Article 33
Its says that "[the company] shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify [...] the supervisory authority [...] unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification [...] is not made within 72 hours, it shall be accompanied by reasons for the delay."
so it doesnt have to be within 72 hrs, but if its not, you have to justify it.
and the fine is based on the Global group turnover, not the business unit, so if there were to be a fine, it would be based on IAG's turnover not BA's