With the development of technology and the widespread use of the internet, there are many possibilities that the security systems of companies and the data they host may be jeopardized. One of the important points in ensuring that personal data is processed in accordance with the Personal Data Protection Law is to prevent unlawful access to personal data by third parties. Otherwise, there will be a data breach.
Although there is no specific definition of personal data breach in the Law, the phrase "...if the processed personal data is obtained by others through illegal means..." in Article 12 of the Law is regulated as a data breach. Therefore, in order to talk about personal data breach; personal data must be obtained illegally and obtained by third parties. Regardless of the extent of the breach, the fact that the company faces a data security threat causes serious reputational damage. In the decisions of the Personal Data Protection Board, we see that companies are often subjected to large administrative fines due to data breaches caused by not taking the necessary administrative and technical cautions.
In the event of a data breach, the company has an obligation to notify two parties. One of them is the Personal Data Protection Board and the other is the persons affected by the breach. The company must be sure that a personal data breach has occurred before making these notifications.
Steps Companies Should Take in Event of Personal Data Breach
- Determination: It should be determined whether personal data has been illegally obtained by third parties.
- Collecting information about the breach: Information such as how the breach occurred, which groups of persons were affected by the breach, which data categories were affected by the breach should be collected. An important point here is that all the information regarding the breach may not be obtained at the same time. The effects of the breach may emerge over time, but after the breach is detected, the first notification should be made to the Board without delay, and then the Board should be informed with interim forms as information is obtained.
- Filling out the data breach notification form: If it is determined that a personal data breach has occurred, the breach notification form should be filled out.
- Making the notification: - Notification should be made to the Board within 72 hours at the latest from the moment the breach is detected, and notification should be made to the data subjects as soon as possible after the data subjects affected by the breach are identified.
Data breach notification can be made by filling out and sending the "Data Breach Notification Form" that appears after pressing the "Breach Notification" button on the website of the Personal Data Protection Authority. At the same time, the PDF version of this form can also be filled in and sent to [email protected]
It is also possible to make a written notification via the address of the institution.
Many companies from different sectors are faced with administrative fines due to their failure to pay due attention to the confidentiality and personal data protection, and this situation also leads to loss of reputation. In order to prevent loss of reputation, brand value and customers, the company must ensure that it has established the necessary security infrastructure within its own and the data processor on behalf of the company, and that administrative and technical cautions are applied and must follow this carefully.