I asked our in-house data protection legal teams, and their understanding is that because they _reported_ the breach after GDPR, they will be bound by those rules and potential fines.
Problem is, they were coordinating with the National Cyber Security Centre. To quote Wikipedia:
> The National Cyber Security Centre is an organisation of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats
Unfortunately, it remains to be seen how competent the NCSC is, and what exactly the goals of the NCSC are. It's an arm of GCHQ, and so far doesn't seem interested in fast disclosure.
Anyway, this might give them a way out. I'm sure NCSC/GCHQ are very capable of exerting a lot of political pressure on ICO.