THE PROCESS AND IMPORTANCE OF ISO 27701 AND KVKK COMPLIANCE STUDIES
The Personal Data Protection Law (KVKK) is becoming increasingly important in Turkey, and organizations are expected to address it in a comprehensive and systematic way. ISO/IEC 27701 is a standard that can serve as a documented guide for organizations that want to comply with the EU General Data Protection Regulation (GDPR) and KVKK at the same time.
National law always takes precedence over standards. Organizations should therefore know the legal requirements that stand behind the standard's clauses, apply them within the organization and fulfil them.
ISO 27701 has many benefits for your organization, your staff and your customers.
The benefits to your organization:
- It protects the reputation of your brand.
- It enables you to do more business with new and existing customers.
- It reduces the cost of sales and helps you win more business.
- It helps you avoid fines for non-compliance with legislation (such as GDPR and KVKK) and the legal proceedings that follow data breaches.
- It makes it easier to avoid the cost of corrective actions after incidents and/or breaches, and it strengthens your corporate culture and vision.
- It allows your organization's personal data management to be integrated with its other management systems.
The benefits for your staff:
- Awareness, and working in line with policies and procedures, through training.
- Confidence in the sustainability of the organization, with less extra workload and less wasted time.
Finally, the benefits for your customers:
- Trust and assurance in your company and, in turn, in your suppliers.
- A lower likelihood of a costly breach increases customer satisfaction with the system and methods you apply.
- It secures customer information and personal data.
- It ensures your business continuity.
The ISO 27701 KVYS (Personal Data Management System; ISO 27701 itself calls this a Privacy Information Management System, PIMS) and KVKK compliance processes consist of the Organization, Planning, Implementation, Checking, Improvement and Certification steps. These steps are of great importance in companies' compliance efforts, and all of them must be performed correctly and in order.
STEPS OF ISO 27701 KVYS AND KVKK COMPLIANCE PROCESSES AND WHAT TO DO:
Organization Step:
The organization step determines the teams that initiate the compliance processes and the managers of those teams.
- The Organization step proceeds in largely the same way for ISO 27701 (KVYS) and for KVKK.
- An opening meeting should be held.
- For ISO 27701 KVYS roles and responsibilities, a management representative and committee members are appointed; for KVKK roles and responsibilities, a contact person and committee members are appointed.
- Once roles and responsibilities have been assigned, the project teams should receive KVYS training in the ISO 27701 compliance process and KVKK training in the KVKK compliance process. Training is very important: it makes employees far more knowledgeable about preventing data breaches.
- In the ISO 27701 compliance process, after the project team has been trained, a statement from top management is obtained, and then the internal and external issues and the scope are determined.
- In the KVKK compliance process, after training, the Personal Data Processing Policies are prepared; once the policies are prepared, expectations and requirements are reviewed, and commitments regarding personal data security are obtained from suppliers and service providers.
Planning Step:
- The planning step begins once the organization step has assigned roles to the teams. In the ISO 27701 compliance process it covers preparing the procedures, identifying the information assets, preparing the personal data inventory, determining the information classes and performing the privacy impact analysis, which is completed with the PIA report. Risk treatment planning and the setting of information security objectives follow, and the step ends with the preparation of the Statement of Applicability. For the KVKK compliance process, this is the stage in which the Personal Data Inventory is created and the privacy impact analysis is performed, producing the PIA Report.
- The first stage of the planning step in the ISO 27701 compliance process is the preparation of the Asset and Risk Analysis Procedure; KVKK has no such procedure requirement.
- In the ISO 27701 compliance process, the Information Assets are identified after the Asset and Risk Analysis Procedure has been prepared. At this stage, the KVKK compliance process requires a Personal Data Inventory to be created.
- After the information assets have been identified, the Personal Data Inventory is prepared in the ISO 27701 compliance process, as in KVKK.
- The Personal Data Inventory is a detailed inventory that records, for each of the data controller's business processes, the purposes of processing, the retention periods, the processing activities, the legal bases and the data security measures taken.
