification, including details of any damage limitation measures the organisation has taken. The WP29 also recommends providing specific advice to individuals about how they themselves can limit the damage.
Individuals must be able to understand, and therefore act upon, the notification. The detail and means of transmission of any notification should be considered ahead of time in your organisation’s response plan.