Financial services firms need to be aware of rule changes in the event of a no-deal Brexit which could cause data breaches and lead to hefty fines, EY has warned.
The UK Government says it intends to enact statutory instruments in the event of a no-deal Brexit to preserve the legal status quo for data transfers out of the UK.
However, the European Commission has said it would not grant the UK a data adequacy decision immediately in the event of a no-deal Brexit.
A no-deal Brexit would therefore mean personal data cannot be sent from the EU to the UK unless firms have taken specific mitigating action.
The penalties for breaching the rules are high, with firms facing fines of 4% of turnover or €20 million, whichever is higher.
The Bank of England’s Financial Policy Committee warned in its February 2019 meeting that the lack of data adequacy could “restrict EU households and businesses from continuing to access UK financial service providers.”
It is unclear how long it would take the UK to obtain a data adequacy decision from the EU after a no-deal Brexit. If a deal is agreed, transfers would not be restricted during the proposed transition period, which runs to the end of 2020.
EY’s own polling, from February 2019, found almost a quarter (24%) of financial services firms see the issue of data transfers as one of their top three worries around Brexit.
Steve Holt, UK and EMEIA financial services partner at EY, commented: “UK financial services firms spent large amounts to get ready for GDPR but they must again ensure that their data systems are ready for a possible no-deal Brexit. With fines of 4% of turnover as well as the reputational damage of any misstep, it should be a key priority. Many firms have already addressed this, but time is running out for those yet to have taken the necessary steps.
“Firms also need to be aware of risks from their clients and suppliers as individual firms are still responsible for their customer data with third parties. There may also be a need to update privacy notices, as these often require explicit consent if data is transferred outside of the EU.”