In theory, in the UK the data protection registrar can send the CEO of a company in breach of legislation to prison.
Having data without security is like driving without insurance.
You have to consider all of the following and more:-
- Encrypting data in the database
- Encrypting data in the backups
- Data security in electronic transport: SSL certificates, etc.
- What machines are allowed to talk to a DB server and if possible what processes
- Data security in transport. Physical media, backup tapes, DVDs, USB
- Separation of data with different security concerns
- RACI matrix for who has access to what and at what level
- RACI matrix for who has authority to specify access and to grant it
- How security is monitored/audited
- What business processes are in place for security breaches. This has to include escalating up the chain of command.
- Business process for handling requests under the Freedom of Information Act or ICO requests
- ...etc
In short, there is a lot to think about with regard to security and, as said earlier, it's not just doing it, it's being seen to do it.