On September 10, 2023, the Privacy Protection Authority (“PPA”) published for public comments a draft guidance on the role of the Board of Directors (the “Board”) in fulfilling a company’s obligations under the Protection of Privacy Regulations (Data Security), 2017 (the “Guidance” and the “Regulations”, respectively). The Guidance applies to companies whose core business involves the processing of personal data, or whose activities create a significant risk to the privacy of data subjects. In that regard, the PPA gave a few examples of such companies, including public companies, companies that purchase or sell personal data, companies that collect personal data on sensitive populations (such as minors), and companies that collect data on a significant number of data subjects or that authorize numerous persons to access such data.
The Guidance seeks to define the responsibilities of the Board in connection with compliance with the legal requirements in the field of privacy and data protection. The PPA’s position is that the Board is the most appropriate and efficient organ to determine which persons shall be responsible for carrying out the requirements of the Regulations, to implement supervision procedures to ensure that such persons perform their duties, and to make decisions regarding the use and processing of personal data by the company.
According to the Guidance, and without derogating from the responsibilities assigned to the company’s CEO and its management, the following duties shall be assigned to the Board:
1. approval of the database definitions document;
2. approval of the main principles of the company’s information security procedure;
3. holding a discussion on the results of risk surveys and penetration tests, and approving the actions required to be taken in order to remedy any gaps identified therein;
4. holding a quarterly or annual discussion (in accordance with the security level of the database) on security incidents that occurred in the company; and
5. holding a discussion, once every two years, on the results of periodic audits conducted with respect to the company’s compliance with the Regulations.
In the appropriate cases, and taking into account the level of risk to the privacy of data subjects emanating from the company’s activities, the size of the company and the composition of the Board, the Board may appoint another person in the company who will be responsible for the performance of the aforementioned duties, while continuing to supervise their execution.
Should the Guidance be adopted, it could potentially increase the level of accountability placed upon directors regarding the company’s compliance with the Privacy Protection Law, 1981 and the Regulations. Accordingly, it is important for directors to be aware of the requirements imposed on the company on privacy-related matters, the steps that the company takes in order to comply with these requirements, and the responsibilities imposed on the Board in that regard.
The Guidance is open for public comments until October 22, 2023, via the email address: [email protected].
Please feel free to contact us with any questions that you have on this matter.