GDPR Compliance Service
After Law No. 6698 on the Protection of Personal Data entered into force in Turkey on April 7, 2016, a great deal of secondary legislation was enacted on the basis of the law. With the guidelines and decisions issued by the Personal Data Protection Board, practice began to take shape rapidly. Under Law No. 6698, all data controllers are obliged to take the necessary administrative and technical measures to process and preserve personal data lawfully and to provide access to these data in accordance with the law.
Personal data sharing channels (social media, search engines, etc.) have become an indispensable part of daily life; together with the rapid development of technology and the emergence of malicious software for data theft, this constantly threatens information security. For this reason, technical measures to comply with GDPR may require complex solutions and a holistic approach. Investing in technology at certain points in the system, purchasing software or a package, having penetration tests performed, or keeping the system up to date is not an adequate security solution on its own for GDPR compliance. Personal data security can only be ensured by producing solutions tailored to each business, taking into account the entire organizational structure and its risks.
There are a number of technical and administrative measures that data controllers should take in order to prevent unlawful processing of personal data and illegal access to personal data, and to ensure the protection of personal data. It is important to establish institutional policies and procedures (Access, Information Security, Use, Storage and Disposal, etc.) to support these measures. Data controllers should ensure that the process of determining the maximum time required for the purpose for which personal data are processed, and the deletion, destruction and anonymization process, are based on these policies and procedures. In addition, how security breaches will be managed should be clearly defined.
Although the efforts to take administrative and technical measures may seem independent of each other, we believe that the entire harmonization process should be carried out as a single project, in an integrated manner and with full harmonization in view, with the active participation of legal and technical advisors. In this way, the subject will be handled from different perspectives at every stage, and boutique, holistic, working and sustainable solutions specific to the organizational structure of the enterprise will be produced.