Effect of ISO/IEC 27001 Information Security System on the Law on Protection of Personal Data

Effect of ISO/IEC 27001 Information Security System on the Law on Protection of Personal Data

The Law on Protection of Personal Data (KVKK) was enacted on April 7, 2016. The period provided for the personal data processed before the law was enacted to be adopted within 2 years ended on April 7, 2018. The KVKK; which was enacted in order to determine the procedures and principles on the confidentiality of private life, protection of fundamental rights and freedoms and processing the personal data; provides legal and technical obligations for all institutions within the public and private sectors. It requires updates for the applications of ERP, CRM and HR where the personal data are recorded and it also requires legal works.

KVKK attracts the attention of all institutions obtaining personal data especially for the last six years. Some institutions completed their adaptation processes on April 7, 2018 and there are some companies continuing their adaptation works. Therefore, KVKK will continue to be one of the issues the institutions are dealing with in 2018.

Information security is one of the issues which the institutions are focussing on with the digital transformation. Information security means protection confidentiality, integrity and accessibility of the information by applying the risk management process. The institutions prefer applying the ISO/IEC 27001: 2013 Corporate Information Security Management System (BGYS) for enabling information security and business continuity against cyber-attacks. ISO 27001 BGYS is a documentation system in order to enable information security and is one of the important issues within today’s world with intense information.

Then is it possible to related BGYS with KVKK emphasized for those institutions recently? More clearly, is it possible for an institution having a BGYS Certificate to carry out the process of adaptation for KVKK? In which points BGYS supports KVKK? In order to answer those questions, it is necessary to analyse the KVKK closely.

When the law, regulations and notifications related to protection of personal data are analysed, it is possible to observe that there are several extensive articles requiring expertise. It is possible to categorize KVKK as “recording”, “data security” and “deleting operation” despite those details in the law.

The conditions of processing the personal or private data, national or international transfers of the personal data and express consent issues are assessed under the “recording” title. The institutions which follow the express consent conditions related to personal data and build their operations related to processing them to the database obtained face-to-face, online, through SMS, e-mail or phone.

The issue of “data security” is approached in detail under the Article 12 of the law and under the Personal Data Protection Law. The institutions are required to prevent the personal data to be processed and accessed illegally and protect them under the data security. The issues of national and international transfers of the personal data under the law can be approached under the data security.

The issue of “deleting operation” which is included in the law and detailed with the regulation and guide enacted related to the deletion and disposal of the personal data or making them anonymous is one of the critical titles of KVKK. The deleting operation is related to deleting the personal data which are processed through non-automatic methods providing that they are part of any of the data recording system or which is automatic partially or completely, disposing them or making them anonymous.

On the other hand; the institutions are required to conduct intracompany regulations in order to issue documents such as express consent texts, clarification obligation, policy, procedures, personal data processing inventory, registries of data controllers and to accept the applications and complaints of the relevant persons.

Based on the abovementioned details, the relation between the KVKK and BGYS can be evaluated by considering three main processes of the KVKK. The “recording” and “deleting operation” processes are specific processes and are independent from the BGYS. Therefore, the “recording” and “deleting operation” processes are not related to the BGYS articles.

When the “Data Security Guide”, which is published by the Committee of Protection of Personal Data, it is possible to observe that the “data security”, which is main titles of the KVKK, is directly related with the BGYS. The measures related to the personal data security within the KVKK are approached as administrative and technical ones.

As explained in the Data Security Guide; the law expects the institutions to take administrative measures for determination of the current risks and threats, training the employees and carrying out awareness works, determination of personal data security policies and procedures, decreasing the personal data as far as possible and management of the relations with the data processors.

The technical measures which the institutions are required to take are as follows: provision of cyber security, following the personal data protection, provision of safety of the media containing personal data, storing the personal data in a cloud, supply, development and maintenance of information technology systems and backing up the personal data.

The equivalents of measures indicated under the “Summary Tables within the Scope of the Technical and Administrative Measures Related to Personal Data Security” in the Section 4 of the Data Security Guide for BGYS are as follows:

For the summary tables: http://www.cio.com.tr/blog/iso-27001-bilgi-guvenligi-yonetim-sisteminin-kvkkya-etkisi/ 

The issue of Risk Analyses indicated under the Administrative Measures are one of the main issues approached by BGYS. The ISO 27001 BGYS is based on the systematic occupational risk. BGYS is a system designed for creation, application, operating, monitoring, revising, sustaining and improving the information security. BGYS involves behaviours of the personnel, processes and technology. It can be applied for only manage a specific information or for all operations in order to be part of the corporate culture.

Therefore, BGYS is a system containing policies and procedures involving the legal, physical and technical controls within the management process of the information security risks of the institutions. The institutions applying the Risk Approach within the frame of the BGYS conducts the Risk Analysis operation expected by the KVKK. Besides; the institutions are required to prepare the policies and procedures in which they explain the methods applied for express consent texts, clarification texts, deleting the personal data, disposing them or making them anonymous; the internal examination reports, the personal data processing inventory, the registrations of the data controllers, contracts, privacy commitments and risk analyses for adaptation to the KVKK. Since preparation of the documents is one of the main functions of the BGYS, the institutions having BGYS certificate will not have difficulties to prepare documents for the KVKK.

Consequently, it is possible to observe that there is a strong relation between the KVKK and BGYS when the KVKK-BGYS relation table is analysed and the issues related to risk analysis and documentation preparation are taken into consideration. The institutions having BGYS certificate will carry out their adaptation process more easily. It is possible to say that majority of the “data security” process expected by the KVKK is covered by the Information Security Management System. The institutions will see that KVKK emphasizes the legal and technical dimensions of the issue within the adaptation process and ISO 27001 BGYS Certificate supports the KVKK and have an active role for it.

Ahmet Tosunoğlu

Proks Belgelendirme Ltd. Şti. Proks Certification +90 232 50201 26 info@proks.co