English
עברית
Français
Deutsch
Русский
Español
简体中文
日本語
Dutch
Türkçe
Language
English
עברית
Français
Deutsch
Русский
Español
简体中文
日本語
Dutch
Türkçe
Home
About us
About us
CV at a glance
Global reach
Pro Bono
What we do
Practice area
The team
Knowledge center
Insights & News
Client updates
Credentials
Doing business in Israel
Join us
Contact
Barnea Blog
© All rights reserved to Barnea Jaffa Lande Law offices

Together is powerful

Client updates
18 September 2023
by Avishay Klein
Masha Yudashkin
         
Antitrust and Competition
Banking & Finance
Capital Markets
Corporate
Employment
Infrastructure
Internet
Litigation
NPO
Private Clients
Real Estate
Regulation
Tax
High Tech

Privacy Protection Obligations: Boards of Directors’ Role

The Israeli Privacy Protection Authority recently published a draft directive regarding boards of directors’ role in fulfilling obligations pursuant to the Privacy Protection (Data Security) Regulations. The directive states that a board of directors must, inter alia, implement procedures for supervising and controlling compliance with the regulations and play an active role in setting the policy governing how the company uses and manages personal information.

 

Pursuant to the provisions of the Privacy Protection Law, the Privacy Protection (Data Security) Regulations apply to database owners, database administrators, and database holders. The regulations prescribe provisions with regard to actions and measures that database owners, managers, and holders must take in their databases to ensure the security of the information stored in them and to create oversight and control mechanisms.

 

The Directive’s Applicability

 

The Privacy Protection Authority’s latest directive focuses on corporations whose principal activity is data processing, or corporations whose business activities may create heightened privacy risks (such as collecting information about a person’s private life, medical or psychological information, genetic information, information about political opinions, biometric information, information about a person’s financial situation, etc.). In order to ascertain if the provisions apply to a particular corporation, one must examine, inter alia, the corporation’s characteristics (private or public company), the type and sensitivity of the information collected and processed, the scope of the information collected, and the number of parties authorized to access this information. For example, corporations that collect a significant volume of economic or medical information about data subjects during the course of their business operations will be under this definition.

 

Boards of Directors’ Role in Implementing the Regulations

 

The Privacy Protection Authority recognizes that the regulations themselves do not define which specific corporate organ is responsible for implementing the regulatory requirements. It does believe, however, that an obligation is imposed on the board of directors to supervise the implementation of the requirements and take part in decision-making. The Privacy Protection Authority reached this conclusion through logical interpretations of the Privacy Protection Regulations and section 92 of the Companies Law, which prescribes that “the board of directors shall delineate the company’s policy and supervise the performance of the CEO’s functions and actions.”

 

Accordingly, the directive states that the board of directors is responsible for fulfilling five principal obligations, as prescribed in the regulations.

 

The Obligations

 

  1. ŸTo approve a database definitions document, which must include, inter alia, a description of the information’s collection and use, the purposes for using the information, the various types of information contained in the database, etc.
  2. To approve the key principles of the organization’s data security procedure, which must include provisions regarding the database’s physical and environmental security, the database’s access authorizations, a description of the database security measures, procedures for contending with data security incidents, etc.
  3. ŸTo hold quarterly or annual discussions (depending upon the database’s level of security) of data security incidents in the organization, including in order to ascertain if the organization’s data security procedure must be revised.
  4. ŸTo hold discussions of the results of risk surveys and penetration tests and to approve the actions needed to rectify any detected deficiencies (for databases that must maintain a high level of data security).
  5. ŸTo hold discussions of the results of periodic audits of compliance with the regulations (once every two years for databases with medium and high levels of security).

The directive recognizes there may be instances when the board of directors may delegate the responsibility for compliance with the requirements to another organ in the company, but clarifies that such delegation of authorities must take into account the level of privacy risks entailed in the company’s activities, its size, and the composition of its board of directors. Even under these circumstances, the board of directors must still actually supervise compliance with the regulatory requirements.

 

The directive further clarifies that the board of directors’ obligations are supplementary and in no way diminish the responsibilities imposed on the company’s CEO, management, or any other corporate organ responsible for implementing the company’s regulations.

 

The Directive’s Implications for Companies

 

To mitigate the risk of directors being held personally liable for fulfilling their obligations pursuant to the regulations, whether as a result of enforcement proceedings instituted by the Privacy Protection Authority or as a result of personal or derivative lawsuits, the company and its board of directors must fully comprehend the obligations imposed on them pursuant to the privacy protection laws and take measures to fulfill their obligations as directors.

 

Companies should take several measures to ensure they are fulfilling the data security obligations imposed on companies holding databases:

  1. ŸMap all databases in their possession and classify them according to the provisions of the Privacy Protection (Data Security) Regulations.
  2. ŸMap the company’s specific data security risks.
  3. ŸDraft and implement data security procedures.
  4. ŸDraft and implement procedures for contending with data security incidents.
  5. ŸAdapt the internal control systems to the regulatory provisions.

Data security and privacy protection have become major issues in companies’ operations. This draft directive emphasizes that the law requires companies to act responsibly in safeguarding information contained in their databases. It also highlights the fact that they are to create privacy protection training and control mechanisms. Companies holding databases that meticulously comply with the regulations can substantially mitigate the risks a company and its officers faces.

 

***

 

Barnea Jaffa Lande’s Privacy and Data Protection Department is at your service if you have any questions about data security and privacy protection, drafting compliance programs, and more.

 

Dr. Avishay Klein is a partner and heads the department.

 

Adv. Masha Yudashkin is an associate in the department.

 

Tags: Board | Privacy Protection Law | Public Companies