Doesn't matter, if they're a UK based company they fall under the EU GDPR and can receive a fine of 5% of their worldwide turnover for any loss of personal data, blanked out credit card numbers or not.
A cursory read of your own link would have told you that the new Data Protection Regulation is not yet in force and so the figure you quote is incorrect.
The ICO in the UK currently has the ability to fine up to £500k as I understand it.
https://ico.org.uk/action-weve-taken/enforcement/