Israeli Firms Unprepared as Tough EU Data-privacy Rules Take Effect

The General Data Protection Regulation imposes stiff penalties on organizations that don’t comply, including those outside Europe

German Chancellor Angela Merkel meets with Facebook's Mark Zuckerberg and Google's Eric Schmidt at the G8 summit in Deauville, France, May 26, 2011.
Philippe Wojazer, Pool / AP

What’s good news for European consumers anxious about how there data may have been abused in the wake of the Cambridge Analytica affair could be bad news for many Israeli companies.

The European Union’s patchwork of privacy and data-handling rules is about to become organized and a lot tougher when the organization’s General Data Protection Regulation, or GDPR, goes into effect May 25.

The rules will apply to companies outside the EU, but experts on privacy say that Israeli companies have been dangerously laggard in getting ready for the changing regulatory environment.

Dr. Dotan Baruch, the head of the Internet practice at the Tel Aviv law firm Barnea, said he had seen little evidence that most Israeli companies have even done a preliminary examination of whether the law applies to them or not and those that have done it haven’t prepared themselves.

“No one knows what will happen May 25,” he said. “I expect at the minimum, the authorities will try and find a few companies that haven’t met the new rules and fine them to serve as an example. At first, they’ll go after big companies and business that have had complaints filed against them.”

Israeli companies are small players, but the fact is the penalties that EU has set are stiff, amounting to 4% of a violator’s annual turnover or 20 million euros ($24.3 million), whichever is bigger.

The GDPR was officially adopted in 2016, but member states were given two years to comply and the deadline is arriving just as concerns about how big companies like Facebook and Google use ordinary people’s information have reached fever pitch.

The aim of the GDPR is to protect the personal data of EU citizens, including their name, email address, financial or medical details and even their IP address.

In addition, the regulations dictate that businesses should only keep the data they absolutely need for only as long as they need it. Afterwards, it should be destroyed or made anonymous. The GDPR gives consumers right the right demand that their personal data to be deleted for any number of reasons, including if they suspect non-compliance with GDPR rules.

Other rules require consumer to give explicit consent for the use of the personal data and businesses have to make it easy for them to withdraw it later. In the event of a hacking attacks, businesses must report it to the EU within 72 hours of discovery and may also need to notify the affected users as well.

The EU has not defined what it defines as “sensitive data” under the regulations, leaving it up to each business to decide.

“Israeli businesses have to show they are adjusting themselves to the rules even minimally,” said Baruch. “It’s not all essential in order to satisfy the authorities but also for European partners and for customers.”

He said he was seeing more and more European checking with Israeli companies are in compliance and threatening to cut off relationships if they aren’t. “That could do more damage than administrative sanctions,” he said.

Tomer Zuker, head of IBM Security Software Group in Israel, said a lot of companies know about the GDPR and are simply waiting to what happens the day after its takes effect. “It’s a cumbersome law and not every organization has a legal department that can shepherd its adoption,” he said.

In all events, GDPR has set a low bar for what is considered a “European” company, so that nearly all Israeli companies with online operations are going to be affected.

Yoram Lichtenstein, a Ramat Gan lawyer with a private practice specializing in European privacy law, said that includes having a European presence, which could mean as little as having a sales person in one EU member state. Another is that the company markets directly to European customers and a third is that it actively tracks the data of European citizens.

Experts say companies that want to meet the GDPR’s conditions should start by learning the new rules and getting a general sense of whether they are in compliance, preferably by getting legal advice.

Companies also need to set up a dedicated team, including a data compliance officer, to assess whether they will need to recollect the data they do have or whether they need to redesign the services they offer.

Finally they need to map they data they have and examine privacy standards they have in place and perhaps rewrite agreements on data-sharing they have with consumers.

There are off-the-shelf products companies can buy that, for example, who has access to data and monitor the behavior of employees for misuse.

“Corporate strategy today has to include meeting GDPR standards. They not only have to concerned about the law but also about their customers,” said Yanai Milstein, manager of data integration in Israel for the Aman Group, a consulting firm.

“The legal and information technology departments have to devise a policy for the company together based on the regulations. The next stage is to identify that gaps between the policy and the law and close them,” he said.