If your test system isn't legal how do you fix it?
Posted by: Alastair Williams in Application and Database on Apr 15, 2009
Tagged in: Security

Using production data for test and development could be illegal under the Data Protection Act or European human rights laws. But what are the alternatives?
Three choices are available: creating new data, encryption/scrambling, and masking.
Creating new data is too time-consuming in the first place, let alone trying to manage it on an ongoing basis.
Encryption seems the easiest, but does it actually do the job? Encrypting the database protects the data until it is presented to the user, and whilst encrypting the presentation layer hides the data, it can significantly lower the viewer's ability to work with the information. Users who see "g5hfy7Hss9" in a name field are more likely to focus on this value as an "error" than on the functionality of the screen.
Masking the data with relationally aware tools when the test data is created removes the sensitive data, and therefore the risk of inappropriate access in this environment, whilst keeping the context of the data intact, even across multiple databases. If at the same time you are able both to right-size the test environment and to provide rapid comparison reports to test the impact of changes, implementing data privacy could actually reduce your IT costs.
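
A minimal sketch of the relationally aware masking described above, added here as an illustration and not taken from the original post or from any masking product. The masking key, replacement name lists, table names and sample rows are all constructed assumptions; the point is that a keyed, deterministic mask yields realistic-looking names and keeps keys joinable across two separate databases.

```python
import hashlib
import hmac
import sqlite3

# Assumed masking key: generated per data refresh and kept out of the test environment.
MASK_KEY = b"constructed-demo-key"
FIRST = ["Alex", "Sam", "Jo", "Chris", "Pat", "Robin", "Lee", "Morgan"]
LAST = ["Carter", "Hughes", "Patel", "Nolan", "Fisher", "Reid", "Doyle", "Shaw"]


def keyed_digest(field, value):
    # Keyed hash: the same input always maps to the same mask, and the mapping needs the key.
    return hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()


def mask_name(name):
    d = keyed_digest("name", name)
    return f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"


def mask_id(customer_id):
    # Applied identically in every database, so foreign keys still line up.
    return int.from_bytes(keyed_digest("id", customer_id)[:6], "big")


def build_masked_copies():
    # Constructed sample rows standing in for two production databases.
    crm_rows = [(1001, "Margaret Ellison"), (1002, "Tariq Hassan")]
    billing_rows = [(1001, 250.0), (1002, 80.5), (1001, 19.99)]
    crm = sqlite3.connect(":memory:")
    billing = sqlite3.connect(":memory:")
    crm.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT)")
    billing.execute("CREATE TABLE invoice (customer_id INTEGER, amount REAL)")
    crm.executemany("INSERT INTO customer VALUES (?, ?)",
                    [(mask_id(i), mask_name(n)) for i, n in crm_rows])
    billing.executemany("INSERT INTO invoice VALUES (?, ?)",
                        [(mask_id(i), a) for i, a in billing_rows])
    return crm, billing


def invoices_per_customer(crm, billing):
    # Cross-database join on the masked key: relationships survive the masking.
    counts = {}
    for (cid,) in crm.execute("SELECT id FROM customer"):
        row = billing.execute("SELECT COUNT(*) FROM invoice WHERE customer_id = ?", (cid,)).fetchone()
        counts[cid] = row[0]
    return counts
```
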









