
Management’s responsibility for data security in the company | Barnea Jaffa Lande & Co.

The Israeli Privacy Authority recently published a binding directive on the board’s responsibility for fulfilling the company’s obligations under the Privacy (Data Security) Regulation. The directive, which has just entered into force after receiving public comments, expands and clarifies the board’s obligations to protect privacy and data security.

The directive states for the first time that the management board takes full responsibility for data security in the company and in case of violation of the applicable rules, the company will be exposed to a fine of NIS 320,000 for each violation.

Application of the directive

The latest directive from the Office for the Protection of Privacy focuses on corporations engaging primarily in the processing of personal data, or corporations whose business activities may involve an increased risk of privacy breaches. Examples of such corporations include:

  • Cellular companies and companies that collect location data
  • Banking corporations and insurance companies
  • Companies operating in the medical industry
  • Major retailers
  • Companies employing employees and research institutes dealing with employee assessment.

In order to determine whether the provisions of the Directive apply to corporations, it is necessary to consider, among other things, the characteristics of the corporation (private or public company), the type and sensitivity of the information processed, the amount of information collected, and the number of employees authorized to access that information. For example, corporations that collect significant amounts of economic or medical information in the course of their routine activities will be subject to the Directive.

Management’s responsibility for implementing the regulations

According to the directive of the Office, since the board of directors is one of the company’s bodies responsible for data security, it is responsible for supervising and ensuring that the company complies with laws and regulations, as well as for establishing organizational policy in this area. The board of directors is also obliged to be particularly involved in meeting the requirements and even to be among the decision-makers.

Therefore, the Directive provides that the board of directors is responsible for fulfilling five key duties set out in the regulations:

  • The board must approve the database definition document, which must include, among other things: a description of the activities related to the collection and use of information; a description of the purposes of using the information; the different types of information contained in the database, etc.
  • The board must discuss the key principles of the organizational data security procedure. This procedure must include instructions regarding the physical and environmental security of the database; authorizations for access to the database; a description of the measures to be taken to protect the database; how to deal with data security incidents; etc.
  • The board must hold a quarterly or annual discussion (depending on the database security level) about data security incidents within the corporation, including determining whether there is a need to change organizational data security procedures.
  • The board must oversee the discussion of the risk review and penetration testing results and must approve the actions necessary to remedy the discovered deficiencies (for databases requiring a high level of security).
  • The board must discuss the results of the periodic audit (once every two years for databases with a medium or high security level) for compliance with the regulations.

Other key provisions of the directive

  • The Directive also refers to Amendment No. 13 to the Privacy Law, which was recently approved by the Knesset and is set to enter into force in August 2025. Among other things, the amendment defines a new category of “highly confidential information,” which affects the amount of financial penalties that will be imposed in the event of a breach; requires companies to appoint a privacy officer; and requires companies to register databases and report their existence to the Privacy Office.
  • The Directive recognises that, in appropriate cases, the board will be able to delegate its responsibilities to another entity within the company, taking into account the degree of privacy risk associated with the company’s activities, its size and the composition of the board. Nevertheless, even in such situations, the board will be required to actually oversee compliance with the regulatory requirements.
  • The Directive clarifies that the board’s duties are intended to be in addition to, and not to diminish, the duties imposed on the company’s board of directors, its chief executive officer, or any other corporate compliance officer. In addition, the Directive may provide a basis for derivative lawsuits that may be brought by shareholders against directors.
  • Finally, the Directive states that one of the key means by which the board can fulfill its oversight responsibilities is to adopt an effective internal enforcement program. Such a program should include mechanisms for monitoring, reporting and supervising the implementation of the provisions of the laws and regulations governing privacy and data security.

Measures to be taken

To mitigate the risk that directors may be personally liable for their duties under the law – whether through enforcement proceedings by the Privacy Office or as a result of personal or derivative actions – the company and its board should familiarise themselves with the duties imposed on them under the privacy laws. They must also take steps to ensure that they actually discharge their duties as directors.

To comply with applicable data security obligations, businesses should consider implementing several measures:

  • conduct training for management board members on privacy protection and data security;
  • remap their databases in order to classify them in accordance with the provisions of the Privacy (Data Security) Regulation;
  • update the assessment of the data security risks the company faces;
  • update and amend the company’s data security procedures for handling security incidents;
  • ensure that the company’s internal control systems comply with the amended regulations;
  • consider appointing a professional advisor to the board on privacy and data security issues.
