The GDPR and PECR are the controlling legislation for data security. They are both pieces of EU Legislation. So, they do not require any further member state legislation to be introduced before becoming law throughout the EU and UK. The key UK data security legislation is the Data Protection Act 2018 (DPA 18).
When the UK formally leaves the EU on 31st December 2020, the GDPR and PECR will cease to be applicable legislation. By this time, updates to the DPA 18 will have to have taken place. This then becomes the relevant legislation in this area.
How will Covid-18 impact affect the timing of Brexit changes?
Both Michel Barnier and David Frost have been struck by the virus. They are therefore unable to commence negotiations. Despite this, there is no official indication, at time of writing, that there is any delay considered in the Brexit talks. Nor has any official comment been made to imply a delay to the Brexit deadline itself. A delay is always possible.
Furthermore, the differences between the GDPR and PECR, together with the proposed UK focused alterations, are already being debated and developed. This would mean that the process of redeveloping the DPA 18 has already started.
Does this mean there will be no change to data security requirements?
In the UK, with regards to UK based/operating organisations: The current changes are relating to the applicable authority, for example, being the national authority (ICO) rather than European authority. There are understood to be no major changes to the data security requirements. As such, the basic requirements are likely to remain very similar if not identical.
In the UK, with regards to EU based/operating organisations: the GDPR and PECR will continue to list the legal requirements. In this case there will be no change at all due at the Brexit date.
 General Data Processing Regulations
 Privacy and Electronic Communications Regulations
 the EU and UK Brexit negotiators respectively