In today's business world, data is gold. Collecting and analyzing data to create value is present in every part of a business, from supply chain management to marketing. Data-driven organizations benefit from greater transparency and accountability, better decisions that improve the bottom line, and consistent, continuous improvement.
Data is a powerful tool; however, companies that handle it are also subject to rigorous data protection laws intended to prevent misuse and to protect sensitive personal information. Of these laws, GDPR is the best known and the one used as a model for other laws and regulations.
What is GDPR?
GDPR, which stands for General Data Protection Regulation, is a European Union (EU) law that protects the personal data of individuals in the EU. Although it was passed in Europe, it affects businesses worldwide, because it applies to any organization that processes the personal data of people in the EU. It became applicable in May 2018 and set new standards for data protection. GDPR tells companies of all sizes what they can and cannot do with the personal data they hold, whether it belongs to employees or customers.
GDPR defines personal data broadly as any information relating to an identified or identifiable person. This covers anything from name, phone number, address, date of birth, bank account and passport number to social media posts, geotags and health records. Certain categories, such as health data, racial or ethnic origin, religious beliefs and political opinions, are treated as special categories and placed under stricter protection. GDPR regulates the handling of any information that can help identify a person.
The Basic Principles of GDPR
GDPR is a long and complex legal document, but its core obligations can be summarized in the following six points:
- Fair data processing: Data must be processed in a lawful, fair and transparent manner. The data subject should always know what data is collected and specifically what it will be used for.
- Purpose limitation and consent: Connected to the first principle, data collected on the basis of the data subject's consent (or another lawful basis under GDPR) should serve a specified, limited purpose and should be used only for that purpose. Any additional use of the data requires the data subject's explicit consent.
- Minimal data collection and storage: Data is collected for a purpose, and only the data necessary for that purpose should be collected. Data should also be stored only for as long as it is needed.
- Privacy by design: Proactively integrate data protection into the design of new products and systems.
- Respect for data subject rights: Honor users' rights to request access to, correction, deletion or transfer of their data.
- Notifying data breaches: If a data breach occurs, the supervisory authority must be notified within 72 hours of the organization becoming aware of it, and the affected users must be informed without undue delay where the breach is likely to result in a high risk to them.
Data Protection in Turkey
Turkey has enacted its own data protection law, the Law on Protection of Personal Data (KVKK). While the two regulations differ in detail, since they operate in different legal systems, their basic principles are the same. According to KVKK, personal data must be:
- Processed lawfully and fairly.
- Accurate and where necessary, kept up-to-date.
- Processed for specified, explicit and legitimate purposes.
- Relevant, limited and proportionate to the purposes for which they are processed.
- Retained for the period of time determined by the relevant legislation or the period deemed necessary for the purpose of the processing.
Considerations for Implementing IoT Systems
IoT systems used in workplaces raise concerns about the protection of personal data. IoT devices generate large volumes of data, which is transmitted, processed and often stored for later use. Some of that data can qualify as personal data, which makes this process sensitive and challenging from a data protection standpoint.
Many of the data processing activities involved in operating IoT systems fall within the scope of GDPR, since IoT devices may collect personal data for processing. Data protection should therefore be built into any IoT solution from the start, following the principle of "privacy by design". Transparency, fairness, purpose limitation, data minimization, data accuracy and consent should all be addressed in the design of the IoT product, and the design decisions should be documented, with supporting evidence, to satisfy the accountability principle.
Safe Steps is designed to comply with KVKK and GDPR, and protection of all processed data is a core requirement of the system. The interaction data collected by the wearable devices and the personal data needed for filiation (contact tracing) reports are kept on separate servers to better protect the personal data. The Natro servers on which personal data is held are ISO 27001 certified, in line with the international standard for information security management.
Contact us for more information on Safe Steps.