Compliancy Assessment Services
As the variety and amount of personal data in the IT systems increase, the possibility of not acting in accordance with local and global legislations and regulations, which have entered our lives even more strongly in recent years, increases the possibility of serious harm to organisations. It is possible to summarise the basic administrative and technical expectations of such legislations as follows;
- Lawfulness, Fairness and Transparency on Processing Personal Data
- Consent Management
- Covering the Rights of the Data Subject
- Records of Processing Activities
- Designation of Data Processing Officer (DPO)
- Specific Treatment of Sensitive Data
- Retention Management
The frameworks for those above have been defined by “The European Data Protection Board” in EU countries (GDPR) and by “Kişisel Verilerin Korunması Kurulu” in Türkiye (KVKK). As these boards mainly focus on protection of personal data of the real person they fined many Corporate Companies in doing so while the fines were aimed to be “effective, proportionate and dissuasive”. The fines could go up to 20M Euros depending upon the nature of the infringement and measures in place.
In order to prevent such risks, organisations must first understand the current situation, classify and control data for protection purposes. Regardless of whether it is customer, employee or third party data; it is extremely important to create a personal data inventory, classify data, define retention / deletion policies, access conditions / limitations and develop the right protection strategy against cyber security threats.
With our subject matter experts we provide risk-based GDPR/KVKK Gap Analysis services designed to enable your organisation to:
- Understand GDPR/KVKK compliance risks
- Know which may impose a significant impact
- Implement risk management controls
In order to determine the impact and likelihood of a level of risk, information gathered orally during the meetings and additional information regarding the questions arose during the meetings are analysed through:
- Thorough examination of the risk sources;
- Scale of categories of personal data
- Categories of personal data that require additional security measures
- Importance of the application and/or business process to core business activities of the company
- Number of data subjects and relation of data subjects to the data processing activities
- Recipients of the personal data transferred, types and categories of personal data and whether security of the recipients are guaranteed
- Visibility and detectability of the risks by third parties
- Impact to the core business activities of the risk
- Consequences of the risk
- The likelihood that those consequences may occur and the factors that affect them
- Assessment of any existing controls or processes that tend to minimise negative risks or enhance positive risks
Our GDPR/KVKK Gap Analysis services have been designed to help you know which gaps in compliance present risks to your business, what are the likelihood and impact of the risks and finally what is needed to cover any gaps and manage the risks.
We customise our Gap Analysis Services to addresss your organisation’s requirements. We analyse both technical infrastructure and processes to provide a clear set of recommendations that will finally mitigate the risk of data breaches and likely penalties.