Selin OZBEK CITTONE
Attorney at Law / Managing Partner
07 February 2017
Before we start, we must simply answer why data security has suddenly become so important for Turkish companies. The reason is that, on 7 April 2016, the Turkish Data Protection Law (“Law”) introduced data security obligations for all data controllers. The Law, unlike the EU legislation, also imposed joint liability on data controllers and data processors, and further set forth administrative fines for failure to secure the personal data processed. Under the Law, any person that breaches the obligation to secure data may be subjected to an administrative fine ranging from TRY 15,000 to TRY 1,000,000 for each breach. There is no doubt that the consequences of such a fine may be destructive for companies.
Most small to mid-size companies lack the experience and resources needed to manage the plethora of security, privacy, and compliance issues inherent in their business. Nevertheless, the legal and business implications of poorly managed privacy and data security practices are too important to ignore. Here are 10 common privacy and data security mistakes that companies must avoid.
Too frequently, company management and boards fail to pay sufficient attention to the significant problems that will arise from a company’s failure to provide adequate security or to comply with applicable privacy laws.
With very harsh penalty provisions introduced by the Law, it is realistic to expect that litigation involving privacy and security will soon become mainstream for Turkish companies.
We also foresee a rising number of shareholder actions for breach of fiduciary duty stemming from failure to supervise the company’s activities related to privacy and security, such as lack of compliance or failure to meet commonly used practices.
Some companies pay little attention to the fact that businesses are governed by a wide range of laws and standards, and are expected to operate within commonly accepted practices. Among other things, they may ignore that the collection, use, and processing of most personal information in Turkey is now regulated. Ignoring these laws may lead to significant errors and trouble.
Ignoring privacy or security obligations may also come back to haunt a company when it meets its first major customer or business partner. It may receive a superb offer for a contract with a large company that requires certain assurances of compliance with applicable laws. Under the new data privacy and data security regime in Turkey, even a start-up will be expected to have in place the same levels of protection, awareness, and maturity as its larger client. If it does not have the proper structure in place for its operations to be compliant with applicable laws, it will struggle to meet that client’s expectations, and may have to create in three months what it should have built over three years. If it cannot meet the client’s standards, it will not be able to sign the contract.
Many companies may elect to ignore their legal obligations because they are small and can easily fly under the radar. They might be able to fly under the radar for a short time, but not for long.
Litigants and enforcers should not be expected to be particularly sympathetic to a defense based on the size of a company. They will be more focused on the actual effect that the mistake, abuse, security incident, or legal violation may have on the public at large. If they determine that the effect is significant, the fact that it was caused by a five-person company is likely to be irrelevant.
Companies may think that their ability to succeed requires that they be nimble. They may believe that policies and processes slow them down and are not for them.
In the absence of rules defining who is allowed to access certain information or what uses are restricted, employees, subcontractors or visitors might inadvertently access highly confidential or sensitive data and misuse it. Policies and procedures provide a frame of reference and guidelines that show how to proceed, and help make decisions faster. When properly applied, they can increase efficiency and reduce errors because they help build harmony and unity of actions around the company’s goals.
Many companies hire third parties, outsource some functions, or locate operations in the cloud, because they do not have sufficient resources to hire personnel or to purchase equipment. In doing so, they may think they have passed on to those third parties the responsibility for their data. However, the company that initially collects the data remains primarily responsible for anything that happens to the data. The entity that the customers know – not the obscure service provider – will be the one that will be sued or investigated if data is illegally processed or inadequately protected. It will be the one whose reputation and trustworthiness will be at risk.
Turkey now requires that companies provide adequate protection for the data in their custody. A company’s size is not an excuse for failing to seek the proper resources, technologies or experts to ensure the adequate level of security adapted to the nature of the data stored or processed by an entity.
Security breaches are to be avoided by all means. They are significantly disruptive. A company that has implemented a well thought-through, written security program will be less exposed to potential security breaches and to their significant consequences.
A data controller company that has suffered a security breach will be required to disclose the occurrence of the breach immediately to the data subject and to the Data Protection Board (“DP Board”). The DP Board may then decide to disclose such breach publicly on its website or by other means. When the DP Board becomes aware of the breach, an investigation of the company’s practices may follow, resulting in significant cost and disruption.
Some companies tend to collect too much data just because “we may need it later” and “storage is cheap.” The more data a company has in its custody, the more vulnerable it is to legal violations and security breaches.
Collecting too much data can cause a compliance issue; some laws require entities to collect only the minimum amount of data necessary to achieve a stated purpose. Additionally, holding a lot of data can become a significant burden. For example, the Law grants individuals the right of access to the data that a company holds about them. In case of an individual’s request for access, the company will be required to provide copies of files that may be located in different locations, on different devices, or in different formats. The more data a company has, the more time and data experts it will need to retrieve it. Collecting a massive amount of data also creates significant security risk: the larger the volume of data, the higher the probability that it will be stolen.
If you were to run a marathon, would you borrow your neighbor’s shoes? No. You would be concerned that they would not fit you. You would fear that you could be hurt and unable to continue for the entire distance. Similarly, a borrowed privacy statement likely will not fit your company and may significantly hurt you in your race to the customer. It will not reflect your company, its values, its practices, or its objectives. It will state commitments other than those you would want to make.
When discussing personal data protection, it is common to hear: “We don’t have any personal data, our data is anonymized, and it cannot be tied to an individual.” This is a significant mistake. While it might have been true, a long time ago, that anonymization prevented the association of a particular individual to a particular data set, this is no longer the case. In the world of data analytics, big data, semantics and other tools, there is no such thing as anonymity. Too often, a competent data scientist will be able to crack the anonymization shell in a short time.
Be proactive from the start
It is clear that all companies now need to be proactive about privacy and data security from a very early stage. Small size and limited means are not valid excuses.