In accordance with the Law on the Protection of Personal Data No. 6698 ("KVKK"), natural and legal persons engaged in data processing activities are obliged to take administrative and technical measures regarding those activities. One of these administrative measures is to ensure the security of environments containing personal data. In addition to the technical measures taken to secure the digital environments where personal data are kept, it is essential to secure the physical environment in order to protect data stored on devices or on paper. Certain monitoring methods can be used to ensure the security of the physical environment, and various data recording systems can be set up. While taking this protection measure, the party engaged in data processing should not neglect other administrative and technical measures. Some examples of measures that can be taken to ensure physical environment security, though the list is not exhaustive, are as follows:
1. Security Cameras
Controlling entry to and exit from environments containing personal data and monitoring these environments with 24-hour security cameras is one of the methods of ensuring physical environment security. This monitoring can be performed at the entrance of the organization or in areas where data requiring double protection are kept.
Where security cameras are used for monitoring, attention should be paid to the following: placing warning (information) visuals in areas with security cameras; having detailed information and disclosure texts ready and informing people by means of these texts; not using the recorded images for purposes other than ensuring the security of the physical environment; and destroying the images within a reasonable time.
2. Registering Visitors
One of the methods of controlling entry to and exit from environments containing personal data is to keep records of persons other than employees at the workplace. Persons visiting the workplace can be registered with a data recording system, whether digital or physical. Thus, in the event of a data breach affecting data stored in the physical environment (for example, the theft of a device), it can easily be determined who was at the workplace on the relevant dates. While taking this measure, the most important point for those engaged in data processing is to ensure that this data is processed proportionately. For example, where a visitor card system is used, visitors' identity cards should not be retained; a card checked to verify the declared name must be returned to the data subject after the identity check. In addition, visitor register books or other recording media should be destroyed after a reasonable period of time has passed.
3. Providing Additional Security Measures Inside or Outside the Organization
Additional security measures can be taken to protect sensitive personal data or strictly confidential data within the organization. For example, if sensitive personal data is stored on paper, it should be kept in lockers, and access to these lockers should be limited to certain people. In addition, for environments that are important to the organization or that contain sensitive personal data, such as the server room, the human resources department and the R&D department, methods such as defining passwords for persons authorized to enter and exit, setting up a card reader system or installing fingerprint reader systems can be used. The measure to be taken here should be weighed against the nature of the data to be protected, and the principle of proportionality should be respected. In addition, if the protection method itself involves processing sensitive personal data, that is, the biometric data of the data subjects, it is necessary to obtain the explicit consent of the persons concerned and to operate the policies and procedures accordingly.
4. Providing Environments Resistant to Disasters Such as Fire/Flood
Protecting the physical environments containing personal data against external risks (fire, flood, etc.) with appropriate methods is also one of the measures to be taken. For example, it is recommended to use fire- or crash-resistant cabinets for data stored on paper. In addition, making the system room fire resistant in every respect is an important element of information security.
In addition, in connection with the backing up of personal data, which is one of the technical measures, keeping the backups in a different location from the workplace, or even in a different city, will be one of the top-level measures for protecting them against natural disasters. Physical environment security should also be provided for the areas in the locations where the backups are kept. To sum up, the measures that can be taken to protect data against natural disasters are not limited in number, and it is important to take measures at the highest level appropriate to the nature of the data.
5. Other Aspects to Consider When Working Remotely During the Pandemic
Various measures need to be taken during the pandemic, when many organizations have adopted the practice of working remotely, because the greatest difficulty in protecting personal data in this period is that taking data out of the organization has become unavoidable. Taking corporate devices out of the workplace, employees' need to use their personal devices, and sending physical documents to the home addresses of employees or other entitled persons for various reasons all create these risks.
In short, the points to be considered by employees in such situations are: keeping corporate devices and paper data in areas protected against dangers such as theft and accidents; preventing other people living in the house from using corporate devices or, if personal devices are used, logging out of all corporate accounts when someone else needs to use the device; and keeping good track of the cargo arriving at the employee's home on behalf of the organization and preventing loss of information in this regard. These measures are not limited in number, and it is fundamentally important that people apply the highest level of protection measures when working remotely, just as at the workplace.
On the other hand, technical measures also need to be taken while working remotely, and all administrative and technical measures should be considered in a holistic manner. For further information on the subject, see our article titled "Technical Aspects to be Considered During Working Remotely" in our KVKK&GDPR March Newsletter.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.