1. Binding Corporate rules - are these the only way to transfer data from inside the EU to outside the EU (to UK and EU)
No, you can transfer data based on an adequacy decision under Article 45 GDPR. This applies when the transfer is towards one country that the EU Commission considers providing an adequate level of security for the freedom and rights of individuals.
The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay as providing adequate protection.
In case of an adequacy decision, you can transfer data (being compliant with all other GDPR requirements).
In case the adequacy decision is missing you can either apply appropriate safeguards under article 46 GDPR adopting:
Standard contractual clauses approved by the EU Commission
Agreements approved by Surveillance Authorities
And (of course) Binding Corporate Rules.
2.Which EU region has the toughest interpretation of GDPR?
It is hard to say because the EU Surveillance Authorities of the 27 Member State meet in the European Data Protection Board (EDPB) where they adopt Guidelines to harmonize interpretation among EU countries and avoid different levels of interpretation.
Here you can find more information on data transfer under GDPR: