Before the European General Data Protection Regulation (GDPR) rules went into force May 25, 2018 there was the 1998 Data Protection Act.  This is potentially what Dixons Carphone (the resulting company of mergers between Dixons Retail and Carphone Warehouse of UK) is facing as a result of 5.9M customers’ bank card details and 10M PII records were exposed by hackers in the latter half of 2017.

Dixons has contended that there is no evidence of fraud committed with those cards and that they were protected by chip & PIN. 

This all comes after Dixons was fined 400k pound sterling (approx. $518k USD) in January for the exposure of 3M customers PII in 2015.