Research Article

Privacy Impact Assessment as a Tool for GDPR Compliance Preparation

Year 2019, Volume: 1 Issue: 2, 75 - 86, 27.12.2019

Abstract

Technology allows individuals and enterprises to share and disseminate their personal financial, legal, and reputational data through a variety of tools. Such use can cause a loss of control over personal data, and protecting that data is an indispensable obligation of companies. Accordingly, laws on the protection of personal data were enacted by the European Parliament, first the European Union (EU) Directive 95/46/EC and later the General Data Protection Regulation (GDPR). Turkey also adopted a Personal Data Protection Law based on EU Directive 95/46/EC on 7 April 2016 as part of its efforts to harmonize its legislation with that of the EU. Since then, the Turkish Data Protection Law (TDPL) has been leaning increasingly toward the GDPR. European enterprises and their international business partners must comply with the GDPR, and in GDPR compliance the Privacy Impact Assessment (PIA) plays an important role. This literature survey first summarizes the compliance process for the TDPL. It then shows how a PIA can be used to facilitate the business activities of GDPR-bound companies.

References

  • Acquisti, A. (2010). The Economics of Personal Data and the Economics of Privacy. Retrieved July 18, 2016, from http://repository.cmu.edu/cgi/viewcontent.cgi?article=1347&context=heinzworks
  • Biagini, L. (2018, July 20). Don't Confuse GDPR Compliance with Security. Retrieved November 4, 2019, from https://www.forbes.com
  • Billows, D. (2015, September). Why Projects Fail So Often? Retrieved November 4, 2019, from https://4pm.com/2015/09/27/project-failure/
  • Binder, D. (2016). Inside Privacy. Retrieved December 15, 2019, from https://www.insideprivacy.com/united-states/federal-government-releases-final-guidance-on-cisa/
  • Binns, R. (2017). Data protection impact assessments: A meta-regulatory approach. International Data Privacy Law, 7(1), 22-35.
  • Burger, R. (2016, September). 20 Surprising Project Management Statistics. Retrieved November 4, 2019, from https://blog.capterra.com/surprising-project-management-statistics/.
  • Burri, M., & Schär, R. (2016). The reform of the EU data protection framework: outlining key changes and assessing their fitness for a data-driven economy. Journal of Information Policy, 6(1), 479-511.
  • Calzolari, G., & Pavan, A. (2006). On the optimality of privacy in sequential contracting. Journal of Economic Theory, 130(1), 168-204.
  • Clarke, R. (2011). An Evaluation of Privacy Impact Assessment Guidance Documents, International Data Privacy Law 1(2). Retrieved November 4, 2019, from http://www.rogerclarke.com/DV/PIAG-Eval.html
  • Clarke, R. (2016). Regulatory Failures in the Security Space: Some Current Cases. Retrieved November 4, 2019, from http://www.rogerclarke.com/DV/RFSS.html
  • DG Connect. (2018, November 12). Commission signs agreement with cybersecurity industry to increase measures to address cyber threats. Retrieved 2019, from https://ec.europa.eu/digital-single-market/en/news/commission-signs-agreement-cybersecurity-industry-increase-measures-address-cyber-threats.
  • DG Connect. (2016, July 6). Statement by Vice-President Ansip and Commissioner Oettinger welcoming the adoption of the first EU-wide rules on cybersecurity. Retrieved November 3, 2019, from https://ec.europa.eu/digital-single-market/en/news/statement-vice-president-ansip-and-commissioner-oettinger-welcoming-adoption-first-eu-wide
  • Di Iorio, C. T., Carinci, F., Azzopardi, J., Baglioni, V., Beck, P., Cunningham, S., ... & Federici, M. O. (2009). Privacy impact assessment in the design of transnational public health information systems: the BIRO project. Journal of Medical Ethics, 35(12), 753-761.
