Recently, data breaches and serious data losses have started to occur at many points covered under the Personal Data Protection Law No. 6698 in our country. Although criminal sanctions have been imposed on Microsoft, Facebook, banks, hotels and private companies, including world giants, through the KVKK institution, we wanted to address the fact in more detail. 

KVKK with laws, regulations and circulars when you read it carefully, in fact, that you hold all personal data in digital environments and hard-copy documents qualified personal and private data collection, processing, storage, transfer, and shared with all stakeholders at every point for safety should be provided detailed information from related institutions is being requested. So, why are data losses occurring?  Are security levels inadequate? Infrastructure problems? Is IT staff inadequate?

To summarize the subject;

1-although GDPR and KVKK say that we should protect personal data at every point, it is actually a team game. Providing infrastructure and other security measures, employees within the system and 3. It is also necessary to raise the awareness of the parties on this issue. Because it is a human factor that steals data and uses it maliciously. Then it's best to start by educating people first.  Because if the person who gives their personal data and the person who receives it for the purpose of processing or storing it becomes aware of the issue, then the data security environment begins to form.

2-although players of the world giant virtualization platform say that their systems are safe, they are also compatible with KVKK and GDPR, we observe that they do not have very secure systems and technical infrastructure with recently cut penalties. Because if personal data is stolen from a server located abroad, which service provider around the world should take responsibility for this situation is considered a gray area, and no institution takes the necessary and detailed measures related to this. These measures can be listed mainly as obtaining explicit consent and obtaining permission from the KVKK Board. In KVKK; while the rules for data export abroad have been established; hosting data on servers that you do not know where in the world is the most important indicator of illegal activity to transfer data without explicit consent and permission of the Kvkk Board. 

3-Another issue is; as the state of the Republic of Turkey ;when the European Union has officially applied and committed to comply with all its regulations ; the issue of what will happen when the data of a European Union citizen staying in our country is stolen... ? GDPR (General DATA PROTECTION REGULATION) in the European Union in our country; in accordance with the Law No. 6698, which enters into practice as the protection of personal data, penalties will be applied in different castles. The KVKK (Personal Data Protection) Board will apply the necessary criminal sanctions, but in accordance with the contract and regulation that we have committed and signed, the European Union can fine the institution that caused the violation under and through the GDPR.

So, does your institution need to apply KVKK or GDPR or both?

Our proposal is to apply all the requirements of ISO27001 and KVKK and GDPR, which is already fully applied to ISO27001 and KVKK procedures and principles, and GDPR compliance will be ensured by 80%. 

Finally, because the risk increases on Foreign Cloud servers and unfortunately the possibility of getting commitments becomes difficult, it is more accurate to keep personal data in a domestic datacenter as much as possible and to severely restrict or limit their access. If anonymization methods can be applied, even within the company, it will provide serious security. In addition, permission must be obtained from the KVKK board and explicit consent must be obtained from the client to take him abroad. 

We do not intend to create an unsafe perception of institutions providing datacenter services around the world, but the warnings and penalties made by the KVKK board about Microsoft and Facebook remind us once again that no Datacenter service that is not in Turkey should be considered as absolute assurance...