With each new decision, the Personal Data Protection Authority becomes more understandable and explanatory about how organizations should handle personal data. One of the things clearly seen in the summary of the decision dated 27/02/2020 published on May 4, 2020; The Authority should consider the General Data Protection Regulation (GDPR), which is the European Data Protection Law, in its decisions.

KVKK and GDPR set responsibilities for how organizations should handle personal data, which requires additional information security investments. When we look at both KVKK and GDPR, this additional security and the most important issue of investments; Identity and Access Management.

Identity and Access Management is very important in that it directly aims to minimize access to critical information and not to disclose personal data, which is the main focus of KVKK and GDPR. For this reason, KVKK can easily be placed in the first place in the title of Technical Measures.

In terms of data privacy, the three pillars of information security are confidentiality, integrity and accessibility. Integrity ensures that data is not edited or modified in an unauthorized manner after being stored; Accessibility refers to the need for information to be available only when needed and in the required form by authorized persons. Confidentiality is about setting limits on access to information based on who needs to know and protecting data from unauthorized access.

For KVKK Compliance, you need to make sure that the collected personal data can be accessed only by the right people and with the right preservation methods, in accordance with the clarification and explicit consent texts, and for as long as necessary. Along with the principles of Confidentiality, Integrity and Availability, Data Minimization is the main theme of the regulation. Keeping as little data as possible for compliance is one of the most important points, which brings us to Identity and Access Management: Providing minimum access to your employees within the scope of their duties and responsibilities…

For most organizations, the Identity and Access Management strategy will have three elements:

Employees

It is not enough to know what personal data you have and which employees/departments have access to it. Like GDPR, Identity and Access Management under KVKK should be much more detailed. You need to know where all your sensitive data is stored, who can access the personal data and the level of access they have. To overcome the "authorization confusion" where a user's role is changed and/or newly granted access without closing their old access rights, you need to be able to quickly manage the state change. You should also identify and eliminate “ghost accounts”. Industry research shows that up to a quarter of all accounts are inactive, making it an increasing target for hackers.

Business Partners / 3rd Parties / Data Processors

Today, there is almost no company left with personal data within its own four walls. Data sharing and collaboration is essential for many organizations working with complex ecosystems of partners. In addition, many companies are increasingly managing their business processes with contract staff and mobile workers. Especially if you are a Data Controller then you should also be able to provide correct access to data held beyond your corporate firewall. This requires you to be able to manage not only all personal data, but also interactions between users who have access to that data, and the most effective method for this is again Identity and Access Management.

Costumers

Any organization that offers online services – government and private – allows its customers to create digital identities. Many of these include self-service features and mostly work using simple password authentication. This is a security vulnerability, and you should apply the concepts of data minimization and secure user authentication in KVKK as well as in GDPR.

In the past, many organizations have been slow to implement a corporate Identity and Access Management strategy, but today, it is very important to change this situation with KVKK. Identity and Access Management measures should be taken to protect personal data, going beyond employees and covering business partners, suppliers, mobile workforce and customers. It is difficult to see an organization comply with KVKK without adopting this approach.

Active Directory Is Not Enough…

Traditional approaches have often revolved around simple manual access control processes, such as using Active Directory to create groups. The downside is that these processes are slow, cumbersome, and costly, as well as the fact that they don't scale well and often cannot monitor or manage actual user access. Active Directory services only provide an overview of AD group user memberships, not an overview of the actual access / access privileges assigned. Reviewing user access lists based on AD group assignments often provides false assurance, as it is done by the "manager of that job/department".

Identity and Access Management should become a strategic goal for all organizations. All companies should create and consider the need to continually update an Identity and Access Management platform and governance program that provides dynamic and comprehensive authorization and authentication capabilities.

In this way, you can minimize the risk of data breach and reduce your risk of exposure to KVKK penalties by protecting access to personal information in your organization.

 

Source: https://blogs.opentext.com/identity-and-access-management-is-pivotal-for-gdpr-compliance/

---