The E.U. General Data Protection Regulation introduces specific breach notification obligations for data controllers and processors. To help covered entities better understand when notification is required and what processes they should have in place in order to meet their obligations, the Article 29 Working Party issued Guidelines on Personal Data Breach Notification at the end of 2017. In this article, with advice and perspective from a former Special Agent with the FBI’s Cyber Division and current head of Nardello & Co.’s digital investigations and cybersecurity practice, we cover key concepts of the WP29 guidance, processes organizations should have in place to comply with the GDPR’s breach notification provisions, and strategies to balance global notification requirements. We also look at the GDPR’s overall effectiveness in addressing cyber risk. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).