They are absolutely required to report this to the data protection agencies in all European countries. As the other comment mentioned, missing the 72 hour deadline on this is enough to get a fine as Booking.com did.
I'm curious to see the total in GDPR fines from this for Facebook. Will probably take a year or two before we know.
GDPR is a gift to large corporations. Regulatory capture in return for a slap on the wrist. It also burdens startup competition and trains people to click "Allow Cookies" and "Accept the Terms of Service" as fast as possible.
GDPR is extremely similar to pre-existing privacy laws in some EU countries. It also applies to startups and large corporations equally, and in practice is more likely to be lenient towards startups making genuine mistakes while trying to obey the rules versus large corporations intentionally ignoring them.
The "Allow Cookies" and "Accept Terms of Service" click-throughs also barely meet any of the GDPR requirements and in the case of the latter don't necessarily constitute informed consent: EU courts have repeatedly ruled that a wall of text can not be used in software to hide "surprising" rules (e.g. that your WhatsApp account will be banned if you use a third-party client).
it really wasn't - unlike other similar laws it is written in terms of world wide revenue (not profit), not a fixed fine, so it's not as easy to simply treat violations as being "free".
The actual work involved is trivial if you minimize data collection, which is the whole point - you shouldn't collect anything you don't actually need and GDPR got rid of the "abusing user privacy is purely profitable" excuse.
Regulatory capture is an anti-piracy bill that requires scanning all uploads using technology that only a few companies have or that costs more than potential income of a business. That's why YouTube was generally pro-that bullshit EU "anti piracy" law.
I'm curious to see the total in GDPR fines from this for Facebook. Will probably take a year or two before we know.