Just weeks before Amendment 13 to the Protection of Privacy Law takes effect (August 14, 2025), the Privacy Protection Authority (PPA) has published a detailed draft opinion regarding the duty to appoint a Data Protection Officer (DPO).
Below are the main points from the opinion, along with our practical insights:
Mandatory DPO Appointment – Not Limited to High-Risk Entities
The law imposes the appointment requirement on public bodies, data brokers, organizations conducting systematic monitoring, and entities processing sensitive data at scale. However, as anticipated, the PPA extends this obligation to include any online profiling activities for any purpose.
💬 Organizations must promptly assess their data practices to determine whether they are required to appoint a DPO.
Deep Legal Expertise is Required
The role demands in-depth knowledge of Israeli privacy law, case law, sector-specific regulations, and constitutional principles. The PPA’s DPO training course serves as a basic introduction but does not replace the need for deep legal expertise.
💬 This is fundamentally a legal compliance role – not merely a technical one.
Technological Literacy is Essential
DPOs must have an understanding of data flows, system architecture, and privacy-enhancing technologies.
💬 They should be capable of preparing information security policies. Lawyers seeking to take on this role must pursue independent or formal training in cyber and IT.
No Personal Liability for DPOs
The DPO’s role focuses on advice, training, supervision, and oversight.
💬 DPOs should be covered under the organization’s Directors & Officers (D&O) insurance and indemnification arrangements.
Independence and Proper Resourcing
The law requires direct reporting to the CEO and prohibits conflicts of interest.
💬 This ensures that the DPO can operate with true authority and autonomy.
Separation from the CISO Role
The CISO cannot simultaneously serve as the DPO, as these are distinct roles that may create conflicts if combined.
💬 Organizations must carefully consider role separation to maintain the effectiveness of both functions.
Extensive Responsibilities
The DPO is tasked with advising management, training employees, monitoring compliance, handling data subject requests, and serving as a liaison with the Authority.
💬 This is a proactive, cross-functional leadership role – not a symbolic appointment.
Bottom Line
Amendment 13 is a game-changer. Organizations must act now to identify qualified candidates, define the DPO’s scope, and properly embed the role into their governance frameworks.
The draft opinion is open for public comments.
👉 For guidance and support in aligning your organization with the new requirements, the teams at ClearPath and Or-Hof Law are here to help.
– The Or-Hof Law Team