Yankee bashing might be a little premature?
I unfortunately had to spend several hours wading through the UK DPA 2018 and GDPR yesterday (Sunday), and there seems to be a bit of a hole here.
BICS appears to have collected call data through some sort of operation of exchanges. However, this is not necessarily in violation of GDPR, because the collected data, on the face of it, can not be associated with a real person. To get an identity, they would have needed information from the mobile operator.
So the mobile operator is the data controller (it possessed the private data, which was the caller identity), and BICS is simply a data processor. Transfer of data from a controller to a processor falls outside the data sharing code of conduct.
So the issue comes down to the contract between the mobile operators and BIC. I can't see any reason that the operators would give BIC the data unless they expected BIC to use that data, so the smoking gun appears to be at the operators.
IOW, maybe time to be kicking Vodafone, which sounds like a win.