NARDC PRIVILEGE IN KVKK CONSULTING
What is Personal Data?
Important information that contributes to the identification of an individual such as ethnic origin, political opinions, religious beliefs, commercial relations and memberships, genetic data including biometric data, health information is defined as personal data. In this context, not only the information that provides the definitive diagnosis of the individual, such as the name, surname, date of birth and place of birth, but also information about the person's physical, familial, economic, social and other characteristics are considered personal data. The fact that a person is specific or identifiable means making that person identifiable by associating existing data with a natural person in any way. That is, the data; It covers all situations that enable the identification of the person as a result of carrying a concrete content that expresses the physical, economic, cultural, social or psychological identity of the person or associating it with any record such as identity, tax, insurance number. Data such as name, phone number, motor vehicle license plate, social security number, passport number, resume, picture, image and sound recordings, fingerprints, genetic information are personal data due to their ability to make the person identifiable, even if indirectly.
(Draft Personal Data Protection Law (1/541) and Justice Commission Report)
Regulations Brought by KVKK
The Law on Protection of Personal Data No. 6698 introduces regulations to prevent the processing of personal data without the consent of the owner. According to this law, it is considered a crime to process data of individuals without their consent.
If the relevant institution wants to obtain the consent of the individual, it must provide clear and understandable information about what type of data it will receive and for what purposes. At the same time, this information should cover the issues with whom the data will be shared and how long it will be stored.
The Personal Data Protection Board, which was established to carry out this regulation, will register and regulate the institutions that collect/process the data with the KVK Law No. 6698. Data owners who have problems with the institutions that receive and process/operate their information will be able to apply to this official institution and file a complaint. This board is defined as an institution that has the authority to impose sanctions such as fines with six zeros to institutions that do not apply the rules, some of which are mentioned above, and even paving the way for prison sentences for faulty, negligent and malicious officials in some cases.
Which Institutions Are Interested in KVKK?
Every institution that receives and stores the personal data defined above that can be connected to a real person is within the scope of this law. For this reason, institutions operating such processes need to carry out a series of studies to comply with the law.
What to Do for Compliance with the Law
The works to be done can be listed as follows:
- Ensuring security functions such as confidentiality, integrity and accessibility of all information assets, ie working according to Information Security Management System (ISMS) standards - Creating strategies to determine the types of data received / to be received from customers - Creating a data inventory - Retrospectively - structured in network systems / to identify ALL unstructured data- To classify recorded personal data according to their characteristics- Retrospectively- to reach ALL customers whose data are desired to be stored and to inform customers about the intentions of the institution- To obtain the consent of employees and customers who are informed about the purposes of data processing by reasonable methods- All of the above is sustainable Developing technologies, policies and systems to implement the To carry out effective studies such as Penetration / Penetration Testing - Internal audits, Penetration Testing, etc. To contribute to the sustainability of the corporate management system with the results to be obtained after the applications.