Several high-profile personal data breaches have triggered a discussion among privacy advocates, security practitioners, corporate managers and politicians on what role regulation should play in how companies and organisations protect data. The self-regulation paradigm fails to reinforce individuals’ right to information and foster proactive risk management as incident-related information is communicated informally and on a voluntary basis. Lately (April 2016) the European Parliament adopted a reformed General Data Protection Regulation (GDPR) which regulates data breach notification. This paper analyzes the current status in information security incident management, describes the data breach notification mandate introduced by the GDPR and discusses its impact on the accountability and transparency of organisations, the amplification of the security function in organisations and the security market and the reinforcement of situational awareness. This paper also identifies enablers and barriers to compliance and highlights the key challenges that governments and organisations need to address for effective incident management, in the context of the new regulation paradigm.