Re: First large scale test of GDPR legislation perhaps?
Data protection and information security are two slightly different things.
A good lawyer will show that BA only stored data it needed for the purposes of transacting its business with the customer and further that BA took reasonable steps to control access to and protect that data. The lawyer will show that this was a particularly skilled compromise of BA's information security measures, but not a breach of its obligations under GDPR.