Weasel words
if organisations choose not to, they don't have to report.
This sounds like organisations will likely only report if they think it is in their best interests, i.e. someone else is going to spill the beans on the data breach or there is the scope to gain some more money (rip off customers even more) to be able to "seal" the breach...
Mandatory should mean mandatory. No "Self assessment" of the breach. No weaselling out.