This is not an IT failure, but rather an IT success as it implements BA's data protection policies which predate GDRP.
The PNR and e-ticket information, which you reference as a "booking" are the passenger's, not yours and thus either the passenger communicates with BA or authorizes you, as a nominee, This could have been accomplished at the time you made the reservations and purchased the ticket.