  • Dülger, M.V. (2019). Kişisel Verilerin Korunması Hukuku [Personal Data Protection Law]. İstanbul: Hukuk Akademisi Yayıncılık.
  • GDPR (2016), Regulation (EU) 2016/679 (General Data Protection Regulation), Official Journal of EU.
  • Flaherty, D. (2000). Privacy impact assessments: an essential tool for data protection. Privacy Law & Policy Reporter, 5, 85.
  • HIQA. (2017). Guidance on Privacy Impact Assessment in health and social care, Health Information and Quality Authority. Retrieved November 2, 2019, from https://www.hiqa.ie/sites/default/files/2017-10/Guidance-on-Privacy-Impact-Assessment-in-health-and-social-care.pdf
  • ICO (2012, December 12). What is personal data? A quick reference guide. Retrieved November 3, 2019, from https://ico.org.uk/media/for-organisations/documents/1549/determining_what_is_personal_data_quick_reference_guide.pdf
  • ICO (2015). Conducting privacy impact assessments code of practice. Retrieved October 2, 2019, from https://ico.org.uk/media/about-the-ico/consultations/2052/draft-conducting-privacy-impact-assessments-code-of-practice.pdf
  • IPC (2015). Planning-for-Success Privacy Impact Assessment Guide. Retrieved November 2, 2019, from https://www.ipc.on.ca/wp-content/uploads/2015/05/Planning-for-Success-PIA-Guide.pdf
  • ISO/IEC 29134 (2017). Information technology — Security techniques — Guidelines for privacy impact assessment. Retrieved November 3, 2019, from https://www.iso.org/obp/ui/#iso:std:iso-iec:29134:ed-1:v1:en.
  • Kaya, K. (2017). Kişisel Verilerin Korunması Kanunu Çerçevesinde Veri Tabanı Sistemlerinin Yönetilmesi [Managing Database Systems within the Framework of the Personal Data Protection Law]. Retrieved November 4, 2019, from http://kdkaya.blogspot.com/2018/03/kisisel-verilerin-korunmas-kanunu.html
  • Lloyd, I. J. (2017). Information technology law. Oxford University Press.
  • Lopes, I. M., Guarda, T., & Oliveira, P. (2019). Implementation of ISO 27001 standards as GDPR compliance facilitator. Journal of Information Systems Engineering & Management, 2(4), 1-8.
  • Mayer-Schönberger, V., & Cukier, K. (2013). Big data: A revolution that will transform how we live, work, and think. Houghton Mifflin Harcourt.
  • Monica, N. & Kumar, K. R. (2013). Survey on Big Data by Coordinating MapReduce to Integrate Variety of Data. International Journal of Science and Research (IJSR) ISSN (Online), 2319-7064.
  • Newman, A. (2008). Protectors of privacy: Regulating personal data in the global economy. Cornell University Press.
  • SEC. (2007). Privacy Impact Assessment (PIA) Guide. Retrieved November 3, 2019, from https://www.sec.gov/about/privacy/piaguide.pdf
  • Siegel, B. (2016). What is the difference between privacy and security? Retrieved November 4, 2019, from https://www.csoonline.com
  • TBDL (2016). The Law on the Protection of Personal Data No. 6698. Official Gazette of the Republic of Turkey, No. 29677, enacted on 7 April 2016.
  • Tuomi, I. (1999). Data is more than knowledge: Implications of the reversed knowledge hierarchy for knowledge management and organizational memory. Proceedings of the 32nd IEEE International Conference on Systems Sciences, Hawaii 1999. HICSS-32. pp. 12.
  • Varkonyi, G. G. (2017). Evaluation on Turkey's Data Protection Adventure. Eur. Data Prot. L. Rev., 3, 238.
  • Whitney, H. (2012). Data insights: new ways to visualize and make sense of data. Newnes.
  • Wright, D., & De Hert, P. (2012). Introduction to privacy impact assessment. In Privacy Impact Assessment. Springer, Dordrecht.
  • Wright, D. (2012). The state of the art in privacy impact assessment. Computer Law & Security Review, 28(1), 54-61.
  • Zerlang, J. (2017). GDPR: a milestone in convergence for cyber-security and compliance. Network Security, 2017(6), 8-11.

