In 2018, a hostile European takeover of the global business world has began. Didn't you feel it? If your company does business with entities in the EU or contacts with customers from the EU - you are likely to feel it. The code name given to the takeover operation: GDPR, and it ostensibly touches on everything related to information security and use of personal information, but in practice it has a touch on every business activity, anywhere in the world!
On May 25, 2018, the European data protection directive came into force (its full name is: The General Data Protection Regulation, but everyone knows it under the abbreviation: GDPR), which brought with it the most comprehensive change to information security law in decades and created a real revolution in requirements for businesses that collect or process people's personal information. The most significant change brought about by the directive is the application of direct and absolute responsibility to companies and individuals who collect or process personal information, to maintain the confidentiality of the personal information they collect and to legally justify its use.
The directive adopted a new concept of planned privacy in addition to privacy by default and its breach exposes to heavy fines ranging from Euro 20,000 to 4% of the business’ profits. Thus, the confidentiality of the information must be fully transparent to the customer and one that is pre-planned proactively, built into the technology or information collection process, and guaranteed automatically, with the subject of the information is not required to take any further action on its part to ensure security or confidentiality of data. Furthermore, the transfer of information about EU citizens outside the borders of the EU is only allowed to a country that has been examined by the EU and found to meet the criteria. Moreover, even without transferring information outside the EU, the Directive applies to all information related to EU citizens or companies operating in the EU.
In other words, if your company sells products or collects personal information of EU citizens or enters into an agreement with a company registered in the EU according to which you are exposed to data of such company - you must comply with the Directive. In fact, even if your company provides services and receives information only about Israeli citizens, it is enough that one of them also holds European citizenship (a common thing in Israel), in order to apply the Directive to you.
Most Israeli companies comply with Israeli privacy legislation and regulations enacted under it and believe that they are safe, but are unaware that Israeli legislation lacks many of the elements in the European Directive such as the right to be forgotten, a person's right to withdraw consent given to processing or use of data or the obligation of the collecting company to declare to its customers the legal reason justifying the collection of information in the first place. At the same time, many Israeli companies communicate with European entities and collect personal data about them, while not being aware that compliance with Israeli rules does not protect against violating the Directive.
What, then, are Israeli organizations required to do in order to meet the requirements of the Directive? It is advisable to enlist the help of a lawyer with expertise in the field, to produce an internal enforcement plan, after an internal organizational review to diagnose what personal information the company collects, what uses are made thereof, and what legal reasons justify its collection, to determine whether the Directive applies. As part of the internal enforcement plan, internal procedures for information security and confidentiality and a transparency police are to be adopted, privacy policies and terms of use updated, as well as amendments to agreements with employees and subcontractors with access to data and any other step taken to prevent breach of the Directive.