
Israeli Privacy Regulator Endorses Appointment of Chief Privacy Officers in Organizations

Publications / November 01, 2020

Article written by Haim Ravia, Dotan Hammer and Adi Shoval

The Israeli Privacy Protection Authority published for public comment a draft position paper on the advisable appointment of Chief Privacy Officers (CPOs, sometimes referred to as Data Protection Officers – DPOs) in Israeli organizations. The paper explains that although Israeli law does not mandate the appointment of a CPO/DPO (other than in one isolated instance related to the Bank of Israel), the authority views the voluntary appointment as a recommended best practice for organizations whose operations involve processing personal data.

The paper goes on to explain that while the position may be performed by an in-house member or by an outside professional, it is highly recommended to appoint a senior, in-house executive in organizations whose core activities involve processing personal data or where processing is performed on a large scale.

The position paper references the comparable CPO/DPO regimes under the EU GDPR, the Brazilian LGPD, and the US HIPAA. It recommends that the CPO/DPO, among other matters, be responsible for the organization’s privacy policy; be involved in the lifecycle of the organization’s data processing activities to ensure that privacy and data protection principles are respected; conduct data protection impact assessments; and handle data subject complaints. The CPO/DPO would also be tasked with supervision and monitoring, as well as education, training, and raising awareness. Those appointed should have independence in performing their role, be given adequate budget and resources, and not be exposed to a potential conflict of interest.

According to the position paper, the CPO/DPO should be trained or educated in law, regulation, IT, or accounting, have knowledge of technology and information security, and be acquainted with business operations and professional ethics.

The authority draws a sharp distinction between a CPO/DPO and an organizational information security officer. The former focuses on the permissible and prohibited uses of personal data, while the latter focuses on measures to prevent unauthorized use of data. The position paper also recommends that the CPO/DPO be a member of the organization’s senior executive forum.

CLICK HERE to read the Israeli Privacy Protection Authority’s draft position paper (in Hebrew).
