How to Prepare a Data Inventory List?
Law No. 6698 on the Protection of Personal Data (KVKK), the legal framework for the processing of personal data, entered into force on March 24, 2016. Secondary regulations under this law were subsequently published. The most important of these are the Regulation on the Data Controllers Registry and the Regulation on the Deletion, Destruction and Anonymization of Personal Data. These regulations, which came into force as of January 1, 2018, impose some obligations on data controllers. One of the most important of these is the obligation to prepare a personal data processing inventory.
What is a Personal Data Processing Inventory?
The relevant regulation defines the inventory as follows: an inventory of the personal data processing activities that data controllers carry out depending on their business processes, covering the purposes and legal reason for processing, the data category, the recipient group to which data is transferred and the data subject group, and detailed by explaining the maximum storage period required for the purposes for which personal data is processed, the personal data planned to be transferred to foreign countries, and the measures taken regarding data security. From this long and detailed definition, we can draw out the following important points about the personal data processing inventory:
• Data controllers should evaluate all processes in the processing of personal data.
• The inventory should detail all activities.
• It should specify separately every piece of information that falls under the category of personal data.
• It should explain why this data is processed and which legal procedures are followed in doing so.
• If the information is transferred somewhere, it should state to whom, why and when it was transferred.
• It should specify how long personal data is kept and the security measures taken for its protection.
The personal data processing inventory is a report prepared by data controllers that covers the points above. The features the inventory should have and how it should be prepared are also important.
How is a Personal Data Processing Inventory Prepared?
We can summarize what needs to be done during the inventory preparation process as follows:
• Detection of personal data
• Determining what characteristics this data has; for example, identity information, health information, member organizations, contact information, personal information, etc.
• Determining the legal basis on which this data is processed
• Demonstrating the purpose of data processing
• Determining which group of people the data covers; for example, identifying groups such as students, employees, association members, customers, suppliers
• Determining the retention period for the personal data
• If personal data is transferred to another natural or legal person, recording information about the transfer and indicating its legal reasons
• If there are transfers to foreign countries, recording information about that process
• Explaining all the security measures taken to protect the confidentiality of personal data and the effectiveness of these measures.
What is Data Security?
The KVKK specifies the scope of data security as preventing the illegal access to and processing of personal data and ensuring that this data is stored securely. Data controllers therefore have to take all kinds of administrative and technical measures to ensure an adequate level of information security. As stated in the law, the measures to be taken fall into two groups: administrative and technical.
Administrative Measures for Data Security
These measures may differ according to the field of activity of the data controller, the purpose of storing and processing the information, the type and scope of the data. However, we can state that the following measures must be taken in terms of information security:
• Identifying the risks and threats of personal data being stolen, transferred elsewhere without permission, or processed outside the rules written in the personal data processing inventory
• If the data controller is a legal person (company, association, foundation, municipality, public and private sector organization, etc.), providing training on data security to employees
• Determining concrete procedures and policies regarding information security
• Avoiding the storage of unnecessary data; keeping the amount of stored and processed data to a minimum
• If a service is outsourced for data security, maintaining relations with these individuals or institutions on a secure and legal basis
Technical Measures to be Taken for Information Security
The most important of these measures are:
• Taking deterrent and effective measures against cyber attacks
• Continuous monitoring of all platforms and software containing personal data
• Ensuring the security of these environments at the highest level
• Regular backup of personal data
• Using the most up-to-date systems, installations, equipment and software in information technologies; regular maintenance services of the association
The person acting as the data controller will talk about the fact that he/she will be on the other hand, only about the person concerned, in case of a real or real information problem. This improvement should be given due attention to the issue of data security.