Amendment No. 13 to the Privacy Protection Law, 1981, came into effect in August 2025. Its main goal is to update Israeli privacy law to better address the challenges of the digital age and align it with international regulations such as the GDPR.

The amendment includes several key components: the obligation to appoint a Data Protection Officer (DPO), new disclosure and transparency requirements, revised obligations regarding databases, broader enforcement powers for the Privacy Protection Authority, and more. Below is an overview of the main changes and their short- and long-term impact on organizations.

Key Changes

1. Appointment of a DPO (Data Protection Officer)

Public bodies, organizations holding databases with over 10,000 records for the purposes of “data trading” or ongoing monitoring, and organizations processing sensitive data on a large scale must appoint a DPO. The DPO must have expertise in privacy law, technologies, and information security.

Main responsibilities of the DPO:

  • Advise and accompany the organization on all matters related to personal data processing.
  • Ensure compliance with the law, regulations, and internal policies.
  • Conduct internal audits, prepare reports, and monitor risks.
  • Act as the contact point for the Privacy Protection Authority (the regulator).
  • Provide privacy training for employees and managers.

Importantly, the organization may appoint either an internal DPO (an employee) or an external DPO (outsourced).

2. Registration / Notification of Databases

The obligation to register databases has been significantly reduced. Not every database must be registered in the public registry anymore; only those meeting certain legislative criteria must be, such as:

  • Databases for data trading or direct marketing purposes – for example, companies that collect customer contact information (phone, email) and sell it to other businesses; organizations that consolidate purchase data and sell it externally; B2B contact list providers segmented by sector, location, or company size.
  • Databases containing sensitive information – e.g., HMOs, hospitals, insurance companies, credit card companies, banks, political parties, polling companies.
  • Large-scale databases – The amendment emphasizes not only the type of data (sensitive/marketing) but also the scale of the population covered. The larger the database, the higher the privacy and security risks, and the stricter the regulatory requirements (e.g., cellular companies, large banks, municipalities, large retailers).

3. Disclosure and Transparency

Amendment 13 significantly strengthens organizations’ obligations to be clear and transparent toward individuals whose data is collected. The goal is to ensure that every person knows what information is collected about them, why it is collected, and with whom it is shared.

4. Technical and Procedural Readiness

Organizations must prepare on two levels: technical and procedural.

  • Technical readiness refers to implementing technological tools and solutions to protect data, such as encrypting databases and communications, access controls that limit information exposure, real-time anomaly detection and monitoring, backups, and recovery plans.
  • Procedural readiness focuses on internal policies and processes: setting clear rules for data retention and secure deletion, defining incident response procedures, mapping and documenting all data sources within the organization, and providing regular employee training to enhance privacy awareness.

Combining both technological and procedural measures is essential for complying with the law and maintaining public trust.

Risks of Non-Compliance

Failure to comply with Amendment 13 exposes organizations to significant risks:

  • Legal risks: The Privacy Protection Authority now has expanded enforcement powers, including the ability to impose heavy fines and financial sanctions.
  • Civil liability: Organizations may face individual or class action lawsuits from data subjects claiming privacy violations.
  • Reputational damage: Data breaches can seriously harm a company’s reputation and erode trust among customers, partners, and investors – sometimes even resulting in lost contracts or clients.
  • Regulatory consequences: Non-compliance may lead to future regulatory restrictions or limitations on business activities, such as the ability to cooperate with international entities.

Ultimately, failing to prepare can cost organizations far more than the investment required to comply in the first place.

A Competitive Opportunity

One of the most interesting aspects of Amendment 13 is that it isn’t merely a “regulatory burden.” Proper compliance can actually become a competitive advantage.

An organization that implements advanced privacy policies and demonstrates compliance signals to its customers that it is trustworthy, responsible, and prioritizes their privacy. In a world where public awareness of privacy is rising, transparency and accountability have become real added value – much like environmental responsibility or ethical business practices.

Moreover, full compliance may be a precondition for collaborating with international partners, especially those subject to GDPR or other strict regulations.

Practical Steps for Organizations – How to Prepare

Here are some practical steps organizations can start taking today:

  • Map all databases within the organization – who collects data, where it is stored, who manages it, and with whom it is shared.
  • Determine whether a DPO is required based on the organization’s type, size, and activity scope. If required, appoint a qualified DPO.
  • Update privacy policies, terms of use, and data collection notices across all forms, presentations, websites, and apps.
  • Develop a data subject rights program – set up mechanisms for handling requests, response times, and documentation.
  • Review technical and security policies – encryption, access control, retention and deletion policies, security monitoring.
  • Train employees – raise awareness, teach basic privacy principles, and establish clear internal request-handling procedures.
  • Review supplier contracts – ensure external vendors processing data comply with the law and have proper data processing agreements in place.

Conclusion

Amendment 13 to the Privacy Protection Law represents a significant shift in privacy regulation in Israel. This is not “just another law” — it sets out a new framework requiring broad adjustments in regulation, security practices, and organizational culture.

Organizations that begin preparing now will be able to comply with the requirements, build trust among customers and employees, and avoid legal, financial, and reputational risks. Those that fail to act may face fines, lawsuits, and serious damage to their reputation.