- In the ISO 27701 compliance process, the Information Classes are determined after the inventory has been prepared; the Risk Analysis is then performed, followed by the Privacy Impact Analysis. In the KVKK compliance process, after the personal data inventory has been created, the MED (Privacy Impact Assessment) of the data in the inventory is performed and the PIA Report is prepared. This assessment and report are not mandatory under KVKK, but they are mandatory under GDPR.
- After the privacy impact analysis, the ISO 27701 compliance process moves on to Risk Treatment Planning; the KVKK compliance process has no systematic requirement here, as this is evaluated within the scope of administrative and technical measures.
- The ISO 27701 compliance process then determines the Information Security Objectives; KVKK has no systematic objective management requirement.
- After the Information Security Objectives have been determined, the Statement of Applicability is prepared in the ISO 27701 compliance process and the planning phase ends. KVKK has no systematic control-applicability requirement at this stage, but it is recommended to decide which measures to take by reviewing the administrative and technical measures.
Implementation Step:
The implementation step is where the policies are prepared for both processes and the risk treatment actions are implemented; in the ISO 27701 compliance process the obligations to data owners are determined, and in the KVKK compliance process the Clarification Texts (KVKK's privacy notices) and Explicit Consent Texts are prepared. Another stage of this step that we consider very important is deciding how personal data is shared, transferred and disclosed, which follows the determination of obligations in the ISO 27701 compliance process. At the same stage in the KVKK compliance process, data transfers abroad and data transfers to third parties are examined and regulated. In the ISO 27701 compliance process, the examined documents are compiled into what is called the Annex-A Document.
- In the implementation step of the ISO 27701 compliance process, the first stage is the preparation of the Information Security Policy and the second is the preparation of the Personal Data Processing and Protection Policies. In the KVKK compliance process, the Personal Data Processing Policy is prepared in the first stage.
- Once the policies are prepared, the Risk Treatment Actions are implemented in the ISO 27701 compliance process, and the actions related to administrative and technical measures are implemented in KVKK.
- After the actions have been implemented, the ISO 27701 compliance process moves on to the collection and processing conditions. In the KVKK compliance process, a risk analysis is carried out in consultation with all units; these analyses identify the personal data and determine its storage and processing conditions.
- The ISO 27701 compliance process treats privacy by design and privacy by default as separate requirements, whereas the KVKK compliance process revises processes in order to reduce the amount of personal data processed. This stage is mandatory under GDPR but not under KVKK.
- In the ISO 27701 compliance process, obligations to data owners are determined. In the KVKK compliance process, the rights of data subjects (the relevant persons) and how they exercise those rights are also determined while the Clarification and Explicit Consent Texts are prepared.
- After the obligations have been determined in the ISO 27701 compliance process, it is decided how personal data is shared, transferred and disclosed. At this stage in the KVKK compliance process, data transfers abroad and data transfers to third parties are examined and regulated.
- During the KVKK compliance process, the necessary measures should be determined by examining the administrative and technical measures.
- In the last stage of the implementation step, the forms containing personal data are examined and arranged in the KVKK compliance process, and the Organizational Documents are prepared in ISO 27701.
Checking Step:
The checking step is very important, especially within the scope of the ISO 27701 compliance process. In this step of the ISO 27701 compliance process, Business Continuity Exercises are carried out first, and then the monitoring, measurement, analysis and evaluation results are analysed and checked. The internal audit is carried out at this stage, and the step ends with the YGG (management review) meeting. For the KVKK compliance process, this stage is evaluated within the scope of administrative and technical measures.
- Business Continuity Exercises are carried out first within the scope of the ISO 27701 compliance process; in the KVKK compliance process there is no systematic requirement, since this stage is evaluated within the scope of administrative and technical measures.
- Monitoring, Measurement, Analysis and Evaluations are analysed in the ISO 27701 compliance process; KVKK has no systematic performance management requirement.
- In the ISO 27701 compliance process, the Internal Audit is performed and the checking step is then concluded with the YGG meeting. The KVKK compliance process has no systematic internal audit requirement, since this is evaluated within the scope of administrative and technical measures. As for the YGG meeting, KVKK requires compliance from the data controller but does not require a management review.
