Research on Discretion Regulation in the Personal Information Breach Notification System

CLC number: D922.16

Fund project: National Key Research Program, "Research on Fine-Grained Enforcement Technologies and Equipment for Whole-Process Control" (2018YFC0830400)

Abstract:

Article 57 of the Personal Information Protection Law of the People's Republic of China (PIPL) establishes a personal information breach notification system for the first time in China: it obliges a personal information processor to notify the competent authorities and the affected individuals after personal information has been leaked. A leak of personal information typically causes continuing and derivative harm to the data subject, touching personal safety, property and mental well-being, so timely and effective breach notification better protects personal information rights and interests. In performing this notification obligation the processor is granted a measure of discretion: where it has taken measures that can effectively prevent the resulting harm, it may refrain from notifying the individuals concerned. This discretion raises two main challenges. First, it undermines the effectiveness of the reputational sanction that breach notification is meant to trigger: a company that foresees the considerable commercial risk and social responsibility attached to disclosure will often choose to "digest" internally an incident that has already occurred, breaking the mechanism by which reputational sanctions operate. Second, the information asymmetry between processors and administrative authorities, together with "regulatory capture" driven by explicit regulatory indicators, leads companies to satisfy regulatory requirements in whatever way most cheaply produces an appearance of legality, lowering their compliance costs. Debate continues on how to regulate the discretionary space of this system and how to build a coordination mechanism between regulators and business organizations; regulating that space properly is the key to the effective operation of the breach notification system.

The paper draws on notable legislative policies in the breach notification regimes of Europe and the United States, in particular their triggering criteria and the distribution of notification thresholds, and analyzes the system of corporate reputational sanctions, its justificatory basis and the conditions under which discretion applies, within the framework of third-party obligations in administrative law. Taking the perspective of "structured discretion" as proposed by Davis, it then argues that China's breach notification system should be refined along four lines: (1) routine supervision of discretion, with continuous regulatory involvement in reviewing processors' discretionary decisions; (2) a two-tier notification approach, under which a discovered leak must in principle be reported to the regulator immediately, while notification of data subjects is subject to a higher triggering threshold; (3) coordinated weakening of explicit regulatory indicators, with the primary responsible department reviewing each discretionary decision it receives jointly with other relevant departments; and (4) stronger notification effectiveness, through specific design of the notice's content and delivery channel, strict limits on what a breach notice may contain, and a prohibition on any commercial promotion that impairs the notice's readability.

Cite this article:

Tang Lin (唐林), Zhang Lingling (张玲玲). Research on discretion regulation in personal information breach notification system [J]. Journal of Chongqing University (Social Science Edition), 2022, 28(3): 219-229. DOI: 10.11835/j.issn.1008-5831.jg.2022.04.017
Published online: 2022-07-04