The regulations apply to both private and public sectors and establish organizational mechanisms aimed at making data security part of the management routines of all organizations processing personal data.
The regulations are a product of an in-depth study of legislation, standards and parallel Israeli and international guidelines. The regulations were enacted after extensive consultation with the Israeli public, and in particular the stakeholders that would be affected by the regulations.
It is expected that the regulations will substantially improve the level of data security in Israel because they are at once flexible, concrete and specific, to a degree that offers organizations regulatory certainty and practical tools that are simple to implement. With the entry into force of the regulations in May 2018, we expect a new era in which the protection of privacy in Israel will be stronger than ever.
The regulations classify databases into four groups according to the level of risk created by the processing activity in those databases: high, medium, basic and databases controlled by individuals that grant access to no more than three authorized individuals. The duties of the controllers are determined in accordance with the level of risk.
The level of risk is defined by the data sensitivity, the number of data subjects and the number of authorized access holders.
In specific circumstances, the Privacy Protection Authority (PPA) may instruct a database to implement additional obligations in order to strengthen the security level of its activities, or exempt a database from applying specific details of the obligations in the regulations. For example, the PPA may instruct low level risk databases to implement provisions that apply to medium risk databases, and when justified, the PPA may exempt medium risk databases from specific provisions.