Are you sure your company is not subject to GDPR?
Is your organization compliant with the Personal Data Protection Law (KVKK) and the EU’s General Data Protection Regulation (GDPR)?
While many organizations in Turkey work to comply with the KVKK, they usually overlook that they are also subject to the GDPR. As a result, organizational measures such as confidentiality, security and personal data protection controls, policies, agreements and similar instruments are developed only in line with local regulations. However, failing to comply with the EU regulation carries an essential risk. As CottGroup®, we manage your compliance with both regulations.
An essential problem with most consultancy services is that they provide guidance in only one direction when building the legal infrastructure for KVKK and GDPR compliance, most commonly because the consultancy company lacks technical knowledge and qualifications. In fact, important criteria for a consultancy company are its command of the terminology and its experience in the legal system as well as in hardware, software and other technical subjects. The process runs more consistently and without issues when the consultancy company has top-level experience in personal data management.
To begin with, it is essential for companies to determine which legal regulation they are subject to. Article 3 of the GDPR clarifies this matter: not only institutions in EU countries are subject to the regulation; institutions in other countries are liable as well. Regardless of its location, every institution that conducts business with EU countries, sells products or services to EU citizens and/or EU residents, uses one of the EU languages, and processes personal data of EU citizens is subject to the GDPR. Besides, KVKK and GDPR compliance are not one-time requirements. On the contrary, companies are required to organize their business-as-usual activities in accordance with these criteria and apply them consistently. Both the KVKK and the GDPR enforce serious penalties against data controllers who violate the regulations. In particular, penalties imposed under the GDPR can reach €20 million or 4% of the company’s annual global turnover, whichever is higher.
Security-related obligations dictated by the KVKK and the GDPR deserve serious attention. Every institution that monitors or processes personal data is required to assign a Data Protection Officer (DPO). Destruction procedures and cookie policies are also important under the regulation to which the company is subject. After determining which institutions are subject to which regulation, institutions should organize their destruction and cookie policies in accordance with the characteristics of the data they hold. Moreover, institutions should not neglect the data transfer and security procedures to be followed when sharing data with employees, clients and others. For instance, if sensitive data is to be shared with employees, the necessary training on data processing and transfer must be provided in advance.
Is your data safe? Have you taken the necessary precautions?
Do you have your:
- Data inventory
- Destruction policy
- Disclosure on data transfer policies
- Data transfer protocols