Yet despite this, we don't get any kickbacks for providing it, do we? We don't even see reductions in our costs.

Shit, if only we could copyright our names, they'd be shafted so hard, they'd think a blue whale was rodgering them.

"Dai Davis, a partner at commercial solicitors Brooke North, agreed that many firms routinely breach principles established by the law when they outsource data processing to India."

Working for a major company, I can say this is true. The people responsible for the offshoring are so tied up with the promises they make to senior management and care far to much about the Bonuses they will get for achieving so called cost savings, that they ignore all regulations including DPA.

We have several offshore organisations where coders, testers, support staff etc have access to the entire customer database including financial info.

The offshorers know it's wrong aswell but they won't rock the boat because all they care about is the almighty dollar.

Checkout the report

http://www.easybourse.com/bourse-actualite/marches/eu-commission-wants-uk-government-to-probe-targeted-488767

The problem is entirely of enforcement and fear of consequence. If there is no consequence then your could apply the 'death penalty' and nothing would change. What focusses the mind is the loss of wealth or loss of liberty.

It is difficult to apply a material estimate of 'wealth' to data so it is not, in reality, possible to apply the criminal law of theft unless use of the data results in a tangible or quantifiable cost/loss. Any intangibility gives rise to argument - which is (literally) meat and drink to lawyer - and the long grass beckons for any case generated on this basis. Solve the problem of value estimation, and get an legal agreement to it, then loss or theft has a monetary (criminal) value.

Requiring the directors of an enterprise to immediately hand over (or worst case Bond) the value of data loss pending the final determination of the courts might encourage them to be a little more careful. You can insure against bonds but it gets expensive after the second/multiple event and the cost of mandatory insurance might just go up. Businesses are required to have PLI and ELI so (much as I dont like and hesitate to suggest it) why not Data Liability Insurance?