Data Protection and Cybersecurity in the Digital Age: Legal Framework, Emerging Risks and Compliance Strategies

Authors: Atty. Ayça Berker & Atty. Deniz Nalbant
Introduction
In an era of rapidly accelerating digitalisation, data protection and cybersecurity have become central pillars of legal, commercial and technological strategies at both national and international levels. As of 2021, the regulatory framework in this field was largely shaped by the European Union General Data Protection Regulation (GDPR) and Türkiye’s Law No. 6698 on the Protection of Personal Data (KVKK). However, recent technological developments, the sharp increase in cyber threats, the widespread use of artificial intelligence applications, the growing scale of cross-border data transfers and the expansion of digital platform economies have necessitated a comprehensive recalibration of legal obligations and compliance policies in this area.
This article examines the current framework of data protection law, contemporary cybersecurity risks, corporate compliance processes and potential legal liabilities.
1. Personal Data Protection and International Regulatory Developments
1.1. Developments under the GDPR and the KVKK
- The GDPR continues to constitute the cornerstone of data protection in Europe. Nevertheless, additional regulatory initiatives entered into force in 2023 and 2024, particularly concerning artificial intelligence, algorithmic transparency and the enhanced protection of children’s personal data.
- In Türkiye, the KVKK was significantly amended in 2022 to achieve closer alignment with European data protection standards. These amendments clarified the legal contours of the concept of explicit consent and shortened the time limits for personal data breach notifications.
- Administrative fines have been substantially increased both in the EU and in Türkiye. Under the GDPR, administrative fines may reach up to 4% of an organisation’s worldwide annual turnover per infringement. Under the KVKK, as of 2025, administrative fines may amount to up to TRY 20 million.
1.2. Cross-Border Data Transfers
- The EU–US Data Privacy Framework, which entered into force in 2023, remains in effect as of 2025 and has resolved, to a large extent, the legal uncertainties created by the Schrems II judgment.
- In Türkiye, the list of countries benefiting from adequacy decisions has expanded, and organisations have been granted the possibility to rely on Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) for international data transfers.
2. Cybersecurity Risks and Legal Liability
2.1. Contemporary Threat Landscape
- Ransomware attacks have increasingly targeted critical infrastructure operators and the healthcare sector.
- Deepfake technologies and artificial-intelligence-driven phishing techniques have emerged as sophisticated tools targeting both individuals and corporations.
- Cascading data breaches that originate with cloud service providers and propagate to their customers have become more frequent, making supply chain security one of the most critical risk areas.
2.2. Legal Liability Regime
Companies may bear legal responsibility not only in their capacity as data controllers, but also as data processors.
In the event of a data breach, sanctions may arise not only under the GDPR and the KVKK, but also pursuant to the Electronic Communications Law, the Banking Law and the Turkish Criminal Code.
At the EU level, the NIS 2 Directive, which entered into force in 2023, significantly expanded cybersecurity obligations. In Türkiye, the National Cybersecurity Strategy 2023–2025 has introduced specific obligations for operators of critical infrastructures.
3. Compliance Strategies and Best Practices
3.1. Legal and Technical Safeguards
- Mapping all personal data flows through comprehensive data mapping exercises;
- Implementing robust access control mechanisms and multi-factor authentication systems;
- Conducting regular penetration testing and continuously updating incident response plans;
- Providing periodic data protection (KVKK/GDPR) and cybersecurity training programmes for all employees.
3.2. Contractual Protection Mechanisms
- Incorporation of data processing undertakings and cybersecurity protocols into contracts with suppliers and third parties;
- Use of standard contractual clauses for cross-border data transfers;
- Adoption of cyber risk insurance solutions to mitigate exposure in case of data breaches.
Conclusion
As of today, data protection and cybersecurity no longer constitute purely technical matters but represent areas of substantial legal responsibility. Both in the European Union and in Türkiye, regulatory authorities have adopted stricter supervisory approaches and imposed more severe sanctions in response to data breaches.
The adoption of proactive and holistic compliance strategies by companies not only ensures adherence to legal obligations, but also serves to protect corporate reputation and to maintain consumer trust. In a rapidly evolving technological and regulatory landscape, cooperation with experienced legal advisers is of critical importance for the effective management of risks and the sustainability of compliance frameworks.
For further information, please contact: info@berkerberker.com