Not really what the GDPR intended
'a "comprehensive playbook" for companies who, having suffered a data breach, want to know how to shrug off the public consequences and pretend everything's fine'
I recently had a discussion about infosec with a European data protection lawyer, and the final question he asked was "how would you help your client avoid reporting a data breach to the regulator?" My answer ("I won't. My job is to minimise the chance of it happening in the first place") effectively terminated the conversation.
The "get out of jail free" approach is one hundred per cent contrary to the obligations imposed by the GDPR, which is there primarily to prevent data breaches happening in the first place, but also to mandate transparency when they do. A fundamental principle of the legislation is that openness to data subjects is an inescapable obligation, even when there is no data breach.
Obviously you don't want to do a Dido and put your foot in your mouth as happened at Talk Talk, but it's perfectly possible to be honest with the press without exposing too much, and in particular without trying to evade responsibility. It should be recognised that attempts to minimise or conceal a breach are typically pretty obvious, and are likely to be taken into account by regulators when setting penalties.
Despite which, the ominous words "We take your privacy seriously" still prevail.