"This is becoming a huge problem and there really needs to be legislation that makes the companies and directors legally responsible. "
There is and they are. Currently it's covered by the Data Protection Directive and from next year its the General Data Protection Regulations. The potential fines are vast and deliberate infringement can result in prison time.