The enactment of Amendment 13 to the Privacy Protection Law marks a turning point in the regulatory approach to digital privacy in Israel. The amendment, recently approved by the Knesset and expected to enter into force during 2025, sets new and stricter standards for the protection of personal information and imposes significant sanctions on violators of the law. This is a comprehensive reform that will change the way organizations manage and secure personal information.
The implications for Israeli companies are dramatic: financial sanctions of up to NIS 320,000 for a single violation, and the possibility of personal claims of up to NIS 10,000 without proof of damage. Beyond fines, the risks include damage to reputation, loss of customer trust, and even cease-and-desist orders from the Privacy Protection Authority. The Authority received extensive powers for supervision and enforcement, including the ability to conduct surprise audits and demand documents and information from organizations.
Preparing for the new law requires a systemic and comprehensive approach. First, organizations must carry out a comprehensive mapping of the databases in their possession, including the identification of sensitive personal information, digital identifiers and biometric information. The mapping process must include interviews with department managers, the use of structured questionnaires, and the application of technological tools for the automatic identification of sensitive information.
At the same time, some organizations must appoint a privacy protection officer with legal and technological understanding, who will lead the adoption of an organizational culture that respects privacy. The officer's role also includes the development of training programs, risk management, and coordination with the Privacy Protection Authority.
Updating the information security and privacy policy is another critical step. This includes refreshing internal procedures, agreements with suppliers and public policy documents. At the same time, investment in advanced technological infrastructure is required to manage consents, identify personal information and protect against leaks. These systems must include advanced encryption capabilities, real-time anomaly monitoring, and protection mechanisms against information leaks.
Training employees and implementing security incident response plans are essential components of preparedness. It is recommended to develop a comprehensive training system and practice emergency scenarios. The exercises should include simulations of information leakage events, cyber attacks, and scenarios of requests from data subjects to exercise their rights.
Managing outsourcing providers requires special attention. All suppliers must be mapped, periodic control surveys must be carried out and detailed data processing agreements must be put in place. It is also important to establish a steering committee that will discuss information security incidents and oversee the management of permissions and updates in the systems, while fully documenting all decisions and actions.
Preparing for Amendment 13 is not only a legal obligation, but an opportunity to upgrade organizational processes and strengthen customer trust. Organizations that know how to prepare ahead of time will not only avoid sanctions, but will gain a competitive advantage in the digital age. Despite the costs involved in being prepared, the price of not being prepared – both in financial terms and in terms of reputation – may be immeasurably high. The time to act is now.
The writer is a partner and director of the information systems and cyber department, Fahn Kena Control Management – GT ISRAEL