Contrary to a broadly shared belief, under the GDPR not all Data Breaches are created equal. Section 33, first paragraph of the GDPR, indeed, clearly says that
In the case of a personal data breach, the controller shall … notify the personal data breach to the supervisory authority …, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. (emphasis added)
Of course only with a significant number of Court decisions it will be possible to create a taxonomy of what falls within the notion of “unlikely to result in a risk to the rights and freedoms of natural persons”. Nevertheless, is good to know that not any single data spill will turn into a self-incrimination.