During a recent privacy and data-security conference in Israel, industry leaders explored the implications of Amendment 13 to Israel’s Privacy Protection Law and discussed how organizations can address emerging risks associated with the deployment of advanced AI.
Adv. Vered Zlaikha, Partner and Head of Cyber and AI Practice at Lipa & Co law firm, said, “Amendment 13 is a genuine game-changer, not just a technical update. While it introduces several substantial provisions, the real development lies in enforcement. For the first time, the Privacy Protection Authority (PPA) has been granted meaningful powers to impose financial sanctions and take concrete action against violators. This means that every company in Israel must recognize that violations are no longer theoretical; they now carry a tangible price.”
Zlaikha noted that before the amendment took effect, companies were fined for scanning ID cards or failing to remove users from direct mailing lists. “Now,” she added, “the penalties can reach much higher sums.”
She further emphasized, “Data must be used strictly for its stated purpose: If data is collected exclusively to establish contact but later used for other purposes without proper notification, that may constitute a misuse. Organizations must clearly define the objectives, ensure transparency, and obtain informed consent. Amendment 13 significantly strengthens this requirement at a normative level.”
Zlaikha added, “Even organizations not required to register a database remain fully subject to the law. In addition, the amendment introduces a new role, the Privacy Protection Officer (DPO), mandatory for entities processing large volumes of sensitive data. This officer must have in-depth expertise in privacy law and technology, operate independently, and avoid conflicts of interest. It is a position that carries new responsibilities and is about to reshape how organizations approach data protection. Accountability extends beyond CISOs and DPOs: Corporate management and boards must also address these issues. Under the PPA guidance, boards may even bear specific legal obligations under the Data Security Regulations.”
Cyberoot founder and CEO Eli Levin spoke about the need for a shift in corporate mindset. “With a few simple steps, any organization can turn information security and internal policy into real, practical tools,” he said. “It doesn’t have to be expensive or complicated. You need to sit down, talk, and start moving. 2025 and 2026 are going to be the years when everything happens; the pace is fast, the intensity is high, and our mission is to turn privacy and information security from a luxury into a must-have. It is no longer a choice; it is an organizational culture we have to embrace.”
Levin continued, “Most organizations still lack a full mapping of their systems and data assets. If you do not know what you have, you cannot protect it,” he said. “A cyber incident quickly turns into a full-scale crisis when there’s no advance preparation. Even a minor technical glitch can spiral into a large-scale security breach. You cannot buy cybersecurity off the shelf; it has to be tailored meticulously, from risk assessment through to a detailed action plan. Information security is an ongoing process that requires involvement at every level of the organization. The responsibility lies with everyone who handles data.”
SLING (part of KELA Group) CEO Dr. Uri Cohen and KELA head of research Elad Ezrahi discussed data leak risks linked to third-party systems. Ezrahi warned, “Personal data stored with external providers may be exposed.” He presented two recent supply-chain attack cases involving voice impersonation and stolen access credentials, supported by findings from KELA’s threat-intelligence platform.
A professional panel moderated by Adv. Vered Zlaikha explored the integration of AI systems in enterprises, the interfaces between IT and legal teams, and the handling of privacy and technology risks.
Lusha CISO and IT head Einat Shimoni said, “When introducing new technologies, be it a new vendor, a tool like ChatGPT, or an in-product AI feature, it is a cross-departmental effort involving development, IT, security, and legal. We hold monthly forums to discuss these issues. The goal is not to block tools but to enable smart, controlled use. We have established clear policies, increased awareness, and provided ongoing training for our teams.”
Adv. Zlaikha concluded, “Managing regulatory risks in AI systems raises wide-ranging issues that go beyond privacy and data security, inter alia, about system accuracy, the need for human oversight, as well as organizational awareness and employee training. It is key to remember that organizations possess a broad toolkit to manage these risks – organizational, procedural, technological and legal. Addressing these risks effectively requires drawing on the full range of available tools.”
Published by Globes, Israel business news – en.globes.co.il – on November 12, 2025.
© Copyright of Globes Publisher Itonut (1983) Ltd., 2025.















