
KVKK Technical & Administrative Measures: 2026 SME Compliance Checklist

[Image: IT specialist auditing data security measures in a server room]

For most SMEs in Türkiye, KVKK compliance has shrunk to two words: privacy notice and VERBİS. You post a notice on the website, register with the data controllers’ registry, and close the file. But when the Personal Data Protection Board (KVKK is Türkiye’s data protection authority, and its law is the rough equivalent of the GDPR) audits you, it looks somewhere else entirely: are you actually protecting the data itself? That question lives in Article 12 of the law — the data security obligations.

The gap shows up plainly in one penalty line. In 2026 the ceiling for breaching the disclosure obligation is TRY 1,709,200, while failing to take data security measures can cost up to TRY 17,092,242. Handling the paperwork and leaving the technical side empty means keeping most of the risk in your own pocket.

What exactly does Article 12 require?

The article mandates three things: prevent unlawful processing of personal data, prevent unlawful access to it, and ensure its safekeeping. To do this you must take “all necessary technical and administrative measures to provide an appropriate level of security.”

The law deliberately avoids a single recipe. Expecting the same setup from an eight-person accounting office and a 200-person e-commerce firm would make no sense. The authority knows this, and asks for measures scaled to company size, the nature of the business and the type of data processed. The detailed framework sits in the authority’s published Personal Data Security Guide, organized under two headings: administrative measures and technical measures.

Use the two lists below as a self-assessment tool. Mark each line “in place”, “partial” or “missing” — for most companies this simple exercise alone makes the compliance path clear.

Administrative measures checklist

These aren’t about hardware; they’re about decisions and processes. Honestly, this is where SMEs stumble most, because the work is “invisible”.

  • Personal data inventory — do you keep a written record of which data you hold, why, where, and for how long? Without an inventory, everything else rests on guesswork.
  • Corporate policies — are your access, information security, usage and retention-disposal policies written and current?
  • Contracts with data processors — do you have confidentiality and security commitments with everyone you share data with: your accountant, cloud provider, courier, call center?
  • Retention and disposal — do you periodically delete, destroy or anonymize data whose retention period has expired?
  • Staff awareness training — can your people recognize a phishing email and know where a record belongs? Training should be a repeated habit, not a one-off slide deck.
  • Internal audit and risk analysis — do you regularly check whether the measures actually work?
  • VERBİS — registration is mandatory if your annual headcount exceeds 50 or your balance sheet total exceeds TRY 100 million. If your core activity processes special-category data (health, biometrics), you must register even below those thresholds.

Technical measures checklist

This side belongs to your IT team or your outsourced partner. Here are the guide’s headings mapped to what they mean on the ground:

Measure                                  What it means in practice
Authorization matrix & access control    Everyone reaches only the data their job needs, not all of it
User account management                  A departing employee’s account is closed the same day; no shared passwords
Encryption                               Disks, databases and portable devices encrypted; traffic over HTTPS/TLS
Backup                                   Regular, tested and ideally immutable backups
Network security                         Firewall, segmentation, up-to-date anti-virus/EDR
Logging                                  Access and transaction logs kept and protected against tampering
Penetration testing                      Periodic external vulnerability scanning
Data masking / DLP                       Sensitive fields masked, data-loss prevention active
Secure disposal                          Drives retired via physical destruction or secure wipe

Half of these lines already exist in a well-run IT setup. What’s usually missing is the written evidence: being able to show in an audit that you applied the measure. The Board doesn’t trust the claim “we do it” — it looks at records and policy.

How much is the fine if you skip the measures?

The 2026 amounts were updated by the 25.49% revaluation rate published in the Official Gazette on 27 November 2025. Current floors and ceilings:

Violation type                         Lower limit      Upper limit
Disclosure obligation (Art. 10)        TRY 85,437       TRY 1,709,200
Data security (Art. 12)                TRY 256,357      TRY 17,092,242
Non-compliance with Board decisions    TRY 427,263      TRY 17,092,242

When setting the fine, the Board weighs whether the violation was intentional or negligent, how many people were affected, what corrective steps were taken, and whether a similar breach happened before. A firm that took its measures in advance — and can document them — stands on far more defensible ground when a breach does occur.

Where should an SME start?

The point isn’t to do all of it in one week. I’d suggest this order:

  1. Build the inventory. You can’t protect what you don’t know you have.
  2. Fix access and passwords. Close shared accounts, cut off departed staff — this drops the biggest risk at zero cost.
  3. Test the backup. A backup that exists but has never been restored is as good as no backup.
  4. Put training on the calendar. A large share of breaches start not from a technical flaw but from a link an employee clicked.
  5. Write the gaps into a roadmap. The Board doesn’t expect perfection; it expects reasonable, demonstrable effort.

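Step 3 above is the one most often claimed and least often proven. The script below is an added example from the editor, not Xen Bilişim’s tooling: it restores a tar.gz backup into a scratch directory and compares every file against a SHA-256 manifest written at backup time, which is the kind of dated, repeatable restore record an audit can accept. The sample files, paths and the “good” versus “bad” backup are constructed inline; the manifest format and function names are the example’s own assumptions, not part of the guide.

```python
"""Backup restore test: restore an archive and verify it against a manifest.
Added example (editor's code, not the page's); sample data is constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map each regular file (path relative to source) to its SHA-256 digest."""
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path, manifest: Path) -> int:
    """Write a tar.gz of the source tree plus a JSON manifest; return file count."""
    entries = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in entries:
            tar.add(source / rel, arcname=rel)
    manifest.write_text(json.dumps(entries, indent=2), encoding="utf-8")
    return len(entries)


def verify_restore(archive: Path, manifest: Path) -> dict:
    """Restore into a fresh scratch directory and check every manifest entry.

    Returns a dict an audit record can be built from: whether the restore was
    clean, how many files came back intact, and which were missing or altered.
    """
    expected = json.loads(manifest.read_text(encoding="utf-8"))
    result = {"ok": False, "restored": 0, "missing": [], "corrupted": []}
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter refuses absolute paths and '..' traversal
                # in member names (Python 3.12+, backported to later 3.8-3.11).
                tar.extractall(target, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(target)
        for rel, digest in expected.items():
            restored = target / rel
            if not restored.is_file():
                result["missing"].append(rel)
            elif sha256_file(restored) != digest:
                result["corrupted"].append(rel)
            else:
                result["restored"] += 1
    result["ok"] = not result["missing"] and not result["corrupted"]
    return result


def demo() -> tuple:
    """Constructed scenario: a sound backup, then one that silently drifted."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "data"
        (data / "hr").mkdir(parents=True)
        (data / "hr" / "staff.csv").write_text("id,name\n1,Ayşe\n", encoding="utf-8")
        (data / "contracts.txt").write_text("processor agreement v2\n", encoding="utf-8")

        good_archive, good_manifest = work / "good.tar.gz", work / "good.json"
        create_backup(data, good_archive, good_manifest)
        good = verify_restore(good_archive, good_manifest)

        # Failure mode: the next backup ran after one file was altered and
        # another deleted, while the recorded manifest still describes the old set.
        (data / "hr" / "staff.csv").write_text("id,name\n1,Ayse\n", encoding="utf-8")
        (data / "contracts.txt").unlink()
        bad_archive = work / "bad.tar.gz"
        create_backup(data, bad_archive, work / "bad.json")
        bad = verify_restore(bad_archive, good_manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("sound backup:", good)
    print("drifted backup:", bad)
```

Run it on a schedule against the real archive and keep the returned dict with a timestamp; that log is the written evidence the Board asks for, and a non-empty “missing” or “corrupted” list is the signal that the backup line in the checklist is “partial”, not “in place”.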
Frequently asked questions

Is KVKK compliance only for large companies? No. The Article 12 obligation is independent of headcount; even a one-person business must take data security measures. VERBİS registration depends on thresholds, but the duty to protect data belongs to everyone.

I have a privacy notice and a VERBİS record — am I compliant? Those are necessary but not sufficient. An audit also questions your technical measures (encryption, backup, access control, logs) and administrative processes. The heaviest penalty line sits precisely on that side.

Do we have to build all the measures ourselves? Not necessarily. Many SMEs run their technical measures through a managed IT partner; the contract with the data processor is the legitimate, recorded way to do this.

If you’d like to review your data security side through an auditor’s eyes, we can compare your current setup against the Article 12 checklist and plan the missing items together. Get in touch.
