The Israel Privacy Protection Authority published its final recommendations on conducting a privacy impact assessment before using personal information in a way that entails a substantial risk to the privacy of the data subjects, or a substantial change in their rights. The Authority highlights that because there is currently no general obligation in Israeli law to conduct a privacy impact assessment, the Authority’s document also does not create an obligation to do so.

A privacy impact review is a process that aims to help identify, assess, and manage privacy risks in projects or other business activities that include the processing of personal information. The Authority recommends performing this assessment in the early stages of the initiation of the project, and before the processing operations have begun.

The assessment comprises several stages, beginning with a general description of the information processing operations, evaluation of the lawfulness and proportionality of the processing, identification, and assessment of risks, risk reduction, and consultations with the data subjects.

The Authority’s recommendations explain that the privacy impact assessment is not a one-time event, but an ongoing process. It must be updated and revalidated regularly, or when substantial changes are made to the project. Also, the assessment ought to be approved by the senior management or the board of directors of the organization.

Click here to read the Israel Privacy Protection Authority’s recommendations on privacy impact assessments (In Hebrew).