IT Checklist for KVKK Compliance: 12 Concrete Items

Summary: KVKK IT compliance is summarized in 12 concrete items: data inventory, access control, log retention, backups, encryption, VERBIS filing, incident response, and vendor agreements. The status of each item must be backed by written evidence (policy, log, contract).
KVKK (Personal Data Protection Law) is a mandatory compliance area for SMEs too. The law and its secondary regulations describe technical and administrative measures, but translating them into IT practice calls for a clear checklist. This guide explains 12 practical items for KVKK compliance.
Why Does KVKK IT Compliance Matter?
In case of a breach, administrative fines and reputational loss are at stake. Even where customer and employee data are otherwise well managed, a data leak triggers notification obligations. Typical SME gaps:
- No personal-data inventory exists
- Where which data is kept is unclear
- Access logs missing
- Backups unencrypted
- Employee training never done
- No technical response capability for data-deletion requests
- The data-breach notification process never tested
These 12 controls practically close those gaps.
12 Control Items
1. Personal Data Inventory
Which data is processed? Employee, customer, supplier, and prospect records are listed. For each record type, the source, purpose, retention period, and deletion/destruction procedure are documented.
2. Data Flow Map
Where is data collected, where does it go, and where is it stored? Flows between CRM, accounting, email, and the file server are visualized.
3. Access Control
Each user accesses only the data needed for their job. Role-based access is set up; access of departed staff is removed immediately.
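One way to turn item 3 into written evidence is to reconcile the identity directory against the HR leaver list on a schedule. The script below is an added example, not code from the original article or from Yamanlar Bilişim; the export fields (username, enabled, last_login, last_day) and all sample records are constructed assumptions. It reports every account that is still enabled after its owner's last working day and flags accounts that were used after that day, which is the finding the manufacturing-site example later in the article describes.

```python
"""Added example (not from the original article): evidence for KVKK item 3.

Compares a directory export (assumed fields: username, enabled, last_login)
with the HR leaver list (assumed fields: username, last_day) and reports each
account that is still enabled after its owner's last working day. All sample
records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]  # None = never logged in


@dataclass(frozen=True)
class Leaver:
    username: str
    last_day: date


# Constructed sample export from the identity directory.
DIRECTORY_EXPORT = [
    Account("a.yilmaz", True, date(2024, 5, 2)),
    Account("b.kaya", False, date(2024, 1, 15)),
    Account("c.demir", True, date(2024, 4, 30)),
    Account("d.sahin", True, None),
]

# Constructed sample leaver list from HR.
HR_LEAVERS = [
    Leaver("a.yilmaz", date(2024, 3, 31)),  # left; account still enabled and used
    Leaver("b.kaya", date(2024, 1, 31)),    # left; account correctly disabled
    Leaver("d.sahin", date(2024, 4, 1)),    # left; account enabled, never used
]


def find_orphaned_accounts(accounts: List[Account], leavers: List[Leaver],
                           as_of: Union[date, str]) -> List[Tuple[str, int, bool]]:
    """Return (username, days_overdue, used_after_leaving) for every enabled
    account whose owner left before `as_of`, most overdue first."""
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    by_name = {a.username: a for a in accounts}
    findings = []
    for leaver in leavers:
        acct = by_name.get(leaver.username)
        if acct is None or not acct.enabled or leaver.last_day >= as_of:
            continue  # unknown account, already disabled, or not yet left
        days_overdue = (as_of - leaver.last_day).days
        used_after = acct.last_login is not None and acct.last_login > leaver.last_day
        findings.append((acct.username, days_overdue, used_after))
    return sorted(findings, key=lambda f: f[1], reverse=True)


def format_report(findings: List[Tuple[str, int, bool]], as_of: str) -> str:
    """Plain-text report that can be filed as audit evidence for the control."""
    lines = [f"Orphaned account check as of {as_of}: {len(findings)} finding(s)"]
    for username, days, used_after in findings:
        flag = "LOGIN AFTER LAST DAY" if used_after else "no login after last day"
        lines.append(f"  {username}: enabled {days} days after leaving ({flag})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_orphaned_accounts(DIRECTORY_EXPORT, HR_LEAVERS, "2024-05-10"),
                        "2024-05-10"))
```

Accounts with a login after the last working day are the ones to investigate first; an enabled but unused account is still a finding, but a used one means the access actually happened. Filing the report from each run is the written evidence the control table asks for.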
4. MFA Requirement
MFA should be mandatory on systems containing critical data (accounting, HR, CRM).
5. Encryption (At Rest and In Transit)
BitLocker on laptops, disk encryption on servers, HTTPS/TLS in transit. Encrypted delivery is considered for sensitive data in email attachments.
6. Backup and Deletion Procedure
Backups should be encrypted; when a deletion request comes, a procedure to delete from backups too should exist. Data past retention is destroyed automatically or manually.
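Items 1 and 6 together imply a mechanical check: the inventory gives each record type a retention period, and records whose period has run out are due for destruction. The following added example (not code from the original article or from Yamanlar Bilişim) applies a constructed inventory excerpt to constructed records. The retention trigger, the retention periods, and the "hold" flag that models an exception suspending destruction are all assumptions of the example; a record whose type is missing from the inventory is reported as an inventory gap rather than silently kept.

```python
"""Added example (not from the original article): KVKK items 1 and 6.

Applies the retention periods recorded in the data inventory to a set of
stored records and decides which ones are past retention and due for
destruction. Inventory, retention periods, trigger dates and the "hold"
flag are constructed assumptions for illustration.
"""
from datetime import date, timedelta
from typing import Dict, List, Union

# Constructed inventory excerpt: record type -> retention period in days,
# counted from the retention trigger (assumed: contract end / last contact).
RETENTION_DAYS = {
    "employee_file": 10 * 365,
    "customer_order": 10 * 365,
    "prospect_contact": 2 * 365,
    "visitor_log": 365,
}

# Constructed sample records. "hold" models an exception (for example an
# ongoing dispute) that suspends destruction; an assumption of this example.
RECORDS = [
    {"id": "E-001", "type": "employee_file", "trigger": date(2012, 6, 30), "hold": False},
    {"id": "E-002", "type": "employee_file", "trigger": date(2020, 1, 31), "hold": False},
    {"id": "P-010", "type": "prospect_contact", "trigger": date(2021, 9, 1), "hold": False},
    {"id": "P-011", "type": "prospect_contact", "trigger": date(2021, 9, 1), "hold": True},
    {"id": "V-100", "type": "visitor_log", "trigger": date(2023, 2, 1), "hold": False},
    {"id": "X-999", "type": "unlisted_export", "trigger": date(2019, 1, 1), "hold": False},
]


def classify(records: List[dict], as_of: Union[date, str]) -> Dict[str, List[str]]:
    """Sort record ids into destroy / hold / retain / not_in_inventory."""
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    result = {"destroy": [], "hold": [], "retain": [], "not_in_inventory": []}
    for rec in records:
        days = RETENTION_DAYS.get(rec["type"])
        if days is None:
            # Inventory gap: the inventory must be fixed before a decision is made.
            result["not_in_inventory"].append(rec["id"])
            continue
        expiry = rec["trigger"] + timedelta(days=days)
        if expiry > as_of:
            result["retain"].append(rec["id"])
        elif rec["hold"]:
            result["hold"].append(rec["id"])
        else:
            result["destroy"].append(rec["id"])
    return result


def destruction_evidence(record_id: str, as_of: str, method: str = "secure_delete") -> dict:
    """Evidence entry to file once a record has actually been destroyed,
    including the backup sets that still have to be handled (assumed field)."""
    return {
        "record": record_id,
        "destroyed_on": as_of,
        "method": method,
        "backups_pending": True,  # cleared when the backup cycle has rotated it out
    }


if __name__ == "__main__":
    decisions = classify(RECORDS, "2024-06-01")
    for bucket, ids in decisions.items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
    for rid in decisions["destroy"]:
        print(destruction_evidence(rid, "2024-06-01"))
```

Running the classification on the inventory's own retention values, rather than on numbers typed into the script, keeps the inventory as the single source of truth; when the inventory changes, the next run changes with it. The evidence entry carries a pending flag for backups so that the deletion-from-backups step in item 6 is tracked rather than forgotten.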
7. Log Retention
Access, change, and deletion of personal data are logged. Logs are kept for at least 2 years; protected against tampering.
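"Protected against tampering" in item 7 needs a concrete mechanism. One common approach is a hash chain: each log entry's hash covers the previous entry's hash, so editing or inserting an entry breaks every link after it. The block below is an added example, not code from the original article or from Yamanlar Bilişim; the event fields and the sample events are constructed.

```python
"""Added example (not from the original article): KVKK item 7.

A hash-chained access log for personal-data events. Each entry's hash
covers the previous hash, so a modified or inserted entry is detected by
re-verifying the chain. Event fields and sample events are constructed.
"""
import copy
import hashlib
import json
from typing import List, Tuple

GENESIS = "0" * 64  # the "previous hash" before the first entry


def link_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_event(chain: List[dict], event: dict) -> List[dict]:
    """Append an event, linking it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "hash": link_hash(prev, event)})
    return chain


def first_broken_link(chain: List[dict]) -> int:
    """Index of the first entry whose hash no longer matches, or -1 if intact."""
    prev = GENESIS
    for i, link in enumerate(chain):
        if link_hash(prev, link["event"]) != link["hash"]:
            return i
        prev = link["hash"]
    return -1


def head_hash(chain: List[dict]) -> str:
    """Latest hash; store it on a separate system to detect tail truncation."""
    return chain[-1]["hash"] if chain else GENESIS


# Constructed sample events: access, change and deletion of personal data.
SAMPLE_EVENTS = [
    {"ts": "2024-05-10T09:12:00Z", "user": "hr.ops", "action": "read", "record": "E-002"},
    {"ts": "2024-05-10T09:15:30Z", "user": "hr.ops", "action": "update", "record": "E-002"},
    {"ts": "2024-05-11T16:40:05Z", "user": "it.admin", "action": "delete", "record": "P-010"},
]


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


def tamper_demo() -> Tuple[int, int]:
    """Verify an intact chain, then a copy where the deletion was re-attributed."""
    chain = build_sample_chain()
    intact = first_broken_link(chain)
    forged = copy.deepcopy(chain)
    forged[2]["event"]["user"] = "hr.ops"  # rewrite who performed the deletion
    return intact, first_broken_link(forged)


if __name__ == "__main__":
    print("intact / forged first broken link:", tamper_demo())
    print("head hash to store off-system:", head_hash(build_sample_chain()))
```

The chain detects modification and insertion, but not silent removal of the newest entries: a chain with its last entry cut off still verifies. That is why the head hash should be copied daily to a system the log's administrators cannot write to (a separate log server or write-once storage); comparing the stored head with the current chain closes the truncation gap.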
8. Third-Party Management
Data processor agreements must be signed with cloud services, shipping firms, and accounting advisors. A data processing agreement (DPA), similar to the GDPR model, is used.
9. Data Breach Notification Process
The procedure for notifying the Authority within 72 hours and informing affected individuals must be in writing, and it is tested with a drill.
10. Employee Training
All staff should receive KVKK awareness training at least once a year. Training is also part of new-hire onboarding.
11. Physical Security
Physical measures like server room locks, file cabinet keys, and visitor logs should be documented and audited.
12. Periodic Audit
An internal audit should be done at least once a year; gaps should turn into action plans.
Control Table
| Item | Owner | Frequency |
|---|---|---|
| Inventory | Data Controller + IT | Annual update |
| Access | IT | On every change |
| MFA | IT | Continuous monitoring |
| Encryption | IT | Annual audit |
| Backup | IT | Monthly testing |
| Logging | IT | Continuous |
| Third party | Legal + Data Controller | Annual |
| Breach procedure | Management + IT | Annual drill |
| Training | HR + Data Controller | Annual |
| Physical security | Management | Twice a year |
| Audit | Independent internal | Annual |
Common Mistakes
- Inventory done once and never updated
- Personal data in backups skipped in deletion
- Managers excluded from employee training
- A verbal plan instead of a written breach procedure
- Third-party contracts left incomplete
- Short log retention
- A minimum-only approach for compliance, missing the chance to reduce real security risk
Real-World Examples
Example 1: Inventory Work at an Accounting Firm
For the first time, an accounting firm concretely identified where data was kept for KVKK compliance. A few sensitive-data leftovers were noticed on old computers; a regular destruction procedure was set up.
Example 2: Access Cleanup at a Manufacturing Site
At a manufacturing site, the accounts of departed staff were still active. The annual audit caught this. An "account closure verification" step was added to the offboarding flow; a rule was set so HR does not approve until IT confirms.
Example 3: Breach Drill at a Consulting Firm
A consulting firm ran a drill on a hypothetical leak scenario. The pressure of the 72-hour notification window was visible; a ready-made notification template was created.
How Does Yamanlar Bilişim Support This Process?
Yamanlar Bilişim addresses the IT side of KVKK compliance through the 12-control framework. All steps from inventory to breach drills are applied tailored to your business.
Main areas where Yamanlar Bilişim can support:
- Personal-data inventory and flow map
- Access-control policy and role design
- MFA and identity-security setup
- Disk and transit encryption
- Backup and deletion procedure
- Log collection and compliance reports
- Data breach notification plan and drill
- Employee training program
Frequently Asked Questions
How high is the KVKK administrative-fine risk for an SME?
If a deficiency is found after a complaint or audit, serious fines can be applied. With proactive compliance, the risk drops to a minimum.
How often should the personal-data inventory be updated?
A full annual review; plus an update whenever a new system or workflow change happens.
Do I have to delete personal data from backups when a deletion request comes?
In principle yes; in practice there are certain exceptions. Restricting access until the backup cycle completes is an acceptable approach.
Can I use overseas cloud services?
Cross-border transfer can require special procedures and explicit consent. Legal advice should be obtained.
How is employee training documented?
Training attendance lists, training content, and date records should be kept. Provided to the auditor on request.
Author
Serdar
Yamanlar Bilişim Expert
Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.