Do Your Security Measures Meet KVKK Requirements?
PERSONAL DATA PROTECTION COMPLIANCE CONSULTANCY
Thanks to end-to-end KVKK compliance and data protection solutions offered by VeriSistem®, you can step into a more successful digital future by securing your processes regarding personal data.
New technologies have brought significant changes to our daily lives, and these changes are reflected in new rules and laws on privacy and security. Today both public institutions and the private sector hold various kinds of information about thousands of people in the course of their business, and rapid developments in information technology make that information easy to process and transmit.
This transformation has raised the privacy and security requirements placed on companies and made digitalization inevitable; many organizations also treat this necessity as an opportunity for "technological restructuring". Since the Turkish Personal Data Protection Law (KVKK) was introduced in 2016, organizations that lacked sufficient infrastructure and expertise in privacy and security have had to focus on this area.
Personal data protection is directly related to one of the fundamental human rights: the right to privacy. Before KVKK, the rules on personal data protection were spread across the Turkish Criminal Code, the Constitution and other relevant legislation. The Personal Data Protection Law No. 6698 is now the primary legal regulation in this area, and the one carrying the most severe sanctions.
What is KVKK?
Personal data rules and regulations defined for Türkiye
Turkish Personal Data Protection Law
April 07, 2016
Our consultancy services on the Turkish Personal Data Protection Law identify the risks that may arise from legal non-compliance and help you take the technical and administrative measures needed to process and protect all kinds of personal data lawfully.
Legal responsibility and basic principles
Negligence and breach of personal data protection obligations expose organizations to heavy administrative and criminal liability. For example, as of 2023, administrative fines of up to 600,000 TRY apply for breach of the disclosure obligation and up to 6,000,000 TRY for breach of the VERBIS registration and notification obligation. Under the Turkish Criminal Code, failing to destroy personal data within the statutory period is punishable by imprisonment of up to 2 years, and other unlawful handling of personal data by imprisonment of up to 4 years. GDPR non-compliance is likewise penalized heavily, with fines of up to 4% of the company's total worldwide annual turnover for the preceding financial year or up to 20,000,000 EUR, whichever is higher.
The basic principles for the processing of personal data apply to every data processing activity, and every such activity must be carried out in accordance with them:
Lawfulness and fairness (processing in good faith and honesty)
Accuracy and, where necessary, being up to date
Processing for specified, explicit and legitimate purposes
Being relevant, limited and proportionate to the purposes for which the data are processed
Data minimization: storing only the minimum data needed
Retention only for the period required by law or by the purpose of processing
In the KVKK compliance process, awareness of privacy and security should be built first, and data security should become part of the corporate culture. Organizations exchange personal data in many areas, from production to the sale of products and services and from purchasing to financial processes. To give a sense of scale, the population of Istanbul was over 15 million in 2018, and personal data and sensitive personal data of everyone living there are processed for various purposes. This illustrates the sheer volume of personal and sensitive personal data in circulation.
What can you achieve with digital transformation and compliance process?
Heavy penal sanctions, cyber threats, and the information society's demand for fast and unlimited access to information have made digital transformation a necessity. Organizations that complete their technical and administrative compliance work within the compliance period gain the following commercial advantages.
Organizations that complete the compliance process and protect their data, and so meet their obligations by establishing privacy and security policies, procedures and infrastructure improvements, achieve a significant reduction in risk.
Today digitalization is the most important component of customer satisfaction. Fast and secure digital interaction between clients and the organization greatly enhances loyalty and trust.
Fast and secure sharing of accurate information increases agility within the organization as well as employee commitment and trust.
The data you must keep confidential are generated through exchanges of information between you and your employees, their families, clients, suppliers and other third-party organizations. Digital transformation requires fundamental changes in the services you provide across all areas of your business and in operations of every kind. This new culture can only be established by radically changing the status quo that provides administrative and operational comfort in your organization.
Penalty fines imposed in case of KVKK breach
Breach of the disclosure (information) obligation
Breach of data security obligations
Non-compliance with decisions of the Personal Data Protection Board
Breach of the VERBIS registration and notification obligation
Sanctions arising from the Turkish Criminal Code
Unlawful processing of personal data
Unlawfully providing or obtaining personal data
Failure to destroy personal data within the period specified by law
At the center of the Turkish Personal Data Protection Law is an organizational discipline made up of the administrative and technical measures relating to data protection. To embed this discipline in every stage of the organization, the digitalization roadmap must be specified in detail.
The technical measures proposed in the guidelines of the Turkish Personal Data Protection Authority are summed up as follows:
User Account Management
Intrusion Detection and Prevention Systems (IDS & IPS)
Data Loss Prevention (DLP) Software
Up-To-Date Anti-Virus Systems
Deletion, Destruction, or Anonymization
The administrative measures proposed in the guidelines of the Turkish Personal Data Protection Authority are summed up as follows:
Preparation of Policies and Procedures
Preparation of Personal Data Processing Inventory
Compliance with General Principles
Relationship Management with Data Processors
How does the KVKK compliance process progress?
Strategic planning, gap analysis, questionnaires
Preparation of data inventory and identifying responsibilities
Review and development of policies and procedures
Submission of compliance report
Governance, monitoring, auditing, and updates
Readiness Assessment (Gap Analysis)
In order to complete a successful compliance process, we analyze the current situation of the organization in detail and prepare a roadmap covering all stages.
Scored assessment with graphical analysis of the current situation
Audit checklist prepared from the results of the assessment
Process checklist (which data are used, where, and for what purpose)
Review of the Binding Corporate Rules (BCR) governing the transfer and protection of the data you transfer abroad, with improvements where needed