Let's make one thing clear from the start: the dust hasn't settled over the ECJ's decision on Safe Harbour. At the moment there are accepted facts, some things which we can define as probable and others that we have no idea about at all. To make matters a little more complicated, there is a certain degree of overlap.
1/ What we know
a/ Safe Harbour is dead. The decision is final so we have to move on.
b/ The Information Commissioner's Office (ICO) has allowed a period of transition, which we can assume means that continuing with the current arrangements will not be deemed illegal.
c/ Some data-rich American companies have been setting up data storage centres in the EU.
2/ What is still in doubt
a/ It is not clear how long this ICO safe period is. It is probable that they will await the official pronouncement from the government negotiators before deciding. However, pressure might well come from those EU countries which take data protection considerably more seriously than the UK.
b/ There is disagreement as to whether cloud-based data storage systems comply with Principle 8 of the DPA. Some commentators suggest that they probably do, although others point out that American-based cloud storage is accessible, both practically and legally, by the NSA.
3/ What we don't know
a/ It is impossible to say what the nature of the replacement for Safe Harbour will be. The NSA is not going to give up surfing information in transit to, and stored in, the USA regardless of the complaints from Facebook.
b/ It is assumed that high level negotiations are proceeding at this moment between the EU and the USA on the matter. However, no one has any idea how data transferred to the USA can be kept safe.
c/ No one has any idea how to ensure that the security of data transferred to the USA complies with Article 9.
d/ Does the ICO period of grace apply to new data sent to the USA?
Until we know what will be permitted, it is difficult to plan. Whilst we should be assessing how exposed we are, that is not planning. We need answers.