Written by: Haim Ravia, and Dotan Hammer
A company’s board of directors must supervise and ensure the company’s compliance with privacy laws and related regulations, according to guidelines issued by the Israeli Privacy Protection Authority (PPA).
The guidelines state that the board of directors must ensure that the company drafts, adopts, and implements policy documents required by privacy law. The board of directors must also ensure that the company properly considers how it processes personal data and carries out its data breach notification duties. Additionally, the board of directors must create effective oversight processes to ensure compliance. According to the guidelines, the more the company’s business focuses on processing personal data, the more important it is for the company’s board of directors to actively supervise compliance with data protection laws.
The PPA identified four major board of directors’ responsibilities relating to data protection: discussing the corporation’s database specification documents prior to their approval, discussing outcomes of risk management surveys conducted for the company, periodically discussing data breach incidents, and discussing the fundamental principles of the organization’s data protection procedure prior to approval.
However, the regulatory authority clarified that in certain cases, relegating these responsibilities could be done while considering potential privacy risks, and the corporate structure, particularly the size of the directorate. Additionally, the directive focuses these responsibilities on corporations where data processing is at the heart of its activity, defining this according to the characteristics of the organization, and the type and volume of data processed by it.
Click here to read the guidelines of the Israeli Privacy Protection Authority (in Hebrew).
