
UK GDPR Post-Brexit Divergence: The Technical Differences That Could Affect Your EU-UK Data Transfers

DPDI Act 2025 makes 14 departures from EU GDPR. EU-UK adequacy under review in 2026. The £1.2M LastPass fine established encryption strength as a legal requirement. How to maintain dual EU+UK compliance.

March 7, 2026. 10 minute read
Tags: UK ICO, UK GDPR, post-Brexit data protection, DPDI Act, EU-UK adequacy

The UK's Data Protection and Digital Information (DPDI) Act 2025 makes 14 significant departures from EU GDPR — creating the first substantive regulatory divergence between EU and UK data protection frameworks since Brexit. The EU-UK adequacy decision, originally valid until June 2025 and extended pending review, faces increasing scrutiny from GDPR practitioners and the European Commission.

The LastPass Enforcement: UK GDPR's Technical Benchmark

The ICO's £1.2 million fine against LastPass UK in December 2025 is the UK's most significant technical security enforcement case. The ICO found:

Encryption inadequacy: LastPass stored customer master password vaults with outdated encryption that the ICO found "inadequate" under UK GDPR Article 32. Specifically, the ICO found that some accounts' vault keys were still derived with PBKDF2-SHA256 at only 1 iteration, far below the 600,000 iterations that the OWASP Password Storage Cheat Sheet recommends as the minimum for PBKDF2-HMAC-SHA256.

The legal standard established: UK GDPR Article 32 requires "appropriate technical and organisational measures" that take account of the "state of the art." The ICO found that the state of the art for key derivation in 2022, when the breach occurred, required far more than LastPass provided. The practical consequence is that the bar moves: a parameter choice that was acceptable in 2015 may not be acceptable in 2022.

Direct implication for encryption tools: Organizations using data processing tools must verify that those tools' encryption implementations meet current "state of the art" standards, not just minimum baseline standards. The ICO's LastPass enforcement makes vendor encryption quality a directly auditable compliance requirement.

DPDI Act 2025: Key Divergences from EU GDPR

The DPDI Act makes 14 identified departures from EU GDPR. The most operationally significant:

1. Legitimate interests reform: The DPDI Act creates a list of "recognized legitimate interests" that do not require the EU GDPR's balancing test against data subject interests. This makes legitimate interest a more accessible legal basis for UK organizations — reducing consent requirements for some commercial processing.

2. Research, statistics, and archiving: The DPDI Act significantly broadens the research exemption, allowing broader secondary use of personal data for research purposes without explicit consent requirements that EU GDPR imposes.

3. Automated decision-making: The DPDI Act's replacement for GDPR Article 22 (automated decision-making rights) is more permissive for commercial automated decisions. The requirement for meaningful human review is relaxed for some categories of automated processing.

4. Record-keeping: The DPDI Act removes the mandatory ROPA (records of processing activities) requirement for organizations under 250 employees that do not carry out "systematic" processing. EU GDPR Article 30(5) exempts organizations under 250 employees only where their processing is occasional, unlikely to result in a risk to data subjects, and does not involve special-category or criminal-offence data, so most organizations that process personal data routinely still need a ROPA.

5. Cookie consent: The DPDI Act includes provisions for "cookie-less alternatives" and reduces consent requirements for analytics cookies, specifically to cut the cookie-banner burden. In the EU, the ePrivacy Directive (applied alongside GDPR, not part of it) still requires consent for non-essential cookies, including analytics.

6. International transfers: The DPDI Act gives the UK Secretary of State broader authority to grant adequacy decisions — potentially allowing the UK to grant adequacy to countries the EU has not, creating divergent transfer frameworks.

The Adequacy Risk: What Could Trigger EU Review

The EU Commission's adequacy review of the UK will assess whether UK GDPR (as modified by DPDI Act) provides "essentially equivalent" protection to EU GDPR:

Areas of concern identified by EU monitors:

  • DPDI Act's legitimate interests expansion may create gaps the EU considers inadequate
  • UK surveillance law (Investigatory Powers Act 2016) remains incompatible with GDPR standards according to CJEU precedent in related cases
  • UK-US data sharing arrangements under CLOUD Act create potential for EU data exposure to US law enforcement access

If adequacy is suspended or revoked: EU-to-UK transfers would lose their lawful basis and would need an Article 46 mechanism instead, typically the EU Standard Contractual Clauses backed by a transfer risk assessment; the UK-to-EU direction is unaffected, since the UK continues to treat the EEA as adequate. The 10,000+ existing UK-EU Standard Contractual Clause arrangements would need to be activated immediately, and organizations relying solely on adequacy would face a compliance gap.

Maintaining Dual EU + UK GDPR Compliance

For organizations subject to both EU GDPR and UK GDPR, the practical approach:

Use the stricter standard as the baseline: EU GDPR Article 32, the legitimate interests balancing test, and the Article 22 automated decision-making requirements are stricter than their DPDI Act equivalents. An organization meeting EU GDPR standards will largely meet UK GDPR standards as well, with minor UK-specific additions.

Document both legal bases: For processing under legitimate interests, document both the EU GDPR balancing test and that the processing would fall within UK DPDI Act recognized legitimate interests. Dual documentation protects against divergence.

Monitor adequacy decision status: The 2026 adequacy review outcome will determine whether separate transfer mechanisms are needed for UK-EU transfers. Organizations should maintain SCCs as a backup mechanism even if relying on adequacy currently.

Encryption to current state of the art: The ICO's LastPass enforcement makes vendor encryption standards an active compliance consideration. Verify that PII tools, data stores, and key management implementations use currently recommended parameters: AES-256-GCM with a unique nonce per key, and Argon2id for password-derived keys (or PBKDF2-HMAC-SHA256 at 600,000 or more iterations where Argon2id is unavailable). Check the parameters actually in force for every stored record rather than the vendor's current default; records created before a default was raised keep the parameters they were created with unless they are explicitly migrated.
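The per-record KDF audit that the LastPass finding and the encryption guidance above both call for, as an added Python example. This is not code from the original page, from LastPass, or from the ICO. It assumes a simplified vault record (a KDF name, its parameters, a salt, and a SHA-256 verifier of the derived key), policy thresholds taken from the OWASP Password Storage Cheat Sheet, and constructed sample accounts; the "upgrade on login" step is a common migration pattern, not something the page attributes to LastPass.

```python
"""Audit stored key-derivation parameters against current minimums and
upgrade legacy records the next time their owner authenticates.

Illustrative example: the record layout and the sample accounts are
constructed for this demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Minimum work factors per KDF (OWASP Password Storage Cheat Sheet, 2023).
# OWASP lists several equivalent Argon2id trade-offs; only 19 MiB / t=2 / p=1
# is encoded here.
POLICY = {
    "pbkdf2-sha256": {"iterations": 600_000},
    "pbkdf2-sha512": {"iterations": 210_000},
    "pbkdf2-sha1": {"iterations": 1_300_000},
    "scrypt": {"n": 2**17, "r": 8, "p": 1},
    "argon2id": {"memory_kib": 19_456, "iterations": 2, "parallelism": 1},
}
MIN_SALT_BYTES = 16
KEY_BYTES = 32
# Target for upgrades. Argon2id would be preferable but needs a third-party
# package (argon2-cffi); PBKDF2 and scrypt ship in the standard library.
CURRENT_KDF = "pbkdf2-sha256"


@dataclass
class VaultRecord:
    user: str
    kdf: str
    params: dict
    salt: bytes
    verifier: bytes  # SHA-256 of the derived key, so logins can be checked without storing the key


def assess(kdf: str, params: dict, salt: bytes) -> list[str]:
    """Return findings for one record's KDF settings; an empty list means compliant."""
    policy = POLICY.get(kdf)
    if policy is None:
        return [f"unrecognised or deprecated KDF {kdf!r}"]
    findings = []
    for name, minimum in policy.items():
        value = params.get(name)
        if value is None:
            findings.append(f"{kdf}: missing parameter {name!r}")
        elif value < minimum:
            findings.append(f"{kdf}: {name}={value} is below the minimum {minimum}")
    if len(salt) < MIN_SALT_BYTES:
        findings.append(f"salt is {len(salt)} bytes, need at least {MIN_SALT_BYTES}")
    return findings


def derive(kdf: str, params: dict, salt: bytes, password: bytes) -> bytes:
    """Derive a KEY_BYTES key using the record's own KDF and parameters."""
    if kdf.startswith("pbkdf2-"):
        digest = kdf.split("-", 1)[1]
        return hashlib.pbkdf2_hmac(digest, password, salt, params["iterations"], KEY_BYTES)
    if kdf == "scrypt":
        # scrypt uses 128 * r * n bytes; lift maxmem above OpenSSL's 32 MiB default.
        return hashlib.scrypt(password, salt=salt, n=params["n"], r=params["r"],
                              p=params["p"], maxmem=512 * 1024 * 1024, dklen=KEY_BYTES)
    raise NotImplementedError(f"{kdf} is not available in the standard library")


def make_record(user: str, kdf: str, params: dict, password: bytes) -> VaultRecord:
    salt = os.urandom(MIN_SALT_BYTES)
    key = derive(kdf, params, salt, password)
    return VaultRecord(user, kdf, dict(params), salt, hashlib.sha256(key).digest())


def audit(records: list[VaultRecord]) -> dict[str, list[str]]:
    """Inventory-wide check: user -> findings, for every record that fails policy."""
    return {r.user: f for r in records if (f := assess(r.kdf, r.params, r.salt))}


def authenticate(record: VaultRecord, password: bytes) -> tuple[bool, bool]:
    """Verify a login and, if the record's KDF is below policy, re-derive it with
    current parameters. Returns (password_ok, record_upgraded)."""
    key = derive(record.kdf, record.params, record.salt, password)
    if not hmac.compare_digest(hashlib.sha256(key).digest(), record.verifier):
        return False, False
    if not assess(record.kdf, record.params, record.salt):
        return True, False
    # The cleartext password is only in hand during a successful login, so this
    # is the one point at which a stored record can be moved to new parameters.
    new_salt = os.urandom(MIN_SALT_BYTES)
    new_params = dict(POLICY[CURRENT_KDF])
    new_key = derive(CURRENT_KDF, new_params, new_salt, password)
    record.kdf, record.params, record.salt = CURRENT_KDF, new_params, new_salt
    record.verifier = hashlib.sha256(new_key).digest()
    return True, True


def sample_records() -> list[VaultRecord]:
    """Constructed accounts: each kept whatever iteration count was the default
    when it was created, the pattern the LastPass finding describes."""
    return [
        make_record("legacy-account", "pbkdf2-sha256", {"iterations": 1}, b"correct horse"),
        make_record("mid-era-account", "pbkdf2-sha256", {"iterations": 100_100}, b"battery staple"),
        make_record("current-account", "pbkdf2-sha256", POLICY["pbkdf2-sha256"], b"xkcd-936"),
    ]


if __name__ == "__main__":
    vault = sample_records()
    for user, findings in audit(vault).items():
        print(user, "->", "; ".join(findings))
    legacy = vault[0]
    print(authenticate(legacy, b"wrong"))          # (False, False): nothing changes
    print(authenticate(legacy, b"correct horse"))  # (True, True): record re-derived
    print(authenticate(legacy, b"correct horse"))  # (True, False): already at policy
    print("after upgrade:", audit([legacy]))       # {}
```

The audit flags both the 1-iteration record and the 100,100-iteration one: the second was a reasonable default when it was set, which is exactly the "state of the art moves" point. Upgrade-on-login only repairs accounts whose owners actually sign in; records that never authenticate stay at their old parameters, so the inventory report, not the login path, should drive forced rotation or a deadline for dormant accounts.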

The UK's post-Brexit GDPR divergence represents the first significant fracturing of the EU's data protection standards. For organizations operating across both jurisdictions, the safest posture is designing for the most stringent applicable requirements — which remain EU GDPR's core technical standards.
