What you need to know about KVKK data-privacy requirements

Cumhur Keles, Data Security Evangelist, CyberRes

As the data-privacy landscape continues to change, most organizations that do business in the European Union have done what they need to do to avoid being penalized under the EU's GDPR data regime, but new challenges continue to arise. In particular, the GDPR is influencing the regulatory and enforcement actions of jurisdictions in nearby countries that are not EU member states.

Turkey is one such nation, although its data-protection law, known in Turkish as Kişisel Verileri Koruma Kanunu (KVKK), predates the GDPR and is more closely modeled on the GDPR's predecessor, the EU Data Protection Directive 95/46/EC. Signed into law in 2016, the KVKK has been largely unimplemented. Starting January 1, 2022, however, covered entities of all sizes, both private and public, that haven't signed up with the Turkish Data Protection Agency's VERBIS registry can face administrative fines of up to TRY 1,802,000 (around US$213,000) and even restrictions on their data processing activities.

The mandate applies to all organizations registered in Turkey as well as those outside the country that collect and process data on Turkish residents. The original VERBIS registration deadline was September 2019, and although it has been moved back twice, data controllers should not delay meeting requirements on the assumption that the deadline will be moved back yet again.

Organizations that operate in Turkey need to implement plans for meeting the requirements of the mandate, starting with VERBIS registration. How does this affect your organization? Here's what your team needs to know about the KVKK. 

Protecting PII, Turkish style

The KVKK (Law on the Protection of Personal Data No. 6698) is designed to protect any personal information belonging to an identified or identifiable person. It requires organizations to, among other things, obtain informed consent from data subjects before collecting their personally identifiable information (PII) and to make sure the data is processed lawfully, is kept up to date, is accurate, and is processed only for specific, legitimate, and explicitly stated purposes. The mandate gives data subjects specific rights over their personal data and how an organization might use it. The KVKK offers special protections for certain categories of data, such as data relating to health, race, ethnicity, religion, and membership in organizations.

Because the KVKK predates the GDPR, it differs from it in several respects, but even as enforcement gets underway, there are plans to bring it into closer alignment with the GDPR. In June 2021, KVKK President Faruk Bilir announced those plans as a preparatory measure should Turkey be accepted as a full member of the European Union. At the same time, Bilir announced the Turkish DPA's intention to increase enforcement action against organizations that fail to comply with the KVKK.

Opportunity for change

The KVKK has forced Turkish organizations to review and revise their data collection and processing habits. Formal data governance practices remain relatively rare for most private and public entities in Turkey except for those in heavily regulated sectors such as telecommunications, finance, and energy. Generally, prior to the KVKK, a definition of personal data did not exist or had only very limited coverage. Companies often collected and stored a huge amount of data with little attention to why they were collecting it and how they were using, storing, and deleting it. Data controllers that were aware of potential risks associated with the data simply swept it under the rug.

Many of these organizations likely perceive the KVKK as a burden they must comply with to avoid sanctions and penalties. A better approach is to think of the mandate as an opportunity to understand what kind of data your organization has and to realize significant operational gains by deleting data that is unused, that should not be used, or whose storage term has expired.

Registration with VERBIS is an important requirement for complying with the KVKK. VERBIS requires organizations to manage their personal data activities in a structured way. Importantly, the declarations that organizations make about their data management practices in VERBIS are public: anyone can see any organization's declarations related to PII through the public VERBIS web site.

VERBIS registration is mandatory and requires organizations to submit a detailed inventory of their data, including types of data subjects, types of data collected and processed, and the purpose and legal basis for collecting the data. As part of the VERBIS registration process, data controllers are required to identify the technical and administrative controls they have in place for complying with the KVKK. The purpose of the registration requirement is to ensure that companies in Turkey fully understand what kind of PII they possess and the kind of controls that are required to protect it.

Organizations that process PII need to determine what kind of information they are storing, all the departments that are using the data, who has permissions to see the data, and whether the data is going to be transferred outside Turkey. The KVKK gives every Turkish citizen the right to be informed about their data and whether the company is storing the data according to the law.

When a data subject asks for access to their own data, the data controller has 30 days to provide the information. Consent management is another big issue. The KVKK requires companies to collect consent from data subjects and to provide evidence of having collected that consent. All retention policies are required to be clearly defined under the related law. The company should follow appropriate data lifecycle management practices and delete or archive data after the required storage period has expired.

How to rise to the challenge

You cannot protect data you don't know about. Organizations often have a surprising amount of information that they are not using and often did not even know they had collected. Often, they have no idea what to do with the data or even whether it falls under the KVKK definition of PII. So the first step in your compliance journey must begin with discovery. You need to look for and identify PII not just in your structured databases but also in your unstructured data such as documents and files.

When an organization discovers unknown data it has collected, someone must determine whether it is PII and whether to delete or store it. The regulation requires a lot of changes in processes. Some principles it sets out, such as privacy by design, privacy by default, security by design, and security by default, will require organizations to make fundamental changes to the way they collect, process, store, and delete personal data.

Often, the exercise can result in organizations identifying and deleting a lot of unnecessary data in their environment, freeing up storage space, and cleaning up and categorizing the other data they own.

You then need to understand and, if necessary, revise your retention policies to ensure data is being stored and managed through its lifecycle in a manner that is compliant with the KVKK. Measures can include implementing controls such as data encryption and format-preserving encryption to ensure that sensitive data is secured while also enabling it to be processed as required for business purposes. The shift to a more distributed work environment because of the COVID-19 pandemic means that your organization now must also think about how to protect remote access to sensitive data.
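The discovery, classification and retention steps above, as an added illustration that is not part of the original article: a small Python scan over constructed sample documents that flags PII and the KVKK special categories the article names, decides whether a record has outlived its declared retention term, and computes the 30-day deadline for a subject access request. The file contents, patterns and retention periods are assumptions for the example.

```python
import re
from datetime import date, timedelta

# Constructed sample "unstructured" documents (not real data).
DOCS = {
    "hr/notes.txt": "Employee Ayse: health report attached, religion: unspecified, contact ayse@example.com",
    "sales/leads.csv": "name,email\nMehmet,mehmet@example.com",
    "ops/readme.txt": "Deployment checklist, no personal data.",
}

# Assumed detection patterns; a real scanner would use validated identifiers and a classifier.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\+90\s?\d{3}\s?\d{3}\s?\d{2}\s?\d{2}"),
}
# Special categories the article lists as receiving extra protection under the KVKK.
SPECIAL_CATEGORY_TERMS = ("health", "race", "ethnicity", "religion")


def discover(docs):
    """Return {path: {"pii": [...], "special": [...]}} for every document holding PII."""
    findings = {}
    for path, text in docs.items():
        hits = {name for name, pat in PII_PATTERNS.items() if pat.search(text)}
        # Whole-word keyword match so "race" does not fire on "trace".
        special = {t for t in SPECIAL_CATEGORY_TERMS if re.search(rf"\b{t}\b", text, re.I)}
        if hits or special:
            findings[path] = {"pii": sorted(hits), "special": sorted(special)}
    return findings


def retention_action(collected_on, retention_days, today):
    """Lifecycle decision for a record under its declared retention term."""
    expires_on = collected_on + timedelta(days=retention_days)
    return "delete_or_archive" if today > expires_on else "retain"


def dsar_deadline(received_on):
    """The controller has 30 days to answer a data subject's access request."""
    return received_on + timedelta(days=30)


if __name__ == "__main__":
    for path, info in discover(DOCS).items():
        print(path, info)
    print(retention_action(date(2021, 1, 1), 365, date(2022, 6, 1)))
    print(dsar_deadline(date(2022, 1, 3)))
```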

Make compliance an opportunity

Compliance with the KVKK is not a one-time task; it is an ongoing, continuous effort. But instead of approaching it as a burden, think of it as an opportunity to implement better information governance practices, improve operations, and reduce your overall risks.
