I wanted to write an article about the General Data Protection Regulation (GDPR), which has recently been on the agenda of almost every organization and necessitates serious changes for institutions. I hope it’s a useful study.

What is the Law on the General Data Protection Regulation (GDPR) Exactly?

Before explaining what the law is exactly, here are a few points about what it is not just:

  • It is not just a compliance issue.
  • It’s not just a matter of risk.
  • It’s not just a matter of security.
  • It is not just a data issue.
  • It’s not just a legal issue.

It is all of these and more. In a little more detail:
The Law on Protection of Personal Data, which was enacted on 24 March 2016, aims to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, and to regulate the procedures and principles to be followed by the real and legal persons processing personal data.
The law states that it applies to real and legal persons who process personal data by fully or partially automated means, or by non-automated means provided that the processing is part of a data recording system.
In brief, the law emphasizes the necessity of a serious transformation, backed by serious sanctions, for organizations that process, carry and store personal data. So how ready are organizations for this? What exactly are the implementation principles of the law, and which parts of an organization will be affected?

What are the Implementation Principles of the Law?
If we examine the implementation principles of the law in detail, we come across Data Governance (Technology, Policy & Processes, Standards & Definitions, and Organization), which, as I mentioned in my previous article, lies at the root of many issues. Examining it on the basis of the law’s implementation:

  • Personal Data:

All kinds of information relating to an identified or identifiable natural person (Requirement for Identification and Categorization of Sensitive Data)

  • Data Recording System:

Recording system in which personal data is structured and processed according to certain criteria (Management Requirement of Personal Data)

  • Explicit Consent:

Consent on a particular subject that is based on information and given of one’s own free will (Management Requirement of Explicit Consent Information)

  • Infringement Notification:

Notification in case of data infringement. (Monitoring and Warning Infrastructure Requirement)

  • Personal Data Commission:

Providing opinions in accordance with the policies of the Ministry on matters determined by the Law and the Board, resolving disputes, handling complaints and conducting audits. (Policy Setting, Processes and Organizational Management Requirement)

  • Data processing:

Processing of personal data according to the basic needs of the organization and in accordance with the relevant permits. (Data Transformation Requirement)

  • Data transfer:

Sharing of personal data according to the data transfer protocols and in accordance with the permissions of the Ministry and the Board (Data Transfer and Tracking Requirement)

  • Deletion & Anonymizing:

Data that no longer has a purpose of use is deleted or anonymized. The data requested to be deleted are archived in a centralized system and deleted after 10 years from the local system. (Requirement of Data Masking and Archiving/Deletion)

  • Information systems:

Establishment and integration of central data system, determination of required standards and approval flows, taking security measures (Requirement of Amendment and Approval Mechanism)

What does PoPD affect inside the institution?
As I mentioned above, Data Governance essentially affects many functions of an organization end to end, as listed below:

  • Organizational Structure:

Determination of new roles and responsibilities in line with the PoPD law

  • Data Management:
    • Detection of Sensitive Data
    • Categorization of Personal Data
    • Monitoring of Data and Establishment of Alert Infrastructure in case of Infringement
    • Management of Personal Data and Explicit Consent Data
    • Conversion/Transfer/Tracking/Sharing of Data
    • Anonymization/Archiving/Deleting of Data
  • Process Management:
    • Determination of Policies
    • Change and Approval Mechanism
    • Claim and Complaint Management
  • Legal and Data Security Unit
  • Technological Infrastructure

Are we ready as an organization for this law?
If we are able to give affirmative responses to the following questions, we can say that we are largely ready. If some questions remain unanswered, I will briefly talk about what Informatica Data Governance offers you for this issue in the next section.


What solutions does Informatica Data Governance offer you in this matter?
Informatica Data Governance provides you with the following solutions within the above-mentioned scope, in line with the technology components it offers:


  • Discovery of Sensitive Data
  • Classification and Categorization of Data

Define & Govern:

  • Defining Standards and Security Policies
  • Determination and management of Roles and Responsibilities
  • Change Management and Approval Mechanism


  • Detection of infringing transactions
  • Tracking User Actions


  • Data Masking
  • Archiving/Deleting of Data


  • Metadata Tracking
  • Risk Monitoring

Let’s end this article here; I hope to meet you again in the next series of articles. I hope it has been useful for you. Hope to see you.


Evrim AY