The enactment of Amendment 13 to the Privacy Protection Law marks a turning point in the regulatory approach to digital privacy in Israel. The amendment, which was recently approved by the Knesset and is expected to come into force in 2025, sets new and stricter standards for the protection of personal information and imposes significant penalties on violators. This is a comprehensive reform that will change the way organizations manage and secure personal information.
The implications for Israeli companies are dramatic: financial fines of up to NIS 320,000 for a single violation, and the possibility of personal lawsuits of up to NIS 10,000 without proving damages. Beyond the fines, the risks include damage to reputation, loss of customer trust, and even injunctions from the Privacy Protection Authority. The authority has been granted extensive powers for oversight and enforcement, including the ability to conduct surprise audits and demand documents and information from organizations.
Preparation for the new law requires a systemic and comprehensive approach. First, organizations must conduct a thorough mapping of their data repositories, including identifying sensitive personal information, digital identifiers, and biometric data. The mapping process must include interviews with department heads, the use of structured questionnaires, and the implementation of technological tools to automatically identify sensitive information.
At the same time, some organizations must appoint a Privacy Protection Officer with both legal and technological expertise, who will lead the implementation of an organizational culture that respects privacy. Their role also includes developing training programs, managing risks, and coordinating with the Privacy Protection Authority.
Updating security and privacy policies is another critical step. This includes refreshing internal procedures, agreements with vendors, and public policy documents. At the same time, investment is required in advanced technological infrastructure for managing consent, identifying personal information, and protecting against leaks. These systems must include advanced encryption capabilities, real-time anomaly monitoring, and mechanisms for preventing data leaks.
Employee training and the implementation of response programs for security incidents are essential components of preparation. It is recommended to develop a comprehensive training system and simulate emergency scenarios. The drills should include simulations of data breaches, cyberattacks, and scenarios where data subjects request to exercise their rights.
Management of outsourcing vendors requires special attention. All vendors must be mapped, periodic control surveys conducted, and detailed data processing agreements arranged. It is also important to establish a steering committee that will discuss security incidents and oversee the management of permissions and updates in systems, with full documentation of all decisions and actions.
Preparation for Amendment 13 is not only a legal obligation but also an opportunity to upgrade organizational processes and strengthen customer trust. Organizations that manage to prepare in advance will not only avoid sanctions but also gain a competitive advantage in the digital era. Despite the costs of preparation, the price of not preparing – both in financial terms and in terms of reputation – could be immeasurably high. The time to act is now.
The author is a partner and head of the Information Systems and Cyber department at Fahn Kanne Management Control – GT ISRAEL.