I agree, and I am a BA employee. The GDPR regulations cannot legislate on cross boarder hacks but will fine those who are victims. However, outsourcing to IT centres abroad increases that risk as it's more difficult to control what goes on - no need to dispute that as it is an obvious fact. IT centres in other countries are not bound by UK law apart from the contract they sign with the UK company. For balance, I have no idea if the hack was due to IT being outsourced but I'm sure that the tech guys abroad won't be fined, it will be the UK based BA company.
To broaden the subject (sorry for the thread keep), why has Cruz still got his job? Don't BA have non-execs who are supposed to monitor the CEO etc ? IAG ) are making unbelievable profits (lets face it BA is making the money) but the board are allowing one disaster after another. In many industries Cruz would have gone by now, so why is he still CEO ?