Local Time: Print


There is a change taking place in the global rules that govern data protection and privacy. Data protection has become one of the most important issues today for companies operating in a cyber-connected, global business environment. On the heels of global change, on May 8th, 2018, new “Privacy Protection Regulations (Data Security) 5777-2017” (Israel Regulations for Data Security, or IRDS) will go into effect. Although IRDS contains some similar elements to the European Union’s General Data Protection Regulation (GDPR), which also goes into effect in May 2018, the two regulations should not be confused. This short report introduces American companies to Israel’s IRDS requirements and also provides a brief comparison between the IRDS and GDPR provisions. It is critical that companies operating in either the EU or Israeli spheres be fully aware of the ramifications for their own business environments and follow developments as the regulations are enforced over time.

Introduction to the IRDS

The IRDS regulation applies to both private and public-sector entities that process the personal data of Israeli citizens. The IRDS establishes requirements designed to make data security a part of the management routines for all entities processing personal data related to Israeli citizens.

The aim of the regulation is to substantially improve the level of data security in Israel and to usher in a new era privacy protection. Companies which do not comply with the new regulation will be subject to sanctions, as described in the “Sanctions” section below.

The IRDS classifies databases according to level of risk, which is in turn determined by the data sensitivity, the number of data subjects and the number of authorized access holders. Databases are grouped into four risk levels: 1) high, 2) medium, 3) basic and 4) databases controlled by individuals that grant access to no more than three authorized individuals. The duties of the database managers are determined in accordance with the associated level of risk.

To learn more details about IRDS, please read the full English translation of the IRDS regulation at https://2016.export.gov/israel/dataprotectionregulation/privacyprotection/

European General Data Protection Regulation

One of the key regulatory developments for organizations operating globally is the European Union’s new rules on personal data protection, called the “General Data Protection Regulation” (or GDPR). The GDPR goes into effect on May 25, 2018, and organizations that process personal data of residents of the 28 EU countries will be required to comply with the provisions of the GDPR or face stiff penalties. For detailed information about GDPR, please review our article on Export.gov

GDPR and IRDS: Shared Aims and Provisions

The GDPR and IRDS both require businesses that collect and use (“process”) the personal data of employees, customers and suppliers to become much more proactive about knowing exactly what information is collected and for what reason, how the data is processed, where it is stored and for how long, who in the organization has access to it, and to which countries the data may be transferred. Organizations must have transparent policies for data protection, and they must train personnel in the implementation of these policies and any guidelines that stem from these policies. The data subjects whose personal information is collected will require a dedicated point of contact within the company for any questions that may arise, and the GDPR mandates that the details of this point of contact (email address, phone number) be shared with data subjects.

Other shared aims include special treatment of sensitive data such as health records, biometric data, and criminal records; evaluation of the risks of any damage to the stored personal data; and data minimization. Both the GDPR and the IRDS require notification of data breaches to government regulator and the data subject under certain circumstances.

In sum, business organizations must bolster their awareness of regulatory requirements for the protection of personal data throughout the organization, and to consider the risks of data exposures and breaches as part of their overall strategic planning.

GDPR and IRDS: Sanctions

Both new regulations include sanctions for non-compliance. The GDPR’s administrative fines may amount to a maximum of 20 million euro or (if a higher amount) 4% of the organization’s total annual turnover. Non-compliance with the IRDS constitutes a breach of Article 17 of the Privacy Law, possibly giving exposure to criminal and civil liability as well as to administrative fines.

GDPR and IRDS: Comparison Chart

Below is a chart comparing some of the highlights of provisions of the GDPR and the IRDS. It is not intended to be a comprehensive comparison, but to provide a sense of some of the commonalities and differences:

Summing up

The new requirements for personal data protection are now critical components of doing business where the GDPR and the IRDS apply, even for firms doing business in the EU but headquartered outside its footprint. Companies now need to recognize this new category of corporate governance and risk management as an integral part of their strategic planning.


Konfidas Tel Aviv-based boutique consulting firm specializing in multidisciplinary approach to cybersecurity and data protection - https://www.konfidas.com/

Privacy Protection Authority, Ministry of Justice - https://www.gov.il/en/Departments/the_privacy_protection_authority

If you have any questions please contact, Commercial Specialist Christina Azar, Christina.azar@trade.gov

The information provided in this report is intended to be of assistance to U.S. exporters. While we make every effort to ensure its accuracy, neither the United States government nor any of its employees make any representation as to the accuracy or completeness of information in this or any other United States government document. Readers are advised to independently verify any information prior to reliance thereon. The information provided in this report does not constitute legal advice. The Commercial Service reference to or inclusion of material by a non-U.S. Government entity in this document is for informational purposes only and does not constitute an endorsement by the Commercial Service of the entity, its materials, or its products or services.

  Notice to Visitors!

  The link you have chosen will take you to a non-U.S. Government website.

  If the page does not appear in 5 seconds, please click this: outside web site

  Export.gov is managed by the International Trade Administration and external links are covered by its website  disclaimer statement.

  Notice to Visitors!

  The link you have chosen will take you to a non-U.S. Government website.

  If the page does not appear in 5 seconds, please click this: outside web site

  BuyUSA.gov is managed by the International Trade Administration and external links are covered by its website disclaimer statement.