Selin OZBEK CITTONE
Attorney at Law / Managing Partner, Dual qualified lawyer (Turkey and England & Wales)
18 October 2017
Many companies have started and are continuing to work on their compliance with the Data Protection Law (“Law”).
After being fully appointed, the Data Protection Board (“Board”) has published 2 important pieces of draft legislation and prepared several guidelines. The guidelines contain questions and answers aiming to inform those who are concerned. Companies and their consultants are trying to determine and apply the points that need to be in place regarding the management of compliance programs, the Law, draft regulations and guidelines.
What are the biggest challenges for the companies performing compliance programs?
In general, compliance programs contain two main phases:
1) detailed company audits and assessments (due diligence) and
During the inspection and assessment phase, companies initially encounter difficulties in determining data flows. They need to prepare an inventory showing when and from whom the data was collected and how the data is used, stored, transferred and destroyed, and they need to work on a system to keep this inventory current. For this operation, data controllers need to determine their processes, establish their organizational structure and define who must have access to data. Also, an analysis of the current data security measures must be conducted by data security specialists. The manual and IT-based solutions to be used for personal data protection within the data controller's structure should be determined and must be tested for their appropriateness. At the end of this assessment, it is extremely important to determine the deficiencies in the working and technical processes for handling, transferring, storing and destroying personal data, and to establish means to overcome any deficiencies.
As for the implementation stage, companies encounter difficulties in determining their own strategies and creating customized policies for their own processes and compliance programs. In this respect, texts borrowed from the policies of competitors or other corporations emerge. It must be remembered that texts “borrowed” this way may do more harm than good, as they were prepared according to the needs of another company.
What needs to be known and considered for the inventory preparation?
What does the compliance committee do?
Who should be on the compliance committee?
What is the Data Processing Policy?