
ICO United Kingdom: Post-Brexit UK GDPR — The Technical Requirements That Differ from EU GDPR

ICO fined LastPass £1.2M for inadequate encryption in December 2025. The ruling establishes that client-side encryption is a legal requirement. Here's what UK GDPR requires technically.

March 7, 2026
Tags: ICO UK, UK GDPR, LastPass fine, encryption compliance, post-Brexit data protection

UK GDPR Post-Brexit: Divergence and Continuity

The UK Data Protection Act 2018, incorporating UK GDPR, mirrors EU GDPR closely — but with significant divergences that create distinct compliance requirements for organizations operating in the UK.

Continuity:

  • Same six lawful bases for processing
  • Same data subject rights (access, erasure, rectification, portability)
  • Same accountability principle and documentation requirements
  • Same data breach notification obligation (72 hours to ICO)
  • Same data protection by design and by default requirements

Divergences:

  • Adequacy regime: UK has its own adequacy decisions for international data transfers; EU adequacy for UK data transfers is maintained but contested
  • AI guidance: ICO issued dedicated AI guidance (2023-2024) more detailed than EDPB's comparable guidance
  • Biometric data: UK's treatment of biometric data has minor definitional differences
  • Research exceptions: UK's research and statistics exceptions are somewhat broader than EU equivalents
  • Enforcement culture: ICO has historically focused on education and guidance before fines; this is changing with recent large enforcement actions

For organizations operating in both EU and UK, UK GDPR creates a parallel compliance obligation requiring assessment of both EU GDPR and UK GDPR requirements — they are not identical.

The ICO's December 2025 fine against LastPass UK (£1.2M) is the landmark UK GDPR case for encryption standards. The enforcement notice established several principles with broad implications:

The core finding: LastPass's encryption architecture — which stored user vault data with server-accessible encryption keys — was found to be inadequate under UK GDPR Article 32. The ICO found that "the controller should have implemented client-side encryption, which would have ensured that even in the event of a server breach, user vault data would not be accessible to unauthorized parties."

What this means: ICO has established that where a more privacy-preserving architecture exists (client-side encryption) and is technically feasible, using a less privacy-preserving architecture (server-side encryption) may not satisfy the "appropriate technical measures" standard of Article 32.

Broader implications: Organizations that store sensitive data using server-side encryption — where the vendor's servers hold encryption keys — may face ICO scrutiny if a breach occurs. The enforcement notice explicitly states that "technical measures must be proportionate to the risk, and where the risk of unauthorized access to sensitive personal data is high, the appropriate measure may require client-side key management."

For PII anonymization tools: if a vendor's anonymization service stores the plaintext of processed documents server-side (for audit logs, usage analytics, or features like document history), this creates a server-accessible data store that may not meet the ICO's post-LastPass standard for sensitive data.

ICO's AI Guidance: Technical Requirements for Generative AI

ICO issued comprehensive AI guidance in 2023-2024, covering eight specific technical requirements for generative AI systems — more detailed than EU equivalent guidance:

1. Training data auditability: AI systems trained on personal data must have documented training data provenance, including the anonymization procedures applied.

2. Output monitoring: Systems generating personal data outputs must have monitoring controls to detect and prevent inappropriate data disclosure.

3. Purpose limitation in training: Personal data used for training must be limited to the specific purpose — general-purpose AI training using customer data requires explicit legal basis.

4. Individual rights in automated decision-making: AI systems making significant decisions about individuals must implement technical controls to facilitate individual rights (access, explanation, contestation).

5. Bias auditing: Systems processing protected characteristics (directly or by inference) must have technical bias monitoring.

6. Data minimization in fine-tuning: Fine-tuning on personal data must apply minimization before training — not just anonymization policies but technical implementation.

7. Retention in training: Personal data incorporated into model weights must be addressable for erasure requests (technical or equivalent safeguards required).

8. Third-party model due diligence: Organizations using third-party AI systems must assess and document those systems' technical compliance with these requirements.

These eight requirements create a technical implementation checklist for UK AI deployments.

ICO has historically preferred education and enforcement notices to large fines. This is changing:

  • LastPass (Dec 2025): £1.2M — technical security failure (encryption architecture)
  • Electoral Commission (2023): £4.4M reprimand (no fine) — security failure (server not patched)
  • British Airways (2019, settled 2020): £20M — data breach from cyberattack due to inadequate security
  • Marriott International (2019, settled 2020): £18.4M — data breach from inadequate due diligence

ICO issued 67 enforcement notices in 2024 — a record high — suggesting increasing willingness to use formal enforcement.

The LastPass fine is particularly significant because it targeted an encryption architecture decision, not just a breach outcome. This suggests ICO will scrutinize technical design choices, not just breach response.

UK-EU Data Flow Implications

UK organizations serving EU customers or receiving EU personal data face the dual compliance requirement:

  • UK GDPR applies to UK processing
  • EU GDPR applies to EU personal data

For data transfers from EU to UK: the EU's adequacy decision for the UK (granted 2021) remains valid but is subject to review and legal challenge. Organizations should not rely entirely on UK adequacy — standard contractual clauses remain a recommended additional safeguard.

For UK organizations using EU-based cloud services: the transfer from UK to EU is not currently restricted (no EU restrictions on UK data flows), but the EU service provider's processing of UK personal data may trigger EU GDPR requirements for the processor.

Practical guidance: organizations with EU-UK data flows should document both their UK GDPR compliance posture and their EU GDPR compliance posture separately, noting where they are equivalent and where UK-specific requirements apply.
