Data privacy and cyber security in Turkey – the impact of new legislation

Turkey’s Law on Protection of Personal Data has been in force for a few months. The impact of the law on the internal operations of companies in Turkey is potentially huge, and the law brings them in line with the requirements of wider EU law.

The law has been generally well received, but as with any new legislation there have been kinks to iron out. The Legal 500 teamed up with Gün + Partners to host a roundtable event in Istanbul, inviting Turkish in-house counsel to discuss the increasingly important topic of data privacy and cyber security across the country.

Corporate counsel from a range of industries – covering consumer products, energy, ecommerce, insurance and banking – came together to discuss their attempts to comply with the new law so far, outline early best practices they had discovered and suggest improvements that could be developed using secondary legislation.

What’s missing from the law as it stands?

The general consensus was that the new data privacy law was a considerable step in the right direction, but there is a need for clarification on a number of points. As it stands, there is overlap between the new law and some existing employment law, producing early instances of contradiction – there have been too few cases that cover this so far, and therefore there is often little precedent for companies to follow. For example, when it came to the topic of obtaining consent from employees in order to share their data, there was heated debate about how this fits in with existing EU law and wider international requirements, and how exactly you have to gain consent from the individuals.

However, there was wide agreement that with discussion during the secondary legislation period these topics will be highlighted and addressed.

How can multinational and domestic companies integrate the changes in Turkey?

Data protection laws are different the world over, and that means that multinational companies often have to deal with conflicts. It is not unheard of for such a company to have global standards that are applied across its operations regardless of local laws. Although this can be helpful – one counsel outlined how they were able to use other countries’ data mapping software as a starting point – there are also times when existing frameworks can be a hindrance when local laws change. One GC stated that there were provisions contained in the new Turkish law that would make it difficult for the company to comply with its own internal procedures.

The movement of data within a holding company was an interesting topic of debate. Many multinationals store their data on a server in another country, and there are instances where different parts of the holding organisation would like to benefit from the data of their sister companies. In this respect there is still some doubt about what is acceptable, and what would be punishable under the new law.

The role of the Chief Privacy Officer: Who owns the risk?

The room was divided on this point: many thought that the ultimate responsibility should rest with the GC, while others thought that there was a strong need for technical or operational ownership of data privacy and cyber security. Ultimately the GC can advise on the intricacy of the law and the potential impact of non-compliance, but there is little that they can do when it comes to designing and implementing the IT systems necessary to make data secure.

One GC described data privacy as an iceberg: where the visible tip is the legal element that you can comply with, but the vast amount of crucial work of other back office staff is hidden beneath the surface.

There was also a strong case for the inclusion of senior business management in the planning process, giving data privacy the importance that it demands in today’s business world. If there is little or no senior buy-in then there is unlikely to be appropriate preparation. The role of the Chief Privacy Officer will be further outlined by the Data Protection Authority in due course, but all of the GCs around the table have already made efforts to create the role. There is no exact template that GCs can follow, but best practice approaches to data mapping, defining procedures and instilling a compliant mentality are already becoming apparent.

The risk of non-compliance in privacy matters was summarised by one attendee as having two main drivers: “First is the case of consumer care over their own data, and second is the level of penalty that a company can face in the event of a breach. You often need one of these to be considerable to ensure that you get significant buy-in from management.”

More change to come

As well as the discussion about the content of the secondary legislation in Turkey, there is still a question about the effect of changing regulation and legislation in the European Union. When the EU’s General Data Protection Regulation (GDPR) comes into force in 2018, there will undoubtedly be an impact on both multinational and domestic Turkish businesses – but it is yet to be seen how this will complement or contradict the recent Turkish law.

Data protection is a crucial topic across the world, but perhaps has an even tougher starting point in Turkey as companies seek to catch up in many respects. As one GC said: “It is difficult to allocate budget for data privacy in any country, but at least in those countries they already have some budget for a chief privacy officer!”

The panellists
  • Gülistan Nayci, adidas Turkey
  • Kurtuluş Çaltekin, AvivaSA Pension and Life Insurance
  • Elif Demir, İş Bankası
  • İdil Haliloğlu, Karadeniz Holding
  • Ozge Ayoz, Procter & Gamble Tüketim
  • Gözde Kuşçuoğlu, Shaya
  • Ozan Alakustekin, Total Oil Türkiye
  • Dilek Akdas Kokenek, N11
  • Aybike Satir Oskay, N11
  • Dominic Williams, The Legal 500
  • Uğur Aktekin, Gün + Partners
  • Begüm Yavuzdoğan Okumuş, Gün + Partners
  • Ozan Karaduma, Gün + Partners
