‘Communication’, Preparing for the withdrawal of the United Kingdom from the European Union on 30 March 2019: a Contingency Action Plan by the EU - see page 12 regarding personal data:
"In the case of a no deal scenario, as of the withdrawal date, the transfer of personal data to the United Kingdom will become subject to the rules on international transfers in application of the General Data Protection Regulation (EU) 2016/679, Directive (EU) 2016/680 for the law enforcement sector and Regulation (EC) 45/2001 26 for the institutions and bodies of the European Union. The General Data Protection Regulation, Directive 2016/680 and Regulation 45/2001 contain a broad toolbox for data transfers to third countries. This includes in particular the so-called ʻappropriate safeguardsʼ (e.g. the Commission's approved Standard Contractual Clauses, Binding Corporate Rules, administrative arrangements) that can be used both by the private sector and public authorities. In addition, the three legislative acts mentioned above contain a number of derogations for specific situations that allow data transfers even in the absence of appropriate safeguards, for instance if the data subject provides explicit consent, for the performance of a contract, for exercise of legal claims or for important reasons of public interest. These are the same tools that are used with most countries in the world for which no adequacy decision exists. In view of the options available under the legislative acts mentioned, the adoption of an adequacy decision is not part of the Commission's contingency planning."