Improvement Step:
- This step is not required in the KVKK compliance process. In the ISO 27701 compliance process, the internal audit findings are reported and followed up in the first stage, and corrective actions are planned and followed up in the final stage.
Certification Step:
- There is no certification requirement in the KVKK compliance process. In the ISO 27701 compliance process, the certification application is made first and the audit is then carried out. After the audit, the stage of eliminating nonconformities begins, and once they have been eliminated, certification is granted.
ISO 27701 KVYS – KVKK Comparison Table

| ISO 27701 Compliance Work Steps | KVKK Compliance Equivalent |
| --- | --- |
| KVYS Organization | KVKK Organization |
| Opening Meeting | Opening Meeting |
| Roles and Responsibilities (Identification of Management Representative and Committee Members) | Roles and Responsibilities (Identification of Management Representative and Committee Members) |
| Providing KVYS Training to the Project Team | Providing KVKK Training to the Project Team |
| Statement by top management | Personal Data Processing Policies are prepared. |
| Internal and External Issues / Determination of Scope | Scope contracts are reviewed, and expectations and requirements are reviewed. Commitments regarding personal data security are obtained from suppliers and service providers. |
| Planning | Planning |
| Preparation of Asset and Risk Analysis Procedure | There is no procedure requirement. |
| Identification of Information Assets | Creation of personal data inventory. |
| Preparation of Personal Data Inventory | Creation of personal data inventory. |
| Determination of Information Classes | Creation of personal data inventory. |
| Performing Risk Analysis | A MED (Privacy Impact Assessment, PIA Report) of the data in the inventory is performed. (Mandatory in GDPR, not mandatory in KVKK) |
| Performing a Privacy Impact Analysis | A MED (Privacy Impact Assessment, PIA Report) of the data in the inventory is performed. (Mandatory in GDPR, not mandatory in KVKK) |
| Risk Treatment Planning | Evaluated within the scope of administrative and technical measures; there is no systematic requirement. |
| Determining Information Security Objectives | There is no systematic objective management requirement. |
| Preparation of Statement of Applicability | Administrative and technical measures are examined and necessary measures are suggested. There is no systematic control-applicability requirement. |
| Implementation | Implementation |
| Preparation of Information Security Policy | Personal Data Processing Policies are prepared. |
| Preparation of Personal Data Processing and Protection Policies | Personal Data Processing Policies are prepared. |
| Implementation of Risk Treatment Actions | Implementation of actions related to administrative and technical measures. |
| Collection and processing conditions | Risk analysis is carried out in consultation with all units. These analyses identify the personal data and determine its storage and processing conditions. |
| Privacy by design and privacy by default | Processes are revised in order to reduce the personal data processed. (Mandatory in GDPR, not mandatory in KVKK) |
| Obligations to data owners | Preparation of clarification and explicit consent texts. Determining the rights of the data subject (relevant person) and the process for exercising them. |
| Personal data sharing, transfer and disclosure | Examining and arranging data transfers abroad. Examining and arranging data transfers to third parties. |
| Preparation of Annex-A Documents | Administrative and technical measures are examined and necessary measures are suggested. There is no documentation requirement for the measures. |
| Preparation of Organizational Documents | Examining and arranging forms containing personal data. |
| Checking | Checking |
| Conducting Business Continuity Exercises | Evaluated within the scope of administrative and technical measures; there is no systematic requirement. |
| Analysis of Monitoring, Measurement, Analysis and Evaluations | There is no systematic performance management requirement. |
| Internal Audit | Evaluated within the scope of administrative and technical measures; there is no obligation. |
| Holding the YGG (Management Review) Meeting | Compliance is required as a data controller, but a management review is not mandatory. |
| Improvement | Improvement |
| Reporting and Tracking of Internal Audit Findings | There is no systematic internal audit requirement. |
| Planning and Following Up Corrective Actions | There is no systematic internal audit requirement. |
| Certification | Certification |
| Making the certification application | There is no certification requirement. |
| Performing the audit | There is no certification requirement. |
| Elimination of nonconformities | There is no certification requirement. |
| Certification | There is no certification requirement. |