A company CEO was surprised to receive a formal diagnostic questionnaire from the Israeli Privacy Protection Authority (PPA). The problem was not the questionnaire itself, but the alarming fact that the organization had never conducted a preliminary assessment of its needs and risks, that gaps had never been mapped, and that the technological and legal rectifications required by law had not been implemented in time. Is it even possible to bridge years of gaps and transform a data system riddled with deficiencies into a fortress of compliance and privacy once the Authority's hourglass has already been turned?
Amendment 13 to the Israeli Privacy Protection Law now serves as a central pillar in strengthening the deterrence and enforcement capabilities of the PPA. It represents a paradigm shift: a transition from a "recommendations-based" model to a model of firm administrative enforcement, including heavy financial sanctions and the issuance of binding professional directives to database controllers. The PPA no longer merely investigates security breaches after the fact; it acts proactively to ensure that both private and governmental organizations comply with the rigorous standards of the Privacy Protection Law, and it has the power to impose personal fines on company executives of up to ILS 150,000.
One of the most significant changes introduced by Amendment 13 is the mandatory appointment of a Data Protection Officer (DPO). This requirement is no longer limited to public bodies; it now applies to contractors working on their behalf, to entities whose primary business is trading in personal data, to organizations engaged in systematic monitoring of human behavior, and to entities processing significant volumes of sensitive data (such as medical, biometric, criminal or credit data, or information regarding sexual orientation). The DPO is an independent professional function that reports directly to the CEO and the Board of Directors and is charged with overseeing the organization's data security.
However, even where appointing a DPO is not mandatory, the Board of Directors bears an active duty to ensure data security. It must approve definitions and procedures, assess risks, and verify the implementation of a compliance policy that includes control mechanisms and immediate reporting of security incidents. Therefore, even in the absence of a statutory obligation, appointing a DPO is highly recommended to ensure ongoing compliance and to mitigate the exposure of directors and officers in the event of a data breach. Ignoring the DPO's recommendations or failing in ongoing oversight (including failing to allocate appropriate resources) may be treated as a breach of the duty of care. Whether during a regulatory audit or in the aftermath of a leak, such failures can lead to personal liability for directors and officers, independent of the company's corporate liability.
A common executive error is to treat privacy as a temporary "project" undertaken in preparation for an audit. Amendment 13 makes clear that ultimate responsibility lies with the Board, exposing officers to heavy personal financial sanctions and potential criminal investigations. Officers are therefore advised to act without delay to ensure full compliance and to formulate written security procedures. Given the legal and personal risks involved, it is advisable not to settle for a standard external DPO provider (especially in light of the recent influx of inexperienced providers "popping up like mushrooms" after Amendment 13). Instead, organizations should engage a law firm with specific expertise in privacy protection to provide ongoing professional guidance and external DPO services.
