Mitigating AI risks: A comparative analysis of Data Protection Impact Assessments under GDPR and KVKK

This paper critically examines the Data Protection Impact Assessment (DPIA) frameworks under the European Union’s (EU) General Data Protection Regulation (GDPR) and Turkey’s Personal Data Protection Law (KVKK), with a particular focus on mitigating the risks posed by artificial intelligence (AI) technologies. It identifies significant gaps and challenges within each framework, especially regarding AI-specific risks such as data inference, re-identification and algorithmic bias. By analysing the regulatory landscapes and enforcement practices in key jurisdictions including Germany, France and Ireland, the paper draws lessons that could strengthen KVKK’s ability to address emerging AI-related challenges. The study adopts a comparative approach, detailing the similarities and differences between GDPR and KVKK in their application of DPIAs, their approaches to cross-border data transfers and their regulatory strategies for automated decision-making systems. The research highlights practical challenges faced by organisations, including balancing innovation with compliance, managing cross-border data flows and conducting effective risk assessments for high-risk data processing activities involving AI. Key findings include the need for Turkey’s KVKK to develop explicit AI-focused regulatory guidance, introduce mandatory DPIAs for high-risk activities and enhance transparency and accountability mechanisms. The paper also identifies best practices such as adopting privacy by design and default, leveraging technical measures such as federated learning and differential privacy, and engaging proactively with supervisory authorities to align with global standards. The paper concludes with actionable recommendations for policy makers and practitioners to harmonise KVKK with GDPR, improve cross-border data protection and foster trust in AI systems while maintaining innovation. These insights aim to provide a roadmap for building a robust data protection framework that addresses both current and future challenges posed by AI technologies.