The harm could be either moral or financial. It could be to reputations or to relationships, but you need to take into account significant harm.
The obligation to notify is not specified in a specific timeline. It is as soon as possible, which I believe speaks to due diligence yet does not constrain the organization in what are technologically more defined delays than what could be specified in law. Also, the notification must go to both the affected individuals and to the Privacy Commissioner.
To go to your last point, how it helps is that when you notify individuals, you empower them to take measures to protect their personal information.