UK law basically says "assess the risk and take appropriate measures." Short of criminal negligence, it's extremely unlikely that anybody will be prosecuted.
The Talktalk data leak actually seems like criminal negligence. I don't know the British law, but that level of negligence at least should be criminal.
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
TalkTalk did not take appropriate measures against unauthorised processing.
