Cyber Law Series – 1 / EU Data Protection Rules and Turkey
EU data protection rules and Turkey
1. Keep up with the cyber age and understand what “data protection” is not
As futurists always underline, we should not plan for or dream about the future; we are actually already living and conducting business in the future, which will with each passing day continue to evolve faster than we can recognize and adapt. On this subject, Einstein is quoted thus: “I never think of the future. It comes soon enough."
However, we should do our best and one should start from somewhere to adapt to the developing cyber business world by learning more about data protection and its effect on our business.
Rather than listing the principles and rules of data protection in a theoretical manner, we believe it would be much more efficient to clearly clarify some of the essential facts. Firstly, organizations should understand that “data” protection is:
- not only related to customer data
- not only related to electronic data
- not only about hacking or cyber-attacks
- not only an IT-related issue.
In the digital age, “data” is one of the most critical business assets and unfortunately the owner of this valuable asset is not the business. Data belongs to the subject of the data who is an identified or identifiable natural person with processed data. When you take a single picture of your workplace, you may catch a lot of personal data related to your customer, employee or subcontractor’s employee, or their family, all of which deserves to be protected.
What is the EU doing about it?
Although it was, of course, late even at the time, since 2012 the EU Parliament has worked hard on drafting a brand-new piece of legislation, namely the General Data Protection Regulation (“GDPR”) to replace the Data Protection Directive (“Data Protection Directive”) of 1995. Not surprisingly, it was decided in 2016 to grant a transition period of two years until 28 May 2018 before this regulation took effect.
Even EU companies and EU businesses are under-prepared, so it is better to be late than sorry. According to EU-based reports and studies, most EU companies – or at least their technical infrastructure and most cloud applications that possess colossal amounts of personal data around the globe – are still not GDPR-ready.
However, the current situation in the EU is, of course, much better than in Turkey since they started their preparations years ago and there is only a bunch of exceptions in Turkey thanks to their chief legal counsels with great vision despite the well-known last-minute Turkish business culture. The EU is now even discussing how to expand this culture away from EU territory in order to more efficiently protect EU-origin data outside the EU.
The impact of GDPR on Turkish business
Data protection is currently a really hot topic not only in Turkey but all around the world. Turkish entrepreneurs in the business world have already started compliance procedures in accordance with the Law on the Protection of Personal Data No. 6698 but they should also consider the GDPR.
What is new?
The GDPR has a greater territorial scope than existing EU laws and so will apply to many more organizations around the world, even those outside the EU. Before the GDPR, the Data Protection Directive set the data protection and privacy frame for EU Member states in addition to each member state having its own data protection act and approach in accordance with the Directive. The goal of the GDPR is to harmonize and standardize data protection laws across the EU. The GDPR is truly exceptional since it is the first and only EU legislation that will have a direct effect even outside the EU territory in cases of EU-related personal data.
The GDPR sets many new concepts, creates long to do lists and issues new obligations for the business world. However, the most important and worldwide change the GDPR brings forward is the “extra territorial effect.” Previously, European data protection legislation only applied to organizations established within the EU or even if they were established outside the EU when they used equipment within the EU to process personal data. However, the GDPR applies to organizations, regardless of the country in which they are based or from where they are operated, unless they can prove they do not collect or process personal data drawn from the European market.
Who is affected?
The GDPR will impact every entity and quite a wide range of sectors. Organizations will be considered to be in the scope of the GDPR if they process the personal data of EU-based individuals by either:
- offering goods or services to individuals within the EU; and/or
- monitoring the behavior of data subjects within the EU.
This means that when a business has a website in one of the European languages or offers certain products or services to the EU, or offers transactions in euros or another EU-based currency, such a business is considered to be processing and targeting EU-based data subjects.
What should a non-EU entrepreneur do?
As for other EU-based businesses, non-EU entrepreneurs (businesses) shall take their business picture on databases and analyze what personal data they hold and process where it came from and who they share it with.
Next, they will have to initiate their compliance process immediately considering that the GDPR brings many steps for currently Directive-complied EU companies.
Non-EU businesses and entrepreneurs shall also appoint representatives within the EU to be a point of contact for EU personal data subjects and regulators for the purposes of GDPR enforcement. However, the designation of the representative shall be without any prejudice to legal actions that could be initiated against the respective controller or processor.
Costs and hefty consequences
The GDPR introduces significant fines, including revenue-based, which enables the Data Protection Authorities to impose fines for some infringements of up to 20 million euros, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. There is also a lower limit for the fines of other breaches, up to the higher limit of 2% of worldwide turnover or 10 million euros.
At the same time, data subjects who have suffered material or non-material damage as a result of an infringement has the right to receive compensation from the controller or processor for the damage suffered.
More importantly, any non-compliance may give rise to the loss of a serious number of customers, client portfolio or market share at very short notice, especially when shared even once on social media, which may have a greater effect on the business and reputation of the company.
The GDPR compliance deadline may still be several months away, but time passes quickly. Businesses and entrepreneurs, even those that are non-EU, must analyze their dataflow and plan their compliance strategies in the short term to give themselves enough time to put the right technology in place and iron out any flaws.