Post referendum, if the UK falls outside the EEA it will be treated like the US in respect of personal data flows from EU based organisations. The data can still flow but will no longer automatically be lawful, although there a number of solutions available to overcome this. Ideally, the UK would want EU recognition that it is a safe country for data, like Switzerland, making EU data transfers to it lawful again without further steps needed.
To achieve adequate protection recognition, the UK is likely to have to largely work with the planned GDPR upgrade effective May 2018 in any event, as the EU will be looking for parity with its higher GDPR (General Data Protection Regulation) standards. It will be interesting to see to what extent the EU revisits current decisions on safe countries and expects like upgrades from them. Even with GDPR, there is still room for local customisation in a number of areas, since it permits numerous “derogations” and local clarifications of its terms – so the UK like other affected countries could take the opportunity to be innovative to best meet its needs, whilst maintaining an acceptable level of safeguard for personal information. The more the UK departs from the EU norm here, the longer it will take to get the EU “safe” stamp of approval. Even with GDPR parity, adequate protection approval is not a given and may take time – although the UK does have GCHQ, it operates with legal checks and balances – and all countries use data for security purposes, including those already recognised as ‘safe’.