Storing out of date or excessive information could result in a criminal prosecution by the information commissioner or a civil action by individuals.
Data protection lawyer Marc Dautlich said many companies could fall foul of the Data Protection Act when its transitional period ends on 24 October.
The warning comes as new research shows that a third of IT managers update their databases only on a monthly basis and 80% are unable to confirm the completeness of the information.
Dautlich said, "Very few companies have grasped that this is a corporate governance issue and that one person should be given responsibility to ensure they are meeting their requirements.
"In many cases that person should be someone from IT who has a good overview of the information being stored by departments across the company. They should have a place on the board or at least report to someone on the board."
The issue is likely to be most acute in companies where much of the business is completed online.
Helena Schwenk, an analyst at Ovum, said that when reviewing their databases many organisations may find they are unwittingly storing information because they do not know how to access it.
"If the system is old the documentation may simply not be there to find out what all the fields in the database are for," she said.
Ascential Software, which provides information asset management solutions, said its survey of 50 IT managers showed companies are not only breaking the law but also harming their businesses.