LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA (KVKK) entered into force in 2016.
With this Law, the procedures and principles regarding the processing of personal data were determined and placed on a legal basis.
The regulation on how the personal data of the data subject will be processed has granted many rights to data subjects and, accordingly, has imposed responsibilities on data controllers who process personal data.
A data controller can be simply defined as any natural or legal person who processes personal data.
Who is a data controller? The data controller is the pharmacy where you buy medicine, your doctor, the local grocery store, your school—in short, the people or institutions you interact with in every aspect of life.
Data controllers must take the necessary administrative and technical measures to protect personal data and must prevent data loss.
In addition, those who meet certain conditions must register with the Data Controllers’ Registry Information System (VERBİS). Because of the pandemic, the Personal Data Protection Authority extended the deadlines for registration with VERBİS, and the final deadline was set as 31.12.2021.
WHAT NEEDS TO BE DONE WITHIN THE SCOPE OF THE LAW ON THE PROTECTION OF PERSONAL DATA SHOULD BE HANDLED IN TWO STAGES.
STAGE 1:
COMPLIANCE WORK:
In this process, the data controller must identify the actions required under KVKK and take the necessary measures.
Since the process is somewhat complex and the number of actions to be taken is quite high, professional support should be obtained.
In order to carry out the compliance process, it is necessary to work with individuals or institutions that are well-versed in both technical and administrative aspects and have a strong command of the legislation. Each of the administrative and technical measures that need to be taken should be reviewed one by one, and all procedures should be fully implemented.
Any mistake made at the end of this process will result in significant financial and penal liabilities.
So to speak, an “X-ray” of the data controller must be taken, and based on the results, the necessary measures must be determined and implemented.
In this stage, which we define as Stage 1, the necessary administrative and technical measures must be taken, and the data controller must be brought into compliance with KVKK.
From this point on, Stage 2 begins.
STAGE 2:
CONTINUATION AND ENSURING THE SUSTAINABILITY OF THE KVKK COMPLIANCE PROCESS:
After initiating the KVKK compliance process and taking the necessary technical and administrative measures, ensuring the continuity of these measures is of great importance. This is because the KVKK process is a living, ongoing process.
If the technical and administrative measures taken by data controllers change in practice, the previously prepared documents and processes must be updated.
For example, an employment contract may have been brought into compliance with KVKK, but if there is a change in the legislation afterward, the employment contract will need to be updated.
If a data processing committee has been established in the data retention and destruction policy, but later the individuals in the committee leave their jobs, what should be done?
Likewise, in the event of data loss within the organization, how should the necessary applications be made?
How will personal data that is stored for the legally required periods be destroyed at the end of those periods, and who will decide on this?
What should be done in response to an application by the data subject?
This second stage, which is often overlooked by data controllers and not adequately explained to them, will lead to unfavorable consequences for data controllers in the coming period.
As explained above, data controllers who entrust the first stage to inexperienced parties who carry out the process cheaply and with only day-to-day concerns in mind will be left alone and unsupported in the second stage.
This may result in exposure to financial and penal sanctions.
Regardless of whether they are small or large, all businesses view these processes as an additional burden and try to avoid the associated costs. Due to the lack of trained personnel, the matter is often assigned to HR staff or an employee in accounting. However, HR or accounting personnel will see this task as an extra burden alongside their main duties and will not be able to properly carry out the KVKK process.
To avoid experiencing this difficult process, data controllers must work with serious solution partners who will stand by them throughout the process and take responsibility for their work.
Just as external support is obtained for accounting procedures and occupational health and safety services, professional external support can also be obtained within the scope of the Law on the Protection of Personal Data for initiating legal procedures, taking measures, carrying out processes, and ensuring continuity.
In this way, it will be possible to complete the KVKK compliance process smoothly and to maintain ongoing compliance.