Many organizations in Israel still treat "data protection" as a recommendation. But Amendment 13 to the Privacy Protection Law, combined with new enforcement trends from the Privacy Protection Authority, makes it very clear: this is a mandatory, critical issue, and a very expensive one when ignored.
At the center of this article is a real-life case of an organization that neglected its data protection responsibilities until the painful consequences set in. This is not a story about a hacker attack, but about an internal management failure that turned into legal and financial damage.
The case: open database, closed regulation
This is a medium-sized organization in the financial services sector that manages databases of sensitive personal information: ID cards, financial status, addresses, family members' details, and more. For years the data accumulated, but procedures were not updated, no data protection officer (DPO) was appointed, and no data retention policy was defined.
When a customer complained that his information had been distributed to unauthorized parties, the Authority launched an investigation that revealed a series of shortcomings: open permissions, incomplete registration, lack of documentation, and above all, the lack of a legally appointed DPO.
The price: not just money
The result: a fine of 150,000 NIS, together with a requirement to appoint a DPO within 14 days, establish a system of controls, run training courses for employees, and report to the Authority annually. The reputational damage was no less serious: a media article, the departure of key customers, and a loss of trust.
How could this have been avoided?
By simply appointing a data protection officer, the organization could have prepared in advance:
- Build privacy policies and customized work processes.
- Conduct a risk survey and address gaps.
- Instruct employees on how to handle information requests or incidents.
- Ensure regulatory compliance and reduce legal exposure.
The DPO is not just “another role”; it is a management-level safeguard that demonstrates to the world (and to the regulator) that the organization understands the importance of protecting personal information.
Who needs a DPO?
According to Israeli law, every public body, and every private body that manages sensitive information or more than 100,000 records, is required to appoint a data protection officer. Even organizations that are not required to do so, however, are choosing to appoint a DPO as a preventive and responsible business decision.
In conclusion
One thing is for sure: it’s easier to be prepared than to apologize. Appointing a DPO is not an expense but a potential source of significant savings. It protects the organization legally, prevents costly mistakes, and conveys responsibility and regulatory compliance in the eyes of customers, partners, and public bodies.
Cybersecurity and IT – two worlds, one solution.
About the Author
Idan Zabari, a leading strategic consultant in the fields of IT and information security, assists businesses and organizations in information protection, technological innovation, and regulatory compliance.