What Israeli Startups Need to Know About GDPR Requirements in the EU

Maintaining GDPR compliance is critical for organizations that want to avoid breaking EU privacy laws and incurring hefty fines. However, does the GDPR apply only to European organizations? Or are there cases in which Israeli startups also need to comply with its requirements?

This post will answer these questions and more.

GDPR Compliance Requirements: Do They Apply to Israel?

GDPR stands for General Data Protection Regulation, the EU’s legislative act that sets personal data protection requirements for organizations. An organization operating within the European Union, or processing personal data records of an EU citizen, falls under GDPR requirements. An Israeli startup that plans to operate in the EU must therefore maintain GDPR compliance.

8 Key Points of GDPR Requirements

The eight key provisions of the General Data Protection Regulation define an individual's rights regarding his or her data. Those are the rights to:

1. Access. Under the GDPR, an organization must give a customer access to his or her personal data as soon as the customer requests it.

2. Be forgotten. When a customer stops using the organization’s goods or services and no longer wants to be a customer, he or she can request deletion of personal data.

3. Data portability. Customers can request that their personal data be transferred to another organization.

4. Be informed. A customer must be informed about personal data collection before that collection happens.

5. Have the information corrected. A customer has the right to ask an organization to update personal data that is outdated, incorrect or incomplete.

6. Restrict processing. If a customer requests a restriction on the processing of personal data, the organization may keep the data in storage but must not use it.

7. Object. A customer can restrict the use of personal data for direct promotion and marketing purposes.

8. Be notified. If an organization suffers a data leak that compromises personal data, customers must be notified within 72 hours of discovering the leak.

Impact of GDPR Requirements on Organizations in Israel

The General Data Protection Regulation (GDPR) has had a significant impact on Israel’s regulatory landscape. This impact can be summarized in five direct and indirect points:

1. Israeli organizations that conduct operations in the European Union, or remotely offer services to EU residents, fall under the act's reach.

2. If international investment funds your Israeli startup, the GDPR will probably influence your data protection approach.

3. If your startup is about to process personal data received from EU-based data collectors and holders, contractual requirements will demand that your organization apply GDPR norms.

4. According to the European Commission, Israel has adequate regulations governing personal data processing, storage and transmission. This means that Israeli organizations can exchange data with EU contractors with relative ease. However, this recognition is being publicly discussed in light of the general improvements and changes in European Union regulations. If EU officials reconsider this recognition, it may be withdrawn should the EU deem that Israeli laws have not sufficiently caught up with the new legislative realities of the EU.

5. The GDPR was the result of a thorough update intended to build a modernized data protection policy. The EU initiative influenced the legislative review in Israel to some extent. For instance, the GDPR indirectly impacted the Israeli Protection of Privacy (Data Security) Regulations in 2017.

GDPR and Israel Privacy Law: Data Transfer Rules and Differences

According to the GDPR, when initiating a data transfer, an organization must first ensure that the transfer meets the general requirements. The second step is to check whether transferring that data to a third country is allowed. The GDPR requires distinguishing secure from insecure third countries according to the European Commission’s adequacy decisions.

According to the act, third countries “which ensure an adequate level of protection are Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, the United Kingdom and South Korea. Data transfer to these countries is expressly permitted.”

Key Differences between Israeli Data Protection Requirements and GDPR

The shortlist of features below can help Israeli startup owners and investors better understand the two legislative environments.

Data Security

The GDPR requires data controllers and processors to adopt organizational and technical measures that match the level of risk. Israeli regulations, on the other hand, set specific and granular requirements for the personal data gathered and stored in organizations’ databases.

Data Protection (Security) Officer

The GDPR requires organizations controlling and processing data to appoint a Data Protection Officer (DPO) in defined cases. Israeli privacy law also requires the designation of a data security officer with nearly the same responsibilities as those of a DPO.

Outsourcing

The GDPR allows a controller to outsource data processing to a processor. The processor is then obliged to sign a specific written agreement to follow the controller’s instructions and requirements while processing the data on the controller’s behalf. Compliance with Israeli law is possible only after the parties add specific definitions and terms to the data processing outsourcing agreement.

Registration of Databases

Under the GDPR, database registration is not mandatory. Israeli privacy law requires particular databases to be registered with the Database Registrar, and the organization must then notify the Registrar about data exports and other actions taken.

Restrictions of Data Export

Subject to specific exceptions, the GDPR allows transferring data records to recipients acknowledged by the European Commission as having an adequate level of data protection. Israeli law requires an organization to obtain clear consent for that transfer from the data subjects, as well as an appropriate agreement between the sender and the recipient of the data.

Conclusion

Maintaining GDPR compliance is mandatory for an Israeli startup that operates in the EU market or stores or processes the personal data of EU residents. According to the European Commission’s decision, Israeli Privacy Law regulations provide adequate protection for personal data. Differences between the legislative acts of the two jurisdictions may, in certain cases, require additional adjustments and agreements to avoid legal issues.

Written by Alex Tray, a cybersecurity consultant.