Financial services firms need to ensure they do not breach data rules in the event of a no-deal Brexit since this could cause data breaches and lead to fines, EY has warned.
While the UK Government intends to enact statutory instruments in the event of a no-deal Brexit to preserve the legal status quo for data transferred out of the UK, the European Commission has said it would not grant the UK immediate data adequacy in that scenario.
A no-deal Brexit would mean that personal data could not be sent from the EU to the UK unless firms took specific mitigating action.
The penalties for breaching the rules are high, with firms facing fines of 4% of turnover or €20m, whichever is the higher.
The Bank of England's Financial Policy Committee warned in its February 2019 meeting that the lack of data adequacy could "restrict EU households and businesses from continuing to access UK financial service providers."
It is unclear how long it would take the UK to gain data adequacy from the EU if there was a no-deal Brexit. Conversely, if there is an agreed departure deal, transfers would not be restricted through the proposed transition period to the end of 2020.
EY's own poll from February 2019 found that 24% of financial services firms see the issue of data transfers as one of their top three worries around Brexit.
Steve Holt, UK and EMEIA Financial Services Partner at EY, said: "UK Financial Services firms spent large amounts to get ready for GDPR but they must again ensure that their data systems are ready for a possible no-deal Brexit. With fines of 4% of turnover as well as the reputational damage of any misstep, it should be a key priority. Many firms have already addressed this, but time is running out for those yet to have taken the necessary steps.
"Firms also need to be aware of risks from their clients and suppliers as individual firms are still responsible for their customer data with third parties. There may also be a need to update privacy notices, as these often require explicit consent if data is transferred outside of the EU."