Fears of an imminent no-deal Brexit may have recently receded but the capricious nature of contemporary British politics mean the UK could still crash out of the EU without a deal, an outcome which would have an enormous impact on data flows.\nThe moment the UK\u00a0departs without a deal, it\u00a0will no longer hold an adequacy agreement, which authorises uninterrupted flows of personal data with European Economic Area (EEA) member states. Instead, it would be deemed a "third country" for data protection purposes. This\u00a0means businesses that share data with EEA nations\u00a0must\u00a0ensure that\u00a0they hold an appropriate safeguard\u00a0to continue\u00a0 data flows across the bloc.\nIn the longer-term, a no-deal Brexit could lead to double enforcement of breaches from both the UK regulator \u2013 the Information Commissioner\u2019s Office \u2013 and the EU's data protection authorities.\nThere would be little disruption in data transfers from the UK to the EU and the 13 countries that the European Commission has\u00a0determined to\u00a0provide adequate data protection,\u00a0subject amendments to references to EU\u00a0institutions\u00a0and procedures that no longer apply.\nFlows to the US can also continue, under the terms of the EU\u2013US Privacy Shield, as long as the companies that have signed up to the framework publicly state that they can continue.\nOther countries will need an alternative agreement. Standard contractual clauses (SSCs) are the most popular option, and\u00a0organisations\u00a0can continue to use their existing SCCs for these countries.\nImporting data from the EU to the UK will be more complicated.\nSCCs or BCRs?\nA no-deal Brexit will lead the\u00a0EU\u00a0to\u00a0no longer\u00a0recognise the UK as having adequate protections, which will force businesses in the UK to amend their SCCs.\n"It will be a tweak, but\u00a0 some organisations have hundreds of standard contractual clauses in place with all of their vendors and their suppliers, so it could be quite a big a task," says\u00a0Annabel Gillham, a partner in the global data privacy team at law firm Morrison & Foerster.\nRead next: GDPR tips for CIOs\nMultinational companies\u00a0may prefer to use\u00a0binding\u00a0corporate rules (BCRs), which\u00a0are tailored to the needs of an individual business and can be more\u00a0effective for inter-group transfers. The BCRs that they currently have in place\u00a0can be updated to ensure they apply if\u00a0the UK leaves the EU\u00a0without\u00a0a deal, but gaining approval for the rules can be difficult.\n"It takes a lot of time and effort to actually register binding corporate rules with the data protection regulator,"\u00a0explains\u00a0Gillham. "If they're not already in place, then the easiest thing to do is implement standard contractual clauses ...\u00a0If you haven't got numerous data importers and exporters then they can be really handy and easy to use.\n"If you are a huge organisation with loads of inter-group transfers all the time, it is a lot easier to just put that effort into getting binding corporate rules in place, registering them with the data protection authority and relying on them. But for no-deal Brexit purposes, if you want to do a quick patch of the situation, then standard contractual clauses are definitely easier."\nPreparation tips\nThe ICO\u00a0has published a six step plan on how ensure that data flows can continue after a no-deal Brexit and created an interactive tool that\u00a0IT business leaders can use to determine whether they can use SCCs.\nGillham advises\u00a0CIOs to focus on securing their inbound data flows from the UK from the EU and\u00a0investigate any large\u00a0volumes of data transfers as well as\u00a0information that is particularly sensitive, such\u00a0as employee and criminal data.\n"Try and fix those by amending the standard contractual clauses," she suggests. "That is the absolute priority. Another thing I would do is look at the flows across Europe. If you're a UK business and you don't have establishments in the EU, so you are UK-based but do sell into the EU, you should look at the possibility that both regimes will still apply to you. Just because you're only based in the UK doesn't mean that the EU GDPR will not apply anymore. It probably still will, so I would start looking at that.\nRead next: How CIOs are ensuring GDPR compliance\n"If you're not established in the EU, don't assume that the EU GDPR will stop applying, and take take legal advice on the applicability of both regimes and what you might do to try and mitigate it."