Mitigating AI risks: A comparative analysis of Data Protection Impact Assessments under GDPR and KVKK
Abstract
This paper critically examines the Data Protection Impact Assessment (DPIA) frameworks under the European Union’s (EU) General Data Protection Regulation (GDPR) and Turkey’s Personal Data Protection Law (KVKK), with a particular focus on mitigating the risks posed by artificial intelligence (AI) technologies. It identifies significant gaps and challenges within each framework, especially regarding AI-specific risks such as data inference, re-identification and algorithmic bias. By analysing the regulatory landscapes and enforcement practices in key jurisdictions including Germany, France and Ireland, the paper draws lessons that could strengthen KVKK’s ability to address emerging AI-related challenges. The study adopts a comparative approach, detailing the similarities and differences between GDPR and KVKK in their application of DPIAs, their approaches to cross-border data transfers and their regulatory strategies for automated decision-making systems. The research highlights practical challenges faced by organisations, including balancing innovation with compliance, managing cross-border data flows and conducting effective risk assessments for high-risk data processing activities involving AI. Key findings include the need for Turkey’s KVKK to develop explicit AI-focused regulatory guidance, introduce mandatory DPIAs for high-risk activities and enhance transparency and accountability mechanisms. The paper also identifies best practices such as adopting privacy by design and default, leveraging technical measures such as federated learning and differential privacy, and engaging proactively with supervisory authorities to align with global standards. The paper concludes with actionable recommendations for policy makers and practitioners to harmonise KVKK with GDPR, improve cross-border data protection and foster trust in AI systems while maintaining innovation. 
These insights aim to provide a roadmap for building a robust data protection framework that addresses both current and future challenges posed by AI technologies.
The full article is available to subscribers to the journal.
Author's Biography
Arzu Galandarli is a dynamic and results-driven Legal Counsel with expertise in corporate law, international trade, compliance and data protection. He provides legal guidance to multinational companies, ensuring regulatory compliance and contractual security. With a background in European and international law, he specializes in GDPR, KVKK, and financial regulatory frameworks. Currently, Arzu is pursuing a PhD in European law and international trade at Istanbul Ticaret University, enhancing his knowledge in cross-border legal regulations. He holds an LLM in European business law from Aix-Marseille University and an LLB from Erciyes University, where he was fully funded by Türkiye Scholarships. Arzu’s experience spans pharmaceuticals, fintech and e-commerce, focusing on contract negotiations, mergers and acquisitions, and anti-money laundering (AML) compliance. A multilingual legal professional, he actively contributes to legal journals and conferences on data protection and international regulatory challenges.