Creation of KVKK Culture and Compliance Process of Companies
This article covers the creation of a KVKK culture and the compliance process of companies: the methods companies should follow, the precautions to be taken and the action plans. KVKK, in other words the Law on the Protection of Personal Data, was published in the Official Gazette in 2016 and entered into force. After a 2-year harmonization period, all provisions of the law became applicable as of April 2018. With KVKK, the selling of personal data over the internet, together with the international jargon term “Big Data”, has gained more importance. Similar laws, based on the relevant directives, have been created and implemented in our country and around the world.
Why is KVKK Study Needed?
Following the entry into force of the law and the completion of the harmonization process, 3 separate regulations were published and the Personal Data Protection Board was established. Companies thus became obligated to work on the protection of personal data. To create this culture, companies have taken on various obligations such as training, taking precautions, and arranging consent with their employees. In addition, companies are required to add clauses within the framework of personal data protection law to all contracts concluded with their suppliers, business partners and individuals.
In our country, in accordance with the provisions of the "Regulation on Data Controllers" published in the Official Gazette in 2017, it is obligatory to plan this work in accordance with the VERBIS system and to have a data map drawn up during registration to the VERBIS system.
Culture Creation and Adaptation Process
The creation of a KVKK culture and the adaptation process are implemented in different phases for companies. The phases are as follows:
• The first phase of harmonization with the Law on the Protection of Personal Data consists of establishing the basic infrastructure. Although this process varies from company to company, it is completed in an average of 8 months.
• In the second phase of the KVKK compliance process, guidance services are provided on important situations that the employer may encounter. This phase is completed in an estimated 12 months.
There are also different areas of analysis applied throughout the harmonization process. These areas are:
• Appointment of data controller,
• Creating personal data inventory,
• Training (such as awareness training),
• Preparation of policies and clarification texts,
• Data regulation,
• Transfer of the record to the registry of the data controller,
• Establishment of systemic and physical security measures.
Penalties for Violation of KVKK Legislation
Articles 17 and 18 of the law provide for serious prison sentences and fines where the legislation within the scope of the Personal Data Protection Law is not complied with. According to Article 17 of this law, if personal data is not deleted and anonymized, a prison sentence of between 1 and 2 years is given as per the Turkish Penal Code. It is also stated that if personal data is recorded unlawfully, there is a prison sentence of 1 to 3 years. Pursuant to Article 18 of the law, a fine of up to 100,000 TL is imposed in case of breach of obligation. Apart from this, companies are fined up to 1,000,000 TL if the data controllers are not registered.
The persons responsible for these penalties applied to companies in case of violation of KVKK Legislation are as follows:
• Chairman of the Board of Directors
• Board members
• General Manager / Company Manager
• Unit managers authorized by the signature circular and persons authorized to represent the company directly or indirectly.
What Companies Should Do Against KVKK Legislation
Initiating audits with the Data Protection Board established for KVKK is among the priority steps. There is a lot of work to be done to meet the legislation. It is vital to carry out this work effectively and practically with professionals who have a good command of corporate law. In addition, there are provisions that companies must fulfill in the field of informatics. Companies need to carry out work to ensure the security of data accumulated over time. In accordance with KVKK, the stages of creating, storing and destroying data should follow a specific plan. It is very important to create security and privacy policies within this plan. A high level of protection is necessary against external factors such as third parties and malicious attacks.
For this reason, companies in the field of informatics need to give more importance to infrastructures. Based on the Personal Data Protection Law,
• Cyber security,
• IT field monitoring of Personal Data Security,
• The security of the environments where Personal Data is located,
• Correct cloud storage,
• Development and maintenance,