Data Privacy Compliance Guide for SMEs: Making Sense of Turkey's KVKK

“We're a small company — surely data protection law doesn't apply to us.” If you do business in Turkey, that assumption can get expensive. KVKK (Kişisel Verilerin Korunması Kanunu) is Turkey's data protection law — the Turkish equivalent of GDPR — and it covers virtually every organisation that processes personal data. Keep a customer list? Run payroll? Operate CCTV at your premises or a contact form on your website? Then you process personal data, and KVKK applies to you.
Many SME owners treat compliance as something for the lawyers and keep postponing it. Yet the cost of non-compliance can be steep: serious administrative fines, reputational damage and — perhaps worst of all — the loss of hard-earned customer trust. The good news is that KVKK compliance is far more manageable than it looks, provided you follow a clear roadmap and keep your data infrastructure tidy.
In this guide we'll walk through what counts as personal data, where it accumulates in a typical business, your core obligations under KVKK, and a practical step-by-step plan to get started — no legal jargon required.

What Counts as Personal Data? More Than You Think
Much like GDPR, KVKK defines personal data broadly: any information relating to an identified or identifiable individual. Names and national ID numbers are the obvious examples, but email addresses, phone numbers, IP addresses, location data, CCTV footage and even licence plates all qualify. Special categories of data — health records, biometric data and the like — are subject to stricter rules, again mirroring GDPR.
Where does all this data pile up in an SME? In more places than most owners expect:
- HR processes: CVs, payroll records, health reports, onboarding documents
- Customer records: CRM entries, invoices, quotes, email threads
- E-commerce: account details, order and delivery addresses, payment records
- CCTV: footage of employees and visitors
- Your website: contact forms, cookies, analytics tools
A useful mental model: personal data is borrowed property. It doesn't belong to you; it has been entrusted to you for a specific purpose. You must use it only for that purpose, protect it carefully and hand it back — that is, delete it — once the job is done.
Your Core Obligations Under KVKK
You don't need to memorise the law. For most SMEs the picture boils down to five headings, and if you already know GDPR, much of it will feel familiar:
- Transparency: You must clearly tell people who you are, why you collect their data, who you share it with and what rights they have. Privacy notices on your website, information forms in HR files and CCTV signage all fall under this duty.
- Lawful basis and explicit consent: Every processing activity needs a legal ground. If one exists — performing a contract, meeting a legal obligation — you don't need consent; otherwise you must obtain explicit consent, freely given and specific to the purpose. Blanket “I accept everything” checkboxes don't count.
- Data inventory: A written record of what data you collect, why, where you store it, who you share it with and how long you keep it — similar in spirit to GDPR's records of processing activities. This inventory is the backbone of compliance; without it, every other step floats in mid-air.
- VERBİS registration: Unlike GDPR, KVKK requires data controllers that meet certain criteria to register with VERBİS, Turkey's public registry of data controllers. The thresholds are updated from time to time, so check whether your business is in scope at kvkk.gov.tr.
- Retention, deletion and breach notification: You cannot keep personal data indefinitely; once the purpose expires, the data must be deleted, destroyed or anonymised. And if a data breach occurs, you must notify the Turkish Data Protection Authority and the affected individuals without delay — a close cousin of GDPR's 72-hour rule.
Where to Start: A Step-by-Step Roadmap
Think of compliance as spring cleaning: first you take stock of the whole house, then you work through it room by room.
- Map the current situation. Which processes — HR, sales, accounting, your website — collect which data? Talk to each department and list the software and files you use.
- Build your data inventory. Gather your findings in a single table: data category, purpose, storage location, third parties, retention period.
- Drop unnecessary data. Stop collecting information your business doesn't need, and securely dispose of old records that have piled up over the years. Less data means less risk.
- Prepare notices and policies. Privacy notices, consent forms, a retention and disposal policy — this is the stage where working with a KVKK specialist or lawyer pays off.
- Clarify your VERBİS status. If you are in scope, register and keep your entry up to date.
- Train your team. Even the best policy collapses when an employee emails the customer list to a personal account. Schedule short but regular awareness sessions.
- Put technical measures in place. Access rights, backups, encryption, audit logs — the subject of the next section.
Planning these steps together with your digital transformation roadmap lets you design both efforts once, and in the right order.
The Role of Software and Data Infrastructure
KVKK is not just about legal documents; the law also expects you to take technical measures to keep data safe. This is exactly where your software and data infrastructure comes in:
- Access control: Not everyone should see everything. Your accountant has no reason to view customers' health reports; role-based permissions ensure each person sees only the data their job requires.
- Audit logging: Who viewed or changed which record, and when? If a breach is suspected, these logs are the only way to reconstruct what happened.
- Backup and encryption: Losing data is a breach too. Regular, tested backups are essential — we covered the details in our guide to data security and backup for SMEs.
- Data minimisation: Remove the “just in case” fields from your forms. If your software collects less data to begin with, there is less to protect.
- Automated disposal: Tracking retention periods by hand is nearly impossible. A well-designed system can automatically delete or anonymise records once their time is up.
One more reminder: leaked personal data becomes a powerful weapon in the hands of fraudsters — we explored recent examples in our guide to protecting your company from deepfake fraud. Consolidating data in a central system with controlled access, instead of scattering it across Excel files and personal laptops, makes both compliance and security fundamentally easier.
Compliance Is a Habit, Not a One-Off Project
KVKK compliance is not a project you complete once and file away. Every new software purchase, marketing campaign or hire means revisiting your inventory and notices. Work with your legal advisor on the regulatory side; on the technical side, a well-organised data infrastructure will carry much of the load for you.
At Lumethis, we build data infrastructure for SMEs with exactly this in mind: access control, audit logging, backups and centralised systems that make maintaining a data inventory straightforward. Take a look at our data and software services, or get in touch to make your company's infrastructure compliance-ready.
Note: This article is for general information only and does not constitute legal advice. Work with a qualified KVKK specialist or lawyer throughout your compliance process.
Need help with this topic?
Contact Us