They're obliged to notify under GDPR. The size of one's legal team does not excuse oneself from meeting basic compliance obligations, especially if you've already 'breached'.
In other words, make good. Don't compound one mistake with a mistake.
As for the original 'breach', they didn't have consent from isx customers to use their information in this way. Remember, ASX has no jurisdiction in the EU. The admission essentially confirms the breach.
ISX Price at posting:
$1.07 Sentiment: Hold Disclosure: Held