The notifications and communications referred to in subsections (1), (2) and (3) shall, in addition to the requirements of those subsections —

(a) communicate the name and contact details of a point of contact of the data controller, where more information can be obtained;

(b) describe the likely consequences of the personal data breach; and

(c) describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.