I don't want to use the word “onerous”, but there is a job to be done, and to do it properly, organizations, especially large organizations, are going to have to change their processes and develop training to make sure that the appropriate staff are properly trained to handle the breach protocols.
We don't know yet what those will look like in detail. The discussions on what they might look like have been ongoing over the last year or so, with government officials, trying to ensure that they aren't unduly onerous in terms of some of the provisions. The law did require record-keeping and so on, and there is a question as to what degree of record-keeping organizations are going to have to work on.