
Israel’s Privacy Regulations | Data Security

To learn more about our services, leave your contact information here, and we will get back to you, or call 03-9450630.

 

Israel’s Privacy Protection Regulations (Data Security):

A few years ago, Israel's privacy protection regulations underwent a significant change.

The change followed a global trend toward stricter information security practice. More and more companies were failing to keep user data safe in the face of rapidly evolving technology and rising cybercrime.

As companies' poor handling of personal data was exposed, users and consumers lost trust in them and began demanding that the organizations storing their data be held to a higher standard.

Israel's Privacy Protection Regulations (Data Security) came into force on May 8, 2018. At roughly the same time, the EU's GDPR took effect, designed to strengthen the protection of EU residents' data collected by businesses and other organizations.

 

Who has to comply with these regulations, and what are the certification and compliance levels?

The requirements apply to every organization and individual that holds a database, of any type or size. The set of requirements that applies depends on the nature and extent of your database. The regulations define four security levels:

  1. Sole management: a database owned by one individual (or by a company owned by one individual) with at most two other permission holders. This classification is intended for small businesses and carries minimal security requirements.
  2. Basic security: databases managed by more than one person that do not meet the criteria for the medium or high security level.
  3. Medium security: databases that hold sensitive information (e.g., medical records, criminal records) or whose main purpose is collecting data for transfer to third parties, and databases of public bodies. A sensitive-data database with ten or fewer permission holders is generally treated at the basic level instead.
  4. High security: a database in one of the medium-level categories that also holds data about 100,000 or more individuals, or that has 100 or more permission holders.

There are exceptions and caveats, so determining the correct classification for your business requires a good familiarity with the regulations. This is why the best course of action is to seek legal advice from an expert like the ones on Hermeticon’s team.

 

If this sounds daunting, you have come to the right place:

Hermeticon has made it its mission to support companies that need to meet GDPR requirements. Our experts’ unique solution has a proven track record of helping businesses comply with GDPR.

We keep in touch with the Standards Institution of Israel and the Israeli Ministry of Justice to ensure that we stay up to date on any regulatory developments.

With Hermeticon, you can rest easy knowing that you are in good hands. Let our experts lead your organization toward full compliance with these critical regulations while ensuring your unique needs are met at every step of the way.

In addition, with our CISO-as-a-service offering, you can get a unique solution tailored to your needs, resources, and field of business.

 

Here are the steps you need to take to comply with the privacy regulations:

Your database definitions:

The first step is to prepare your database definitions document. You must review it at least once a year, and update it whenever your systems change significantly or you have a security incident. Here is a partial list of what this document needs to include:

  • A general description of how your company collects and uses data.
  • What types of personal data your company stores, and why.
  • Whether the data is transferred to third parties (e.g., if it is processed overseas).
  • Details of the database manager and of your Information Security Supervisor (or CISO).
  • The main risks to the data and how your company manages them.

 

Database security management:

If your organization holds five or more databases, is a public body, or is a bank, insurance company, or credit-rating business, the regulations require you to appoint an information security supervisor. The regulations make database owners responsible for keeping their databases secure and for logging the actions users take in the database.

Database systems must be separated from other IT systems as far as practicable; one way to do this is to keep the database on a dedicated server. All database systems must be kept updated as instructed by their vendors.

 

Information security procedures:

You will need to prepare a document that maps the structure of your organization's IT systems and databases.

Because this document reveals how your systems are built and protected, only people with a need to know and sufficient permissions may access it. Here are some questions the document needs to answer:

  • Which systems does the database run on? How are they managed and secured? What software is used to transmit data into and out of the database?
  • How are the different parts of the system connected, and where are they located? Include a network diagram.
  • What hardware do you use? Describe your IT infrastructure.
  • When was the document last updated?

 

Documenting security incidents:

Any event that raises concern about a loss of data integrity, unauthorized use of data, or use beyond an authorized user's permissions counts as a security incident and must be documented in detail.

Organizations subject to the medium security level must hold a security review meeting at least once a year. Organizations subject to the high security level must hold one at least every quarter.

At a security review meeting you discuss the security incidents that occurred, the steps taken in response, and whether the organization's security procedures need to be updated.

 

Physical and environmental information security:

The privacy protection regulations require every database owner to physically secure the hardware on which the database runs.

This means preventing unauthorized persons, including company employees without sufficient clearance, from entering the area where the hardware is located. Organizations at the medium or high security level must also install security cameras and use other means to secure the site.

 

Mobile devices:

Portable devices such as laptops, smartphones, external hard drives, and flash drives create security risks that are often overlooked, and the regulations address them directly. Removable media can introduce malware when connected to your systems, and portable devices are easily lost or stolen. This is why their use in your organization must be restricted. Any personal data stored on a portable device has to be encrypted.

 

Network security:

Another risk factor is transmitting data over the internet. The regulations set out the following guidelines for mitigating that risk:

  1. Always use reliable encryption when transferring data over a public network.
  2. Install antivirus and other security software on every system that accesses your database.
  3. Verify the identity of every user who accesses the database remotely.
  4. If your database is subject to the medium or high security level, identity verification must also rely, where possible, on a physical means (such as a hardware token) under the exclusive control of the authorized user.

 

Outsourcing:

Working with third parties exposes your database to additional risk. Before engaging a supplier or service provider, consider the nature of the engagement, the access permissions the third party will need, the resulting risks, and how your company will manage them.

Section 15 of the Privacy Protection Regulations (Data Security) lists the obligations that apply when working with third parties, including what the contract with the provider must cover.

 

Periodic audits:

If your database is subject to the medium or high security level, it must be audited at least once every two years by a qualified external auditor who is not responsible for database security at your company.

 

Security data retention period:

Security documentation (the definitions document, procedures, audit logs, and incident records) must be retained securely for at least two years. Make sure this material, together with the database itself, is backed up and can be recovered when needed.

 

Parallel standards and regulations:

The Database Registrar can exempt an organization from specific requirements of the Privacy Protection Regulations (Data Security) or impose additional requirements on it.

If an organization fails to comply with the regulations, the Privacy Protection Authority may take serious enforcement action against it, including fines, criminal charges, and even imprisonment.

Here are the steps you need to take to ensure your compliance:

  • Schedule an exposure assessment now.
  • We will perform an on-site exposure assessment for your organization with no commitment necessary on your part!
  • After the assessment, you will receive a quote and a work plan for eliminating your compliance gaps.

Why choose Hermeticon:

360° Cybersecurity & information security support

We provide technological solutions informed by legal expertise, combined with a deep understanding of organizational change and security awareness training.

Cybersecurity and information security solutions

We can identify and provide the right tech solutions for your organization.

Support from the best specialists in the field

Our best-in-class experts will provide comprehensive support to meet your regulatory, technical and legal needs.

A bespoke service scaled to match your needs

Over the years, we have gained extensive experience. By taking a bird's-eye view of your business, we can identify your existing security weaknesses and provide your company's management with valuable insights.

Our information security experts are here for you.

Fill in your information or contact us and we'll be happy to be at your service!
  • Phone

    03-9450630

  • Mordehai Rojanski 18
    Rishon LeTsiyon

  • Sun - Thu
    08:00-17:00