Personal data is now protected not only under EU directives (which serve as recommendations to be transposed into the national law of member states) but also under EU regulations (which are directly applicable in national law); at the same time, legal provisions on this subject were put into practice in our country, following a long preparation period.
At this point, the key questions that every company keeping records of personal data must answer have been specified. The most important ones are "why do they record personal data?" and "why do they need these records?". Judgments have to be made about the purposes of processing, the connection to business processes, the retention period, the technologies to be used, and to whom and by which means the data may be transferred. This matters because many records that are not needed in a company's usual workflows are nonetheless kept. On the other hand, ordinary data also carries the risk of being considered sensitive data, which is subject to stricter regulation, depending on the circumstances.
According to the law, companies are required to bring records from the previous period into compliance within 2 years and to ensure that records registered in the following period comply with the applicable regulations. The necessary technical and administrative measures have not yet been specified; secondary legislation such as implementing regulations will clarify the subject. For now, the only available reference is ISO 27001. Nevertheless, during this transition period the reasons and methods for processing can be planned, the impact on privacy can be assessed, and data security policies can be prepared, including protocols and notifications for breaches of data privacy and data security. This transition period will likewise be useful for bringing the recording layout of staff personal data into compliance, defining job roles and informing staff when hiring, granting authorization for access to the data system, recording the access history, preparing the application to the data managers' registry, and reviewing existing contracts.
Companies hold data that may qualify as personal data in various documents (invoices, commercial correspondence and letters, etc.) across different units. Today in particular, a great deal of data arising from contractual relationships is stored in digital media (e.g. CRM software). Under the legal regulation on this matter, processing address details for an invoice may be regarded as legitimate use based on the contractual relationship. However, saving data for other purposes not directly related to the contractual relationship (e.g. to celebrate customers' birthdays) creates an evident need for consent and is also a risky choice. It would be prudent to review records where the counterparty in the relationship is a sole proprietorship. Archive records should be reviewed for situations like these, and where elimination is difficult, an assessment can be made to define these data sets as not being part of the data recording system. On the other hand, within the scope of outsourcing, appropriate contractual provisions and the necessary commitments should be obtained wherever personal data will be processed under agreements with third-party companies, or where sharing data with relevant foreign entities becomes an issue, for instance in connection with social media representatives or public relations. Similarly, the consents to be obtained from the natural persons whose data will be processed are preferably regulated separately from the contractual texts, and it may be useful to mention the existing rights of the data subjects in these texts.
Companies that store personal data will be regarded as data managers, because the questions above are addressed to them. In addition, there may be another company that processes the data; in the event of a security breach, joint liability may arise. Although the authority to answer questions about data responsibility lies with the board of directors, for internal operations it is assumed that a data manager can be designated by delegation of authority where the articles of association permit it, as is done for occupational health and safety managers. Furthermore, court rulings will have to shape the assessments to be made regarding data managers, who are deemed to bear tortious liability, may possibly bear defect liability, and are subject to employer's liability.
In line with the view that personal data is becoming the new currency, and with the possibilities opened up by the Internet of Things and Big Data, a new economy is reported to be emerging, and the EU regulations are evolving towards administrative fines. Since the EU regulation on this matter will become effective within 2 years, member states planning to introduce criminal sanctions in addition to fines will be required to consult the EU. It is also worth noting that the fines that can be imposed under the regulation exceed a million euros and reach 4% of turnover.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.