Market Intelligence
Cybersecurity Israel Europe Legislation

Israel Data Protection Regulation

This short report introduces American companies to Israel’s IRDS requirements and also provides a brief comparison between the IRDS and GDPR provisions. 

The IRDS regulation applies to both private and public-sector entities that process the personal data of Israeli citizens. The IRDS establishes requirements designed to make data security a part of the management routines for all entities processing personal data related to Israeli citizens.

The aim of the regulation is to substantially improve the level of data security in Israel and to usher in a new era privacy protection. Companies which do not comply with the new regulation will be subject to sanctions, as described in the “Sanctions” section below.

The IRDS classifies databases according to level of risk, which is in turn determined by the data sensitivity, the number of data subjects and the number of authorized access holders. Databases are grouped into four risk levels: high, medium, basic and databases controlled by individuals that grant access to no more than three authorized individuals. The duties of the database managers are determined in accordance with the associated level of risk. 

GDPR and IRDS: Shared Aims and Provision

The GDPR and IRDS both require businesses that collect and use (“process”) the personal data of employees, customers and suppliers to become much more proactive about knowing exactly what information is collected and for what reason, how the data is processed, where it is stored and for how long, who in the organization has access to it, and to which countries the data may be transferred.  Organizations must have transparent policies for data protection, and they must train personnel in the implementation of these policies and any guidelines that stem from these policies. The data subjects whose personal information is collected will require a dedicated point of contact within the company for any questions that may arise, and the GDPR mandates that the details of this point of contact (email address, phone number) be shared with data subjects.

Other shared aims include special treatment of sensitive data such as health records, biometric data, and criminal records; evaluation of the risks of any damage to the stored personal data; and data minimization. Both the GDPR and the IRDS require notification of data breaches to government regulator and the data subject under certain circumstances.

Click here for the full report
The information provided in this report is intended to be of assistance to U.S. exporters. While we make every effort to ensure its accuracy, neither the United States government nor any of its employees make any representation as to the accuracy or completeness of information in this or any other United States government document. Readers are advised to independently verify any information prior to reliance thereon. The information provided in this report does not constitute legal advice. The Commercial Service reference to or inclusion of material by a non-U.S. Government entity in this document is for informational purposes only and does not constitute an endorsement by the Commercial Service of the entity, its materials, or its products or services

For information contact our office in Tel Aviv.