Most Accurate Solutions and ApproachesFor Your Data Inventory

What are the types of your data? Where are they stored? Who has access? Have you specified the retention periods?

Not being aware of in which environments the collected data is stored and how it is shared with other parties, is like travelling offshore.

The most important need of an organization for data management; moreover, the starting point of the data management, is to have knowledge about the scale, location, sharing and lifecycle of the data.

The private sector and public institutions obtain, process and store many personal data in order to carry out their core activities. Organizations that desire to expand their economic activities naturally access more personal data and be in the position of sharing it with third parties. If the management model of the data is not adequately constructed, as the data increases, the risks to keep it safe and the measures to be taken increase, as well.

The expert teams of Verisistem® complete the data inventory studies quickly thanks to their superior knowledge in this field, which can be quite detailed according to the scale of data processed and the parties you share. In addition, inventory service is included in the scope, if all end-to-end personal data protection law compliance studies are in progress.

Envanter Çalışması ile İlgili Çeşitli Tanımlar

Various Definitions Related to the Inventory Study

Inventory study on personal data is not an easy process. However, it cannot be argued that the results of this study, which is spread over time, will become a unique entity in terms of the operation of the organization.

The inventory work on the protection of personal data is defined in Article 4, paragraph 1 (h) of the Regulation on the Data Controllers’ Registry published in the Official Gazette dated 30.12.2017. Later, the scope was changed with various arrangements.

In these regulations, Inventory is described as "the inventory in which the measures taken regarding data security are explained and elaborated as data controllers perform personal data processing activities depending on business processes; their purposes of processing personal data and its legal ground, data category they create by associating with the recipient group of transmission and group of persons subject data and the maximum retention period required for the purposes which personal data processed for and personal data which are intended to be transferred to foreign countries."

Envanter Çalışması ile İlgili Çeşitli Tanımlar

Why Should You Prepare a Data Inventory?

The obligation to prepare the inventory is the preparation of infrastructure for compliance with the Law in the business processes related to the activities of the data controllers. In other words, it is to serve easily to determine whether there is a personal data processing that is incompliant with the Law. Thanks to this inventory, the data controller has also the opportunity to self-audit regarding the legal compliance of personal data processing activities.

The aim is to convert the data into information and to transform it into understanding.

Carly Fiorina  HP, Former chief executive officer
Envanter Çalışması ile İlgili Çeşitli Tanımlar

Is it a Legal Obligation to Prepare Data Inventory?

For the reasons mentioned above, it is important to take technical and administrative measures properly in terms securing personal data. Therefore, it will be easier for organizations to classify their data assets beforehand. However, the law also imposed obligations in this field;

According to Article 5, paragraph 1 (d) of the Regulation on the Data Controllers' Registry, the provision "Data controllers (*) who are obliged to register at the Registry, are obliged to prepare Personal Data Processing Inventory. Data to be disclosed to the Registry during the registration applications, is prepared based on the Personal Data Processing Inventory", in paragraph (d) the provision "In the obligation of information defined in Article 10 of the Law for the data controllers, in responding to the applications of the person referred to in Article 13 of the Law and determining the scope of the express consent to be announced by the relevant persons, the data submitted to the Registry and published in the Registry shall be taken as basis based on the personal data processing inventory." takes place.

(*) Amendment has been made in paragraph (ç) with the Article 2 of the Regulation on the Amendment of the Regulation on the Data Controllers’ Registry published in the Official Gazette dated 28.04.2019.

Click here to see the criteria for VERBIS Registration

Envanter Çalışması ile İlgili Çeşitli Tanımlar

Is it compulsory to prepare data inventory according to GDPR?

According to GDPR, there is no obligation to prepare data inventory, but due to the nature of the process, data inventory is "required". Because GDPR asks which data is managed, recorded, shared. In addition to this, enterprises with more than 250 people have to keep the record of data processing activities and show them during the audits.

Article 30, paragraphs 1 and 2 of GDPR listed the requirements for data processing activities. According to this;

Name and surname of the data controller, DPO and representatives

Purpose of data processing

Categories of data subject's processed data

Data transfer parties

Retention periods

Technical and administrative measures

The differences between the conventional Data Retention and the "Transaction Records" mentioned in the GDPR are, for example, as follows;

Data Retention (Saving, storing)

It is important which records we keep in which systems. For example, customer contracts are located on the cloud server named "ABC" in Istanbul.

Who has access to data? For example, who can access supplier data stored in our servers in Ankara? With which authorization can they access to this data?

Transaction Records (Data processing records)

GDPR looks for answers to “how” and “why” questions. Why are these records kept, what is the purpose and how are they kept?

Which departments have access to data and why is this needed?