TECHNICAL MEASURES TO BE IMPLEMENTED IN TERMS OF ENSURING PERSONAL DATA SECURITY WITHIN THE SCOPE OF PROTECTION OF PERSONAL DATA
IN GENERAL
Storing, processing and sharing the personal data of both internal stakeholders (employees) and external stakeholders (beneficiaries) is part of everyday life, particularly for parties conducting corporate activities. As the storage, processing and sharing of personal data in digital environments with digital methods has become widespread through technological development, data security approaches have come to be evaluated and emphasized more specifically with a focus on personal data security.
In recent years, the growing volume and variety of data collected from individuals through different methods in the course of corporate activities, together with the fact that personal data forms part of personal rights and security, has made it necessary to attach ever greater importance to the protection of personal data. Since protecting the individual is a public obligation and personal data is an integral element of it, all countries have had to address the protection of personal data on a national basis: they have established public authorities, enacted legal regulations, and developed and implemented administrative and technical standards.
The EU General Data Protection Regulation (GDPR), in force in the European Union, and the current Personal Data Protection Law, which consistently emphasizes the importance of harmonizing with European Union standards, can be given as examples of important legal regulations. The Personal Data Protection Authority, established in Turkey for the protection of personal data, carries out its activities by issuing legal regulations, conducting violation audits and publishing public guidelines. The main point in the protection of personal data is to determine the rights and obligations of the parties so as to provide adequate protection, to establish institutional and legal discipline, and to set out the administrative and technical measures to be taken in this context.
TECHNICAL MEASURES
Today, data has been digitized in almost all its forms (visual, textual and auditory). Accordingly, data is stored, processed and shared in digital environments, with digital tools and equipment and digital methods, which requires serious attention to technical measures as well as administrative measures, because data on digital platforms is exposed to cyber security threats at every stage. The Personal Data Protection Authority has published a Personal Data Security Guide for this purpose and lists in it the technical measures it recommends. These measures are also commonly referred to as cyber security.
CYBER SECURITY
The digital organization structure of a corporate organization is the determining factor in which technical measures will be taken within the scope of cyber security. Digital organizations basically take the form of an intranet or an extranet, in parallel with the activity structure of the institution. An intranet is a private network within the organization, closed to external access, used for secure sharing of company information and computing resources among employees. An extranet is a network that enables employees, suppliers, customers or all other stakeholders in a business partnership to use the same software and protocols over the internet.
PRECAUTIONS FOR INTRANET ORGANIZATIONS:
In corporate systems created with intranet topology, the following technical solutions are considered mandatory for employees (users) who will use data resources by accessing the system:
- Authorizations to access the system and use data resources must be defined and enforced with software solutions, so that unauthorized access and use are prevented.
- Keeping instant digital logs (LOG records) of access to the system and use of resources. This solution is important both for preventing violations and for creating legal evidence if violations are detected.
- Implementing software solutions for backing up data and preventing data loss.
- Ensuring the security of external media (CDs, USB sticks, external disks, etc.) to which data is transferred for any purpose.
- Implementing and promptly operating monitoring, auditing and feedback software solutions.
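The first two intranet measures (authorization enforced in software, and logging that is usable as evidence) are shown together in the added example below. It is illustrative code written for this article, not code from the Personal Data Security Guide or from the Authority; the roles, user names and employee records are constructed, and the hash-chained log is one way to make the LOG records tamper-evident.

```python
"""Added example: role-based authorization for a personal-data store, with a
tamper-evident audit log of every access decision. Roles, users and records
are constructed for illustration."""
import hashlib
import json
import time
from dataclasses import dataclass, field

# Constructed role -> permitted actions table (an assumption for this example).
ROLE_PERMISSIONS = {
    "hr_officer": {"read", "update"},
    "auditor": {"read"},
    "intern": set(),
}

# Constructed sample personal-data records.
PERSONAL_DATA = {
    "emp-001": {"name": "A. Example", "national_id": "12345678901"},
    "emp-002": {"name": "B. Example", "national_id": "10987654321"},
}

GENESIS = "0" * 64  # 'prev' value of the first log entry


@dataclass
class AuditLog:
    """Append-only access log. Each entry stores the hash of the previous
    entry, so editing or deleting an earlier entry breaks the chain and the
    tampering is detectable when the log is later used as evidence."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user: str, action: str, record_id: str, allowed: bool, ts=None) -> dict:
        entry = {
            "ts": time.time() if ts is None else ts,
            "user": user,
            "action": action,
            "record": record_id,
            "allowed": allowed,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry's hash matches its body and every 'prev'
        pointer links to the entry before it."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != self._digest(body):
                return False
            prev = entry["hash"]
        return True


class DataStore:
    """Every access goes through `access`, which decides by role and logs the
    decision whether or not it was allowed (denials are evidence too)."""

    def __init__(self, users: dict, log: AuditLog):
        self.users = users  # user -> role
        self.log = log

    def access(self, user: str, action: str, record_id: str) -> dict:
        role = self.users.get(user)  # unknown user -> no role -> no permissions
        allowed = action in ROLE_PERMISSIONS.get(role, set()) and record_id in PERSONAL_DATA
        self.log.append(user, action, record_id, allowed)
        if not allowed:
            raise PermissionError(f"{user!r} is not authorized to {action} {record_id}")
        return PERSONAL_DATA[record_id]


def demo() -> AuditLog:
    """One permitted and one denied access, returning the resulting log."""
    log = AuditLog()
    store = DataStore({"alice": "hr_officer", "bob": "intern"}, log)
    store.access("alice", "read", "emp-001")
    try:
        store.access("bob", "read", "emp-001")
    except PermissionError:
        pass
    return log


if __name__ == "__main__":
    log = demo()
    for e in log.entries:
        print(e["user"], e["action"], e["record"], "allowed" if e["allowed"] else "DENIED")
    print("log chain intact:", log.verify())
```

In practice the log would be written to storage the application itself cannot rewrite (a separate log server or write-once medium); the hash chain only makes after-the-fact edits detectable, it does not prevent them.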
PRECAUTIONS FOR EXTRANET ORGANIZATIONS:
Since corporate systems created with extranet topology are open to multilateral and external access over the internet, the technical measures to be taken become more comprehensive. Because the resources are open to internet access (external access), both the security of access to data resources and the security of data communication for data sharing purposes must be ensured in a coordinated manner. In addition to the measures required for the intranet, the technical measures to be taken in this context are as follows:
Ensuring external access security:
- Effective user identification, creating effective user account management, and implementing user information and feedback systems in this context,
- Ensuring access security with access verification methods (e-mail, mobile application, SMS, etc.),
- Creating and operating layered defenses (VPN, firewall, DDoS protection, etc.) against server-side unauthorized access and attacks,
- Using server- and client-side antivirus software and keeping it up to date, and implementing server-side technical solutions (secure transaction screen) against client-side malware vulnerabilities,
- Storing data encrypted with cryptographic methods on the server side and transmitting it end-to-end (peer to peer) encrypted in data communication,
- Ensuring that systems operate with generally accepted security certificates (SSL),
- Ensuring that all measures to be taken by service providers for cloud-based systems (access, storage, sharing, destruction, etc.) are carried out with strict discipline,
- Implementing monitoring, supervision and intervention solutions adequate to the size of the institution,
- Correct and effective execution of software solutions in line with data anonymization policies.
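The last measure, a software implementation of an anonymization policy, is shown in the added example below. It is illustrative code written for this article and not code from the guide; the policy table, field names and records are constructed. Direct identifiers are replaced with keyed pseudonyms (HMAC-SHA256) so records remain linkable only inside the controlled system, quasi-identifiers are generalized, and any field the policy does not know is dropped.

```python
"""Added example: applying an anonymization policy to personal-data records
before they leave the controlled system. Policy, fields and records are
constructed for illustration."""
import hashlib
import hmac
import secrets
from datetime import date

# Constructed policy: the treatment each field receives. Fields not listed
# are dropped, so a newly added column cannot leak by default.
POLICY = {
    "national_id": "pseudonymize",  # keyed token, linkable internally only
    "email": "mask",                # partial masking
    "birth_date": "generalize",     # exact date -> 10-year age band
    "department": "keep",           # treated as non-identifying in this example
    "name": "drop",
}

REFERENCE_DATE = date(2024, 1, 1)  # constructed 'today' so results are reproducible


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Without the key, tokens cannot be recomputed
    from candidate identifiers, which a plain unkeyed hash would allow."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(value: str) -> str:
    local, _, domain = value.partition("@")
    if not domain:
        return "***"
    return local[:1] + "***@" + domain


def age_band(birth_date: str, today: date) -> str:
    """Generalize an ISO date of birth (YYYY-MM-DD) to a 10-year band."""
    born = date.fromisoformat(birth_date)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize_record(record: dict, key: bytes, today: date) -> dict:
    out = {}
    for name, value in record.items():
        treatment = POLICY.get(name, "drop")
        if treatment == "pseudonymize":
            out[name] = pseudonymize(value, key)
        elif treatment == "mask":
            out[name] = mask_email(value)
        elif treatment == "generalize":
            out["age_band"] = age_band(value, today)
        elif treatment == "keep":
            out[name] = value
        # "drop" and unknown treatments: the field is omitted
    return out


# Constructed sample records; "phone" is deliberately absent from POLICY.
SAMPLE_RECORDS = [
    {"name": "A. Example", "national_id": "12345678901", "email": "a.example@example.com",
     "birth_date": "1985-03-02", "department": "finance", "phone": "+90 555 000 0000"},
    {"name": "B. Example", "national_id": "10987654321", "email": "b@example.com",
     "birth_date": "1999-12-30", "department": "finance"},
]


def export_dataset(records, key: bytes, today: date = REFERENCE_DATE) -> list:
    """Apply the policy to every record; this is the only path out of the system."""
    return [anonymize_record(r, key, today) for r in records]


if __name__ == "__main__":
    # The key stays inside the controlled system. Destroying it later turns the
    # pseudonyms into unlinkable tokens, which is how the data is anonymized.
    key = secrets.token_bytes(32)
    for row in export_dataset(SAMPLE_RECORDS, key):
        print(row)
```

The keyed-token design matters for the destruction step listed above: while the key exists the dataset is pseudonymous and still personal data, and deleting the key is the operation that makes it anonymous.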

