Under the Protection of Privacy Regulations (Data Security) 5777-2017 (the “Regulation”), there are three substantial levels of risk associated with the processing of Data, as defined under the Protection of Privacy Law, 5741-1981: basic, medium, and high. The obligations of database owners, holders, and managers to secure the Data vary based on these levels of risk