Data controllers are obliged to take the necessary technical and administrative measures to ensure data privacy and data security within the scope of both the Turkish Personal Data Protection Law No. 6698 ("KVKK") and the European Union General Data Protection Regulation ("GDPR") in Europe. These measures are not specified in a limited number, but they are stipulated to determine the need of data controllers for "necessity." This necessity differs for each activity.

In addition, the life cycle of personal data in the business activities of the organization changes over time. For example, a marketing activity or employee satisfaction activity may occur, which does not currently exist; an existing process may be terminated, the customer portfolio may expand from domestic to abroad, and private companies may be included into suppliers.

The regular flow of business life makes compliance with data protection regulations a living process. So much so that, the data controllers review their processes for a certain period of time and improve their practices constitutes the first step of compliance with data protection legislation; but does not eliminate future incompliances. Therefore, data controllers should ensure that their compliance with data protection legislation is sustainable for each process that is added to business activities or terminated. Sustainability occurs through the establishment of a functioning data privacy and security system within the organization.

Why is Sustainability Needed?

Data protection rules mostly prescribe self-controlled mechanisms. In other words, rules on data protection impose obligations on the addressees of the rules to control themselves and ensure compliance by themselves. The reason for that is the concerns that the existence of personal data processing in all internal and external business activities of the organizations and being subject to a continuous surveillance and control from the outside will disrupt the operations, and it will lead to loss of time and labor.

Besides, self-control will increase the effectiveness of data protection since the data controller itself has the best and most comprehensive information on personal data processing activities. Thus, data protection legislation requires data controllers to supervise themselves and meet their own needs with appropriate measures in order to achieve their targets for regulatory requirements.

The processes that the data controller will carry out for data processors can be given as an elaborative example of self-control. In fact, before signing a contract with a new data processor, compliance audits should be performed to the extent required by the data processing activities subject to the contract, sometimes certifications should be requested, or written commitments should be taken prior to the contract.

Data controllers should generally prepare documents for accountability for compliance, keep them on record, and submit them to the data subjects or authorities when necessary. However, due to the nature of self-control, preparing and registering such specific documents is not solely enough for compliance with data protection legislation. For example, the information request regarding the processed data from the data subject will not be met without being aware of the existing and terminated processes in the organization; moreover, there is an obligation to answer these requests as soon as possible. As another example, awareness training for the new hires should be provided and a corporate culture for privacy will need to be re-established.

As a result, data controllers should approach data processing activities critically by making continuous evaluations and improve their activities in line with the needs they identify. Risks should be determined for the current situation, the most suitable method for data protection should be determined and integrated into the system. It would not be wrong to say that the obligation of data controllers in this context is to ensure that tasks similar to those assigned to a data protection authority are performed within the organization.

What Does Sustainability Ensure?

Sustainability provides legal assurance above all. In this context, sustainability:

  • Ensures compliance with KVKKGDPR and related data protection legislation.
  • Eliminates the risk of data privacy and security breach.

One of the most important effects of sustainability is that it also contributes to the organization commercially. In this context, sustainability:

  • Creates a competitive difference.
  • Increases the value and quality of the data handled.
  • Reduces the number of lawsuits likely to be brought by employees, customers, and other persons along with their demands and costs of these actions.
  • Provides to meet the expectations of commercial contacts and strengthen the relationship of trust with them.
  • Ensures that the organization is a good corporate citizen and strengthens public trust.
  • Provides added value in terms of institutionalization with regular monitoring of business processes and organizational chart for data flow.
  • Develops and improves the execution of business processes, cross-border sales activities, marketing activities on a global scale including electronic direct marketing for the above reasons and facilitates entry into new markets on the other hand.

How Do We Provide Sustainability?

First of all, a vision and mission of confidentiality should be established within the organization that can be briefly and concisely announced to all related people. Then, a data protection management model should be constructed in the light of this vision and mission. The procedures and principles regarding the scope and sustainability of this model should be set forth, implemented, and regularly monitored.

This management model affects all processes of the organization; therefore, it requires a comprehensive evaluation. First of all, the scope of data processing activities within the operations should be set forth, the relevant legislation should be identified; within this framework, possible challenges and disruptions should be figured out, and it should be ensured that appropriate actions are taken specific to the organization. For example, it will be a good practice to determine the end-to-end data life cycle for a business process, to determine the expectations of people in commercial life and cultural framework both locally and globally in line with these data processing activities, to evaluate legal obligations, to customize these determinations and evaluations for an organization.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.