Security and encryption with OpenVPN

0

The UK government is trying to implement man-in-the-middle attack systems in order to capture header data in all packets. They are also equipping the "black boxes" they will use with technology to see encrypted data (see the Communications Data Bill).

I use a VPN to increase my privacy. It uses OpenVPN, which in turn uses the OpenSSL libraries for encrypting data. Will the government be able to see all the data going through the VPN connection?

Note: the VPN server is located in Sweden, if that makes a difference.

Chris Tenet

Posted 2012-07-01T12:26:09.493

Reputation: 1

Answers

1

The Communications Data Bill requires service providers to keep logs. It doesn't provide for decryption of data content.

I imagine GCHQ and the SIS have ways of circumventing your VPN security if they so wish (though they may need a court order to stay within the law - RIPA etc.).

RedGrittyBrick

Posted 2012-07-01T12:26:09.493

Reputation: 70 632

1

If you assume that they do not have the capacity to break your ciphers (by default, Blowfish and RSA), that your own systems are not compromised, and that the software you use is not backdoored, they could only attack your link by tricking you into accepting a fake certificate.

You can avoid that either by using a static key (but that creates its own set of key distribution problems), or by making sure they cannot obtain a fake certificate. If you rely on some CA, you must make sure the CA will not issue fake certificates, or bypass the CA and anchor your trust directly to the certificates you know.

You should also make sure your certificates use a robust hash function (SHA-256 at least), because if the CA allows third parties to request certificates, a third party could try to create a pair of colliding certificates, one legitimate and one spoofing your identity, and transplant the signature from one cert to another.

You still need to be careful with your key lengths. In particular, 1024 bits is no longer recommended for RSA.

b0fh

Posted 2012-07-01T12:26:09.493

Reputation: 2 005
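
An added example, not part of b0fh's answer or of OpenVPN itself: a small Python audit of a client config for the points raised above (default or 64-bit-block cipher, static-key mode, and whether the server certificate is checked beyond "signed by the CA"). The sample configs, the hostname `vpn.example.net` and the finding codes are constructed; the script reads only the config file, not the certificates' hash or key size.

```python
import re

# 64-bit-block or null ciphers; BF-CBC (Blowfish) is the default the answer mentions.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "NONE"}
# Any one of these ties the session to a server certificate you chose.
SERVER_CHECKS = ("verify-x509-name", "remote-cert-tls", "verify-hash", "peer-fingerprint")

def parse_config(text):
    """Map each directive to its arguments; an inline <tag> block counts as that directive."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if inline:                      # skip key/cert material inside <tag>...</tag>
            if line == f"</{inline}>":
                inline = None
            continue
        if not line:
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline = m.group(1)
            opts[inline] = ["[inline]"]
        else:
            name, *args = line.split()
            opts[name.lstrip("-")] = args
    return opts

def audit(text):
    """Return finding codes (constructed names) for an OpenVPN client config."""
    opts, findings = parse_config(text), []
    cipher = (opts.get("cipher") or [None])[0]
    if cipher is None:
        findings.append("cipher-default")          # falls back to the build's default
    elif cipher.upper() in WEAK_CIPHERS:
        findings.append("cipher-weak")
    if "secret" in opts:
        findings.append("static-key")              # no certs; key is shared out of band
    else:
        if "ca" not in opts and "peer-fingerprint" not in opts:
            findings.append("no-trust-anchor")
        if not any(d in opts for d in SERVER_CHECKS):
            findings.append("server-cert-unchecked")  # any cert under the CA is accepted
    return findings

# Constructed sample configs.
SAMPLE_WEAK = "client\nremote vpn.example.net 1194\nca ca.crt\ncert client.crt\nkey client.key\n"
SAMPLE_PINNED = SAMPLE_WEAK + ("cipher AES-256-CBC\nremote-cert-tls server\n"
                               "verify-x509-name vpn.example.net name\n")

if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("pinned", SAMPLE_PINNED)):
        print(label, audit(cfg))
```
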