UK GDPR After Brexit: What Changed
The UK Data Protection Act 2018 brought UK GDPR into law. It runs close to EU GDPR — but not in every area. If you work in both the UK and the EU, you face two separate compliance checks.
What stayed the same:
- Six lawful bases for processing
- Subject rights: access, erasure, rectification, portability
- 72-hour breach notice to the regulator
- Privacy by design and by default
What changed:
- The UK runs its own adequacy decisions for cross-border transfers
- UK AI guidance issued in 2023–2024 goes further than the EDPB
- UK research exceptions are slightly broader than EU ones
- The regulator is moving from advice-first to fines — faster than before
The gap between UK and EU rules is real. Treat them as two distinct checklists.
The LastPass Fine: Encryption Is Now a Legal Test
In December 2025, the ICO fined LastPass UK £1.2 million for a flawed encryption setup. This is the most important UK GDPR ruling on technical security to date.
What the regulator found: LastPass stored vault records with server-held keys. Anyone who reached the server could read the vault. The ruling found this broke the "appropriate technical measures" test in UK GDPR Article 32.
The key phrase from the notice: "The controller should have used client-side encryption. This would have kept user vault records safe even if the server was breached."
What this sets: If a safer design exists and is buildable, using the weaker one may now break Article 32. Server-side key management is no longer a safe default for sensitive records.
Who is at risk: Any service that stores sensitive records and keeps encryption keys on its own servers. This includes tools that log text for audit trails, usage stats, or document history. If the server can read the text, regulators may ask why you did not use client-side design. See how anonym.legal handles this with zero-knowledge architecture.
UK AI Guidance: Eight Technical Rules
The UK regulator published detailed AI guidance in 2023–2024. It covers eight specific requirements for generative AI systems. The EU's comparable guidance is less detailed.
1. Training data provenance — AI trained on personal records must log where that data came from and what steps were used to clean it.
2. Output monitoring — Systems that produce personal output must have controls to catch and stop bad disclosures.
3. Purpose limitation — Records used for AI training must match the stated purpose. General training on customer records needs a clear legal basis.
4. Automated decision rights — If your AI makes key choices about a person, it must support access, explanation, and appeal.
5. Bias monitoring — Systems that use protected traits — directly or by inference — must have bias checks in place.
6. Minimization before fine-tuning — You must reduce personal records before fine-tuning. A policy alone is not enough.
7. Erasure from model weights — If records enter model weights, you need a plan to address erasure requests. Technical or equivalent safeguards are required.
8. Third-party AI review — If you use another company's AI, you must check and record its compliance with all eight points.
These eight rules form a practical checklist for any UK AI deployment.
UK Enforcement: The Shift to Fines
The regulator used to prefer guidance letters over penalties. That is changing. Recent actions show a clear pattern:
| Action | Amount | Year | Reason |
|---|---|---|---|
| British Airways | £20M | 2020 | Breach — weak security |
| Marriott International | £18.4M | 2020 | Breach — poor due diligence |
| LastPass UK | £1.2M | 2025 | Encryption design failure |
| Electoral Commission | £4.4M reprimand | 2023 | Unpatched server |
67 enforcement notices were issued in 2024 — a record. The LastPass case is notable because the fine was for a design choice, not just a breach outcome. Regulators scrutinized how LastPass built its system. That is new.
UK–EU Transfers: Two-Way Risk
UK organizations that handle EU personal records face obligations from both sides.
From EU to UK: The EU granted the UK an adequacy decision in 2021. It is still valid. But it is under legal challenge. Do not rely on it alone — standard contractual clauses (SCCs) are a sensible backup.
From UK to EU: No current rule blocks moving UK records to EU processors. But an EU processor handling UK records may still trigger EU GDPR rules on its end.
Practical step: Write your UK GDPR position and your EU GDPR position as two separate documents. Note where they match and where they differ. This is the record you need if a regulator asks. Our compliance overview maps both sides.
For a deeper look at zero-knowledge design and how it addresses the server-breach risk identified in LastPass, read our security and privacy architecture page.
Sources
- ICO: UK GDPR Guidance and Resources — VERIFIED-EXTERNAL
- ICO: LastPass Enforcement Notice, December 2025 — VERIFIED-EXTERNAL
- ICO: AI and Data Protection Guidance — VERIFIED-EXTERNAL
- ICO: 2024 Enforcement Annual Report — VERIFIED-EXTERNAL