How to increase awareness about Personal Data Protection with employees and data processors?

We all know that employers should provide awareness training to their employees on the protection of personal data. So, is the training given to the employees once enough? What is phishing? Why should you provide awareness training to your data processors? These questions and more are answered in our blog post this month!

Periodic training is as important as the initial training. Awareness Training.

The first step in providing employee awareness is to include the field of personal data protection among the trainings you put forward to the employee during the orientation process. It should be aimed that an employee joining the team has reached a basic level of knowledge on personal data before accessing systems containing personal data.

Keeping the awareness level of the employees at the highest level will play a major role in the sustainability of the personal data protection culture within your company. For this reason, it is important not to be satisfied with the initial training given to the employees in orientation, and to provide periodic trainings at least once a year.

However, in accordance with your main area of activity, you may mostly be processing sensitive personal data such as health data, biometric data or criminal convictions and security measures data. Or, some of your employees in your company may be working with such data due to their positions. In these cases, we recommend that you keep the frequency of the training and briefing periods to be given to these employees shorter. In addition, you can keep the personal data protection culture alive by providing small information notes to your employees or posting reminders on the boards throughout your business processes!

Do not give fish to your employees! Teach them to fish. Employee Audits.

Putting the knowledge which we have learned into practice is always a recommended method for the knowledge to become usable. For this reason, in addition to providing awareness training, monitoring the awareness levels of your employees and exposing them to artificial data breaches when it is necessary, will maximize efficiency.

You have trained your employees, established policies and procedures about personal data processing and destruction of personal data. It is always possible for your employees to check their knowledge and skills by taking quizzes in this area. However, you can learn exactly how much this information will be applied in the event of a data breach. At this point, artificial data breach can also come into play through phishing attacks, which is one of the artificial data breach forms and which you may prefer due to the practicality of its implementation. So what is phishing?

Phishing is an attack to steal passwords, credentials or other data using e-mails that appear to be reliable and come from another institution or another department within your company. During the phishing attack, artificial data breaches will be presented to the employees and their actions will be observed. In this way, the awareness level of the employees will be determined, and the efficiency of training, policies and procedures will be measured concretely.

Who caught it? Who cooked? Who ate? Roles and Responsibilities.

When an undesired situation occurs in your company, the first step that is important for operating a process that will enable you to reach the result efficiently and as soon as possible is to determine what all employees should do. This is as natural as the hired employee knowing whether to work in the Human Resources Department or the Finance and Accounting Department.

By distributing roles, responsibilities and authorities among the employees, it will be determined by whom the processes of preventing violations, executing violation processes or managing data requests will be carried out. During the said authorization; it is necessary to consider the title of the authorized person, his/her competence to do this job and the accessibility of the resources to be used by this person. For example, the employee who will provide information to the higher authority by directing other employees during the work process, should have a position at a level to make this direction and have an access data-containing environments.

The easiest way to carry out the personal data protection processes within your company is to establish an organized structure that will operate on its own. For this reason, by establishing a Personal Data Protection Committee within your company, it is possible to ensure the up-to-datedness of processes related to data processing activities and the sustainability of compliance. In order to ensure that this structure extends to all branches in your company’s organizational chart, you can assign one Data Protection Officer from each of your units. In this way, a communication network will be created starting from the smallest units of the company and extending to the Data Protection Committee and the Management.

What about your data processors? Joint Responsibility with Data Processors.

Companies, because of their nature, are legal entities that have to be in constant communication with the outside world in order to carry out their activities. You have to make agreements with other companies to deliver your products to customers, to provide call center service to your customers, to supply the necessary materials during your production activities and many more. Meanwhile, in order to carry out your business activities properly, you can sometimes be a little closer with some companies, recruit their employees, have them process personal data on your behalf, or transfer the personal data you have processed to them. At this point, data processors will come into play.

Pursuant to the Law on the Protection of Personal Data; in case the processing of personal data is carried out by another natural or legal person (meaning data processor) on behalf of the data controller, the data controller is jointly responsible with the data processor for taking the measures on personal data security. This means the following: Although you raise awareness of your own employees and build a smooth-running Data Protection compliance within your company, the ignorance of your data processors can ruin everything. And you, as the data controller, are responsible for this lack of data processors regarding Data Protection.

At this point, you have two options. Before entering into a contractual relationship with a company, it is possible to receive confirmation that they have taken the necessary actions in the field of Data Protection, ensure data security and raise awareness of their employees, and include these issues in the contract you will make. Or, you can keep the process under your own control by raising the level of awareness within your data processors and performing periodic audits on Data Protection compliance.

Your contractual relationship with the data processor and the scope of this relationship will play a major role in choosing one of the options. For example, you may want to train your data processor’s employees who will process data for you or access your existing databases, according to your authorization. However, ensuring the data security of a company that only provides archiving services and does not use the data you process, may be sufficient enough for you.


Personal data protection activities within companies are living processes. During many changes, such as the change of your business processes, the departure of your employees or the recruitment of new employees, the acquisition of new partners; one of the things to consider is the protection of personal data. Therefore, we would like to remind you that one of the most important and fundamental steps in terms of ensuring data security within your company is to increase the awareness level of employees, but it is not the only step!

Special thanks to Bilge Ezgi Peker for her contributions to this article.