Turkish title: GDPR Uyumluluk Hazırlığı için bir Araç Olarak Mahremiyet Etki Değerlendirmesi

Abstract (Turkish version, translated)

Technology enables individuals and businesses to share and disseminate their personal financial, legal and reputational data through various tools. Such use may cause a loss of control over personal data. The protection of personal data is an unavoidable obligation of companies. Ultimately, laws on the protection of personal data were adopted by the European Parliament, first under the name EU Directive 95/46/EC and later as the General Data Protection Regulation (GDPR). Turkey, as part of its efforts to harmonize its legislation with the European Union, also adopted a Personal Data Protection Law based on EU Directive 95/46/EC on 7 April 2016. Over time, the Turkish Data Protection Law (KVKK) has leaned more toward the GDPR. European enterprises and their international business partners must also comply with the GDPR. In the GDPR compliance process, the Privacy Impact Assessment (PIA) plays an important role. This literature study summarizes the compliance process for the KVKK. It then emphasizes the ways in which a PIA can act as a facilitator for the commercial activities of GDPR-bound companies.


Details

Primary Language: English
Subjects: Engineering
Journal Section: Articles

Authors:
  • Bilgin Metin (ORCID 0000-0002-5828-9770)
  • Sema Erkan
  • İdil Atasu
  • Enes Yılmaz

Publication Date: December 27, 2019
Submission Date: November 14, 2019
Acceptance Date: December 12, 2019
Published in Issue: Year 2019, Volume: 1, Issue: 2

Cite

APA: Metin, B., Erkan, S., Atasu, İ., Yılmaz, E. (2019). Privacy Impact Assessment as a Tool for GDPR Compliance Preparation. Kişisel Verileri Koruma Dergisi, 1(2), 75-86.
AMA: Metin B, Erkan S, Atasu İ, Yılmaz E. Privacy Impact Assessment as a Tool for GDPR Compliance Preparation. Kişisel Verileri Koruma Dergisi. December 2019;1(2):75-86.
Chicago: Metin, Bilgin, Sema Erkan, İdil Atasu, and Enes Yılmaz. “Privacy Impact Assessment As a Tool for GDPR Compliance Preparation”. Kişisel Verileri Koruma Dergisi 1, no. 2 (December 2019): 75-86.
EndNote: Metin B, Erkan S, Atasu İ, Yılmaz E (December 1, 2019) Privacy Impact Assessment as a Tool for GDPR Compliance Preparation. Kişisel Verileri Koruma Dergisi 1 2 75–86.
IEEE: B. Metin, S. Erkan, İ. Atasu, and E. Yılmaz, “Privacy Impact Assessment as a Tool for GDPR Compliance Preparation”, Kişisel Verileri Koruma Dergisi, vol. 1, no. 2, pp. 75–86, 2019.
ISNAD: Metin, Bilgin et al. “Privacy Impact Assessment As a Tool for GDPR Compliance Preparation”. Kişisel Verileri Koruma Dergisi 1/2 (December 2019), 75-86.
JAMA: Metin B, Erkan S, Atasu İ, Yılmaz E. Privacy Impact Assessment as a Tool for GDPR Compliance Preparation. Kişisel Verileri Koruma Dergisi. 2019;1:75–86.
MLA: Metin, Bilgin et al. “Privacy Impact Assessment As a Tool for GDPR Compliance Preparation”. Kişisel Verileri Koruma Dergisi, vol. 1, no. 2, 2019, pp. 75-86.
Vancouver: Metin B, Erkan S, Atasu İ, Yılmaz E. Privacy Impact Assessment as a Tool for GDPR Compliance Preparation. Kişisel Verileri Koruma Dergisi. 2019;1(2):75-86.