Definition of Privacy by Design
Data privacy by design (“PbD”) is a risk management-oriented data architecture methodology in which products and services are handled in a way that conforms to privacy principles from the beginning of the design phase. Through its unique structure, the PbD principle aims to take legal, administrative, and technical measures simultaneously. For this reason, while documentation work is carried out to fulfill legal and administrative obligations in compliance projects, technical actions such as the design of data input channels and query screens in the systems should not be overlooked. For the efficiency of the project, it is important that the process does not focus on one side only but is managed from both sides together.
Unlike the GDPR, the Turkish Personal Data Protection Law (“Law”) has no analogous article on PbD. In addition, there are no statements directly related to Privacy by Design in the measures tables of the Obligations Concerning Data Security (“Obligations”) published by the Turkish Personal Data Protection Authority (“Authority”). However, it is possible to say that checking input controls in systems, designing applications in a way that minimizes the possibility of data integrity disruption during processing, and similar measures found in other parts of the Obligations can be evaluated within the scope of PbD.
PbD within Scope of Turkish Data Protection Board’s Decision
The Turkish Personal Data Protection Board (“Board”) emphasizes two issues regarding the Privacy by Design principle in its decision no. 2020/50 concerning a retail clothing company. The first point is keeping log records, which is stated very clearly and frequently in the Obligations. In addition to determining and classifying the log sources and recording the event logs, accurate rule sets are needed in order to diagnose possible violations through SIEM and so provide security for personal data and special category data. The second point is to carry out the necessary tests at the web page design stage. In this respect, although the Board does not use a term for data privacy by design, its determination on the last point directly refers to the definition of PbD.
Both the Board's implicit reference to Privacy by Design in the aforementioned decision and the emphasis on the GDPR in the Law amendments listed in the Action Plan titles published by the Ministry of Treasury and Finance indicate that there will be a very strong link between the intended Law and the GDPR. Finally, in light of all these issues, we expect the intended new Law to include a regulation similar to the PbD principle in the GDPR provisions.