Insights from Around the Globe: Business Challenges In Complying With Data Protection Regulations

Interlegal Permanent Officer

05.12.23


In our pursuit to identify the challenges in the data protection landscape, we connected with legal professionals around the globe. Our Turkish member, Özlem Kurt from Kurt & Partners, shared her astute understanding of the regulatory frameworks and of the crucial role employees play in ensuring compliance with data protection laws and regulations.

The Importance of Employee Involvement in Data Protection Compliance Processes

Among the data protection measures that companies, as data controllers, need to implement, the tasks and significance of employees in data protection processes are quite substantial. This is because employees, by the nature of their tasks and responsibilities, access and process a significant amount of personal data. Hence, an employee who lacks sufficient awareness of data protection processes, and who is unaware of their responsibilities in maintaining these processes, poses a significant risk to the company. In practice, we observe that a significant portion of data breaches in companies occur due to employee errors. In our country, the most common types of breaches we encounter are related to phishing attacks and cyberattacks.

Effective compliance in any matter can only be achieved through cultural change within the company. Cultural change on this issue can be achieved through regular awareness and training programs, as well as reminders. Employees should be made to understand the importance of data protection and the risks associated with it. Additionally, employees should know the procedures and how to implement data protection processes. In the event of any breach, employees should know the steps to follow.

The Importance Of Cultural Change And Awareness Training:

Within the data protection compliance activities carried out by data controller companies, the most important task undoubtedly falls to the data controller’s own employees, since they are part of the data controller. For sustained data protection, long-term assessments and training programs need to be conducted within the company.

The General Data Protection Regulation (“GDPR”), which forms the basis of many pieces of legislation, makes it legally obligatory to provide training to raise the awareness of the personnel involved in data processing activities. Data Protection Authorities inspect whether awareness training has been provided to employees during data breach investigations and may increase the penalty if they determine that its absence contributed to the breach.

In practice, we observe that the majority of data breaches in companies occur due to employee errors, with phishing and employee negligence being the most common causes. Phishing is often carried out through emails that create the impression of having been sent by organizations the employee regularly deals with, and employees fall into this trap. This can only be prevented through continuously elevated awareness.

Employee turnover also has a negative impact on data protection processes. A new employee may not be familiar with the company’s data protection culture or with the obligations expected of him/her in this process. For this reason, personal data protection should be included in orientation training and in periodic data protection training.

Data protection compliance efforts are often perceived by companies as one-off efforts, and it is believed that once the compliance work is completed, the obligations on this issue end. However, the pace of technological change and internet-connected ways of working and living mean that data is always on the move. This requires continuous compliance auditing and implementation within companies. Here again, the training that needs to be given to raise employee awareness stands out.

Superficial Data Protection Compliance Processes Without Considering The Whole Database:

Due to factors such as a company’s international status, partnership structure, departmental organization, and the diversity of the industry it operates in, it is highly likely that data storage and processing occur across multiple channels. Additionally, employees, who are also users, can store documents and content they create in the course of their work under various names on different platforms. If personal data is present in all these channels, each one should be addressed separately in data protection processes. In many cases, even the company itself may not be aware of where, and what kind of, data is stored, digitally or physically, across these different channels.

Therefore, companies should start by mapping out all the digital channels, databases, applications, software, and infrastructure used within the company. They should then conduct a data discovery process to create a data map for their organization.

This map should undoubtedly be kept up to date. Each software product and application in this map should be evaluated individually, taking into account the nature and characteristics of the application: what technical security measures can be taken; what data destruction method the application allows; whether any use of it causes data transfer abroad; which third parties have access to the application; and so on. The technical measures to be taken should be determined one by one. If this work is not done, only a superficial data detection and process analysis, and a compliance study based on it, will be carried out, which is similar to sweeping the dust under the rug in the house and only making the surroundings look tidy. At the end of the day, the dust is still there and carries risk.

The Importance of Data Protection in Supplier Relationships and the Selection of Suppliers in Processes:

Companies that obtain outsourced services from external data processors should implement a data protection compliance process and an audit mechanism covering the processes and data transfers between them. In this regard, the most crucial point is the selection of external sources. The choice of service provider is of great importance, and working with providers who operate robust data protection processes will always mitigate the risks for the data controller. Therefore, from the very beginning, it is essential to ask the right questions, establish criteria, and reach an agreement with a suitable provider that aligns with the company’s data protection processes. Finally, contracts should be signed with the selected provider, setting out the data protection rules and specifying the responsibilities of the parties involved.

Failure To Establish Regular Audit And Reporting Mechanisms:

Data protection compliance is a living and continuously evolving process. The adequacy of the established data protection structure should be continuously monitored, and the company should have an audit policy as well as a disciplinary policy. In addition, the audit should encompass not only legal and technical aspects but also identify the intersections between the legal and technical domains. Companies can conduct this audit internally, through an independent audit board, or externally, through a contracted firm.

These audits should be conducted at least once a year, and the results should be recorded and reported. The findings of the audit should be rated as low, medium or high. The findings should be prioritized, an action plan should be prepared to close the gaps, and the responsible employee should be identified. The responsible employee should be held accountable until the deficiency in question is “completed”. Otherwise, the audit will only be considered a paper audit.

The Importance of Data Protection in Remote Work:

Remote work is a working model that needs to be addressed independently in terms of data protection processes.

During remote work, maintaining oversight of employees, confirming their active participation in training, and monitoring activities conducted remotely are crucial aspects. In audits or controls, the human factor can lead to disruptions or errors, so it is important to establish infrastructure that operates under technical measures, performs automatic checks, and raises alerts for breach risks. In this context, the ultimate goal is to minimize, as far as possible, the data processing activities and control mechanisms that depend on human supervision. Measures such as Mobile Device Management are used by our clients to remotely shut down or lock devices in case of loss, theft, or suspicious situations involving the employee’s mobile phone during work activities. Other examples include disabling USB ports on employee computers, using Data Loss Prevention (DLP) tools, and implementing systems that monitor remote workers and restrict certain actions. At this point, it is the data controller’s obligation to conduct limited but effective monitoring without infringing on the basic rights and freedoms of employees.

The insights shared by our member from Istanbul bring to light the importance of continuous compliance and of staying up to date with technological change. They highlight the need to raise employee awareness and to ensure proper training in order to implement a data protection compliance process.
