What needs to be done to comply with the Data Protection Law?

Many companies have started and are continuing to work on their compliance with Data Protection Law (“Law”). 

After being fully appointed, the Data Protection Board (“Board”) has published 2 important draft legislation and prepared several guidelines. The guidelines contain questions and answers aiming to inform those who are concerned. Companies and their consultants are trying to determine and apply the points that need to be in place regarding the management of compliance programs, the Law, draft regulations and guidelines. 

What are the biggest challenges for the companies performing compliance programs?

In general, compliance programs contain two main phases:

1) detailed company audits and assessments (due diligence) and

2) implementation

During the inspection and assessment phase, companies initially encounter difficulties in determining data flows. They need to prepare an inventory showing when and from whom the data was collected, how the data is used, stored, transferred and destroyed, and they need to work on a system to keep this current. For this operation, data controllers, need to determine their processes, establish their organizational structure and define who must have access to data.  Also, an analysis of the current data security measures must be conducted by data security specialists. Under the structure of data controller, manual and IT-based solutions to be used for personal data protection, should be determined and must be tested for their appropriateness. At the end of this assessment, it is extremely important to determine the deficiencies concerning the working and technical processes in handling, transferring, storing and destruction of the personal data and establishing means to overcome any deficiencies. 

As for the implementation stage, the companies encounter difficulties determining their own strategies and create customized policies for their own processes and compliance programmes. In this respect, texts borrowed from the policies of competitors or other corporations emerge. It must be remembered that texts “borrowed” this way may bring more harm than profit as they were prepared according to the needs of another company. 

What needs to be known and considered for the inventory preparation?

  • Personal data inventory is actually a detailed database prepared by the data controllers, showing the personal data processing activities, data categories and types, the purposes of data processing, places and retention periods of data stored, the relation of the receiving group with the data subjects’ transferred data. 
  • In order to prepare the inventory, the data controllers must determine each data category according to the individual data subject groups. 
  • It is crucial to have the compliance audit and assessment done correctly as part of the compliance project. Thus, the preparation of the inventory requires a very detailed work, involving all the departments and units of the data controller company. For this purpose, we suggest establishing a compliance committee.  

What does the compliance committee do?

  • First of all, the compliance committee should complete the first phase of the compliance project, which is the inventory. 
  • After the inventory is in place, all the documentation necessary for fair processing notices, determining the cases requiring explicit consent and needed for the data processing has to be drafted and all the agreements that require the personal data to be transferred to third parties have to be modified. 
  • Compliance committee also needs to compose data registration policies and processes, specific to the company’s data processing activities, like the collection of data by the data controller, recording, storing, safe keeping, alteration or adaptation, organization, disclosure, transferring, retrieval, making available, classification or blocking. 
  • In addition to these, the compliance committee should aim to take technical measures according to the outcomes of the compliance audit reports showing which scenarios could materialize following the current vulnerability in the system. Within this scope, subjects like the company’s risk management structure, security policies, information security organization, human resources security, information asset management, access control security, encryption controls, physical and environmental security, information technologies operations and communications security need to be addressed. 
  • It is very important that the duties of the compliance committee do not terminate with the compliance project procedures and the committee is shaped as a proactive body operating in an orderly manner. This would specifically help companies improve their reflexes swiftly in data protection compliance and establish a data security breach control system suitable for the company’s strategy. 

Who should be on the compliance committee?

  • It is crucial to form a compliance committee to conduct a proactive internal organization within a company. If a company is to appoint a data protection compliance department or a data privacy officer, it would be right to have this department’s activity organized by the appointed officer. However, since the appointment of a data privacy officer is not a legal requirement, we see that very few companies chose to go through this path at the moment. 
  • We recommend the companies to commission to their committees one or more managers from the legal, IT, information security, finance, human resources, sales or business development departments, in a manner most suitable to their organizational structures. It is very favourable for the increase of all the departments’ awareness on data processing responsibilities, that these managers work in harmony with the data privacy officer, if there is one, on establishing the purpose and ways in processing the data by the company in various categories. 

What is the Data Processing Policy? 

  • A policy is the sum of all the rules determined by the data controller company, stating which personal data could be processed or accessed by whom or what types of processing of such data are not permitted. The policies and processes prepared by the company are like a guideline for how the company should handle data processing activities. In this way, companies could provide faster decisions on their data processing practices. When policies are applied correctly, each department would be working efficiently in respect of their respective data processing activities. 
  • Data Protection Law does not yet officially require the policy to be published on company websites. However, companies could prefer to do so, in order to be more transparent on their data processing activities. 
  • It must be remembered that the data processing policy is the data controller’s one-sided commitment/undertaking in the light of company’s data processing activities. In this context, representations and warranties in the policy should be drafted very carefully, customizing the provisions specifically to the data processing activities of the company.
  • Companies should also evaluate if they really wish to commit to a higher level of duty of care compared to the level required legally while writing their policies. They must fully understand the liability that might be imposed upon them when they promise to act in a certain way.