Privacy Protection Authority: Appointing a Privacy Protection Supervisor Is a Necessary Step for Israeli Companies

Israel’s Privacy Protection Authority has published its recommendation that every organization appoint a data protection officer. This officer’s task is to implement the privacy protection laws that apply to the organization.

The PPA noted that although Israeli law does not impose a duty to appoint a data protection officer, it is a best practice recommended for organizations that collect and analyze personal data. As of now, this is only a draft for public comments, published by the PPA.

If the PPA ultimately issues a finalized version, it would impose upon Israeli entities, large and small, an additional regulatory duty that is not formally enacted in applicable law. Therefore, even though appointing a privacy protection officer is not mandatory, as far as the PPA is concerned, this is the expected standard of conduct. Failing to meet this standard would require an organization to justify to the PPA why the appointment was unnecessary under the specific circumstances, in the event of an audit or enforcement event.

We note implementing this regulatory recommendation holds many advantages for organizations, especially in the current reality where the ability to protect personal data has real economic implications.

Currently, Israeli law requires organizations that keep at least five databases to appoint an information security officer (or in cases of narrow special categories of entities). The PPA emphasizes these are two different roles. Whereas the information security officer is responsible for the technical aspects that prevent unauthorized use of the information, the privacy protection officer is responsible for the legal aspects concerning the prohibited and permitted uses of the information. Thus, the privacy protection officer’s role is broader and requires him, inter alia, to provide professional guidance to the information security officer.

An organization may appoint a data protection officer internally or hire an external service provider.

The PPA’s position is that the privacy protection officer’s role can be fulfilled either by an internal appointment in the organization or by an external service provider.

The roles of the data protection officer will be determined by the complexity of the processing activities conducted by the organization and by its size. The responsibilities are diverse and can be categorized into three main areas: data management process; oversight, control, and audit; and implementation and training.

Appointing a data protection officer holds several significant advantages for an organization. It is a paramount tool for improving compliance with the data protection laws applicable to the organization and the protection of privacy by the organization. Furthermore, it enables optimal cooperation with the PPA, since any organization that has undergone an audit can confirm it is a resource- and time-consuming process. Moreover, organizations that serve customers around the world are subject to privacy protection laws in various jurisdictions, which often already demand the appointment of a privacy protection officer.

The PPA expects all organizations, large and small, subject to Israeli law to appoint a data protection officer. Organizations that optimally position this role may even benefit from doing so financially, because of better management of personal data and the reduction of regulatory exposure in the area of privacy protection.