The first year: Understanding the concepts
2016 was a game-changing year for privacy legislation in the EU and in Turkey. The EU upgraded its 20-year-old data protection framework with a wider data processing scope and stricter sanctions, and Turkey finally managed to put its data protection act into force after a long legislative journey that began in 1981. After the EU tied enactment of the law to the conditions of its visa-free Schengen regime, the codification process accelerated, and the Turkish Data Protection Law was published and entered into force on April 7, 2016, with both administrative and criminal sanctions.
As expected, it took a while for industry players to comprehend the law and the privacy concepts before initiating compliance programs. On top of everything, it was binding legislation with high risks and significant consequences for violations, including the imprisonment of executives. Accordingly, it was the legal departments and the general counsels who were first prompted to act and bring the issue to their boards. However, at the management level, distinguishing the wide scope of the DPL from other legislative obligations, such as consumer rights or competition regulations, also took some time. In the meantime, toward the end of 2016, the nine board members of the data protection authority were appointed, and they started working in January of the new year. All in all, industry players inevitably had to act and initiate compliance programs, at least to identify the gap between their current operations and the principles prescribed by the law.
Eventually, we witnessed several approaches or methodologies adopted by leading national and multinational companies to determine the personal data flows within their operations and systems. These attempts not only enabled organizations to map the personal data activities spread throughout their overall operations but also led the management level to realize how personal data processing constitutes, and even shapes, the company’s strategy.
Barriers on business culture
Privacy is a new concept in Turkey, one that had not been taken into consideration in day-to-day business activities before the enactment of the law. For this reason, every kind of operation, process and infrastructure, in both the public and private sectors, was designed and has been run for all these years without regard to privacy principles. There were binding secondary laws regulating the telecommunication sector alone, but that was not sufficient to spread an understanding of privacy to other sectors. Moreover, the fundamental definitions, such as “personal data,” “data subject,” “data controller,” etcetera, were hardly comprehended at first, which hindered the identification of the obligations’ impact on daily operations. For instance, “data subject” was perceived as just “consumer,” and any personal data processing activity regarding other types of natural persons within the company systems was unwittingly ignored.
The crucial problem created by business culture in Turkey, one of the leading emerging markets in the world, was that all the industrial and technological trends had been adopted and embedded into systems without privacy principles. As the systems and processes were already settled and steady, applying privacy principles required considerable changes or redesigns, at considerable expense.
A focus on information security principles
Not surprisingly, the scope of data protection has been confused with information security principles, reflecting, in essence, a lack of understanding of privacy concepts. Operational units and IT departments mostly tend to focus on technical security measures or international standards, such as ISO, PCI DSS, etcetera, for which the infrastructure and awareness have matured in the Turkish market over the years. Although the data security framework is also a substantial requirement of the law, the parts of the law most neglected are principles such as use limitation, collection limitation and purpose specification, which require changes in the data management approach as well as in daily operations. Rather than establishing a new data strategy that aligns with privacy principles throughout all activities of the company, organizations have first interpreted the law from its security perspective, which resulted in the idea that keeping data secure brings compliance.
'Legal department should deal with it' approach
As is well known, it is the legal and compliance departments within companies that are primarily and regularly responsible for compliance with national and sectoral laws. The distinguishing aspect of data protection legislation is its wide impact on every operation that involves any kind of data processing activity concerning any natural person. Accordingly, the scope of a data protection program exceeds the legal tasks. As with security, legal tasks are often perceived as the sole undertaking to be completed for compliance, including privacy notices, policies and consent texts. When it is realized that changes are needed in the methods or scale of collecting, using or storing data, decision-making needs to shift toward the business units’ area of responsibility. Organizations will need to develop a multidisciplinary approach and gather all stakeholders, given the law’s wide reach into operations.
Despite the barriers, the compliance approach has finally managed to reach a level where sectors are identifying their risks, as well as internalizing the privacy framework. However, the upcoming implementation stage, specifically gap analyses and privacy impact assessments, brings new issues that require a holistic data governance approach.
The way ahead: Privacy transformation
Impact on infrastructure
It is imperative that the data inventory, the data flow life cycle, and the underlying logical and physical architectures are well defined in order to comply with the process-driven requirements of the data protection mandates. Several factors should be considered when it comes to implementation:
a) Well-defined topology of the systems and applications
It is essential to be aware of the underlying structures, systems and related applications, both in-house and remote (e.g., cloud or virtualized), so that the impact on the systems can be measured accurately while keeping business as usual.
b) Data classification and inventory management
If organizations are aware of what type of data they possess and process, as well as where and how they keep it, it is much easier to implement an overlay of data protection that focuses on the main goal of the processing. It is futile to try to address the dynamic nature of the data without this fundamental knowledge. Yet in emerging markets, time to market is most often quite short, and delivery is almost always done without proper validation of architecture and development against industry standards such as CMMI, especially when it is delivered by a third party. With a compliance burden on top, it is hard to imagine having the necessary knowledge of the data processed.
c) Overall data life cycle management
Data life cycle mapping makes it easier to understand the dynamic nature of the data when implementing the data protection mandates. It is quite useful to tie the data states to the goals of processing at each stage, so as to be able to manage compliance in the ever-changing business environment. Nonetheless, one should remember that documentation and bureaucracy pursued for their own sake will impact the agility of the business.
Overall, we should be grateful for the data protection requirements, as they give the extra push toward sustainable governance of data, which leads to a bottom-line impact when done wisely. The burden of compliance does not have to be a zero-sum game in emerging markets. It is a catalyst that enables companies’ digital transformation and data monetization in a legally secure manner.
Governance needed for sustainability
The governance of all the technical development for data protection compliance is very important, as it is the decision point for the sustainability of the entire effort.
Without a solid governance process laid out, continuous progress and compliance are impossible. In developing countries, the volatile environment and the fast digitization of legacy systems make it important to form agile organizations and business processes. These governance requirements should include the related internal stakeholders, such as IT, legal and compliance teams, but should also be in line with the digital strategy of the organization.
A well-laid privacy strategy can be a competitive advantage as well. When deploying a privacy strategy, business units should envision the potential uses of the data they process in advance, to gain a better understanding of data-driven services and opportunities. Assuming that almost every market is moving toward digitization and, with it, toward a more fluid use of data that results in services built on the data processed, a healthy governance strategy will be essential for a competitive edge in creating data-driven add-on revenues for the bottom line.
To sum up, deploying data protection requirements in emerging markets requires an agile and pragmatic approach, as the market dynamics are volatile and privacy concepts are brand new. A well-deployed, multidisciplinary and overall strategy in such markets not only sets you up for compliance but also creates a competitive edge for your organization.