During a recent Privacy and Data Security conference in Israel, industry leaders explored the implications of Amendment 13 to the Israeli Privacy Protection Law and discussed how organizations can address emerging risks associated with deploying advanced AI.
circumstance. “Amendment 13 is a real game-changer, not just a technical update,” said Vered Zuleikha, Partner and Head of the Cyber & AI Practice at law firm Lipa & Co. “While it introduces many substantive provisions, the real development lies in implementation. For the first time, the Privacy Protection Authority (PPA) has been given meaningful powers to impose financial penalties and take concrete action against violators. This means that every company in Israel must realize that violations are no longer theoretical; they now carry a price.” Tangible.”
Zulekha noted that before the amendment took effect, fines were imposed on companies for scanning ID cards or failing to remove users from direct mail lists. “Now the penalties can reach much higher amounts,” she added.
She further stressed that data must be used strictly for the stated purpose: “If data is collected exclusively to establish contact but is subsequently used for other purposes without proper notification, this may constitute misuse. Organizations must clearly define goals, ensure transparency, and obtain informed consent. Amendment 13 significantly strengthens this requirement at the normative level.”
“Even organizations that are not required to register a database remain fully subject to the law,” Zulekha added. “In addition, the amendment introduces a new role, the Privacy Protection Officer (DPO), which is mandatory for entities that process large amounts of sensitive data. This officer must have in-depth experience in privacy and technology law, act independently, and avoid conflicts of interest. It is a position that carries new responsibilities and is poised to reshape how organizations approach data protection. Accountability extends beyond CISOs and DPOs: corporate management and boards must These issues are also addressed under the PPA’s guidance, and boards may have specific legal obligations under data security regulations.
Founder and CEO of Cyberoot, Eli Levine, spoke about the need for a shift in corporate mindset. “With a few simple steps, any organization can turn information security and internal policy into real, practical tools,” he said. “It doesn’t have to be expensive or complicated. You need to sit down, talk, and start moving. 2025 and 2026 will be the years when everything happens; the pace is fast, the intensity is high, and our mission is to transform privacy and information security from a luxury to a must. This is no longer an option; it is an organizational culture we must embrace.”
“Most organizations still don’t have a complete mapping of their systems and data assets,” Levin continued. “If you don’t know what you have, you can’t protect it,” he said. A cyber incident can quickly turn into a large-scale crisis when there is no prior preparation. Even a minor technical glitch can turn into a large-scale security breach. You can’t buy cybersecurity off the shelf; It must be carefully designed, from the risk assessment to the detailed business plan. Information security is an ongoing process that requires participation at every level of the organization. The responsibility lies with everyone who handles the data.”
SLING CEO (part of KELA Group) Dr. Uri Cohen and KELA Head of Research Elad Ezrahi discussed the risks of data leaks associated with third-party systems. “Personal data stored with third-party service providers may be exposed,” Ezrahi warned, presenting two recent cases of a supply chain attack involving voice impersonation and stolen access credentials, supported by findings from KELA’s threat intelligence platform.
A professional committee managed by the lawyer. Fareed Zulekha explored the integration of AI systems into organizations, the interfaces between IT and legal teams, and dealing with privacy and technology risks.
“When new technologies are introduced, whether it’s a new vendor, a tool like ChatGPT, or an AI feature within the product, it’s a cross-departmental effort spanning development, IT, security, and legal,” said Lusha CISO and CTO Inat Shimoni. “We hold monthly forums to discuss these issues. The goal is not to ban tools but to enable controlled, intelligent use. We have set clear policies, increased awareness, and provide ongoing training to our teams.”
circumstance. Zulekha concluded: “Managing regulatory risks in AI systems raises broad issues that go beyond privacy and data security, among others, around system accuracy, the need for human oversight, as well as regulatory awareness and employee training. It is important to remember that organizations have a broad toolkit to manage these risks – regulatory, procedural, technological and legal. Effectively addressing these risks requires drawing on the full range of tools available.”
Published by Globes, Israel Business News – en.globes.co.il – on November 12, 2025.
© Copyright Globes Publisher Itonut (1983) Ltd., 2025.
The post Amendment 13 is gamechanger on data security enforcement first appeared on Investorempires.com.
