2024-10-08

"From our experience, in many cases cyberattacks could have been avoided if companies had complied with the privacy protection regulations (data security). Unfortunately, there are many companies in Israel that have not sufficiently complied with data security regulations, perhaps because the sanctions for violations were not significant, and they became a target for cyberattacks," said Adv. Gilad Semama, Commissioner of the Privacy Protection Authority (PPA), this week. "Once the sanctions come into force according to the amendment to the law, we expect many companies will increase their efforts and raise the level of data security in order to comply with the regulatory requirements."

Adv. Semama was speaking at a conference organized by Lipa Meir & Co. Advocates and the Israel Directors Union (IDU), held last week on Amendment No. 13 to the Privacy Protection Law. The amendment was recently passed by the Knesset and introduces changes and revisions to the Privacy Protection Law, which had not undergone any major changes for about 30 years. Among other things, the amendment expands the PPA's enforcement powers to include a mechanism for financial sanctions of considerable amounts for violations of the privacy protection law and regulations, strengthens the PPA's criminal investigative powers, and introduces an obligation to appoint a Data Protection Officer for certain organizations. It also narrows the obligation to register digital databases and, in some cases, replaces it with an obligation to notify the PPA regarding sensitive databases.

Adv. Semama added, "The most important achievement of the amendment to the Privacy Protection Law is the 'repricing' of the violation of the right to privacy. In future cases that the PPA will be managing after the amendment to the law comes into effect against companies that have violated the law and regulations, the financial sanctions may amount to millions of shekels. Therefore, organizations must prepare in accordance with the entry into force of the amendment to the law, as its consequences will be extensive and significant."

Board of Directors’ responsibility to supervise and prevent cyberattacks

The conference also dealt with the new directive recently published by the PPA regarding the responsibility of the board of directors in fulfilling obligations set in the privacy protection regulations (data security), including the duty to monitor and ensure that the company complies with the provisions of the law and regulations, to formulate organizational policies on the substantive issues in the field of personal data management, and to be involved significantly in complying with a number of concrete requirements of the data security regulations.

Adv. Semama pointed out, "The PPA's directive regarding compliance with the obligations of the data security regulations by the company's board of directors is effective immediately and will be enforced, in accordance with the circumstances of each case. I believe that the board of directors of a company whose core business is the processing of personal data, and where there is a risk to the privacy of its customers, must be significantly involved in the supervision and control of compliance with the provisions of the law and regulations, in order to increase the level of compliance regarding the security of the data managed."

Adv. Semama added that the importance of the PPA’s directive becomes even clearer due to the state of data security in companies, and even more so due to the increase in serious cyberattacks against Israeli companies since the outbreak of the war.

Adv. Vered Zlaikha, Partner and Head of the Cyber Affairs & Artificial Intelligence Practice at Lipa Meir & Co. Advocates, referred to the broad consequences of Amendment No. 13 for many organizations in the economy, and mentioned that, "As part of the preparations for the amendment coming into effect, and compliance with the provisions of the law, organizations should already consider taking a series of steps to ensure that gaps are closed with regard to the requirements of the law, including: mapping the types of information in their databases; examining the need to appoint a DPO and a data security officer; updating notifications to data subjects; updating the privacy policy; establishing appropriate organizational procedures; adopting an internal compliance plan; and more."

Regarding the PPA's new directive on the board of directors' responsibility, Adv. Zlaikha emphasized, "Following the discussion we and the Directors' Union have conducted with the PPA as part of the public comments stage, certain changes have been incorporated by the PPA into the final version, taking into account the separation between the executive and supervisory roles reserved for the board of directors." Nevertheless, Adv. Zlaikha observed, "This is a significant legal development for boards of directors to whom the directive applies, because beyond the duties of outlining policy and supervision, this directive demands the board of directors' involvement regarding specific regulatory requirements, for instance in relation to the database definitions document." Adv. Zlaikha also said, "This may be a significant milestone, as it may lead to broadening the potential legal exposure of the organization and the board of directors, both in terms of privacy law and corporate law, to the extent that it is found that the board of directors did not comply with the directive."

Preparations of directors for the new situation

Directors who took part in the event raised the concern that the new directive might be complicated to apply and raised the need for a practical "toolkit".

Israel Directors Union CEO Hadar Zofiof Hacohen said, "We understand the great importance of the issue of data security and privacy protection in the era of advanced technology. Diverting responsibility towards the boards of directors in this area is significant, and a survey we have conducted among the directors' community raises a need for increased awareness and thorough understanding of the obligations. The IDU, as an objective body working to provide practical tools for the members of the Union, will work in cooperation with the PPA and will assist in disseminating this directive and providing practical tools for its implementation."

Regarding the enforcement of the directive, Zofiof said, "We believe that the PPA should continue to invest in broad explanatory efforts, so that all boards of directors are aware of the regulatory requirements and updates. Cooperation between the PPA and the IDU is essential to ensure full compliance with the regulations and to protect the public's data privacy. We call on all boards of directors to take the matter seriously, to study the new developments in depth, and to act to implement them in the best way in the organizations that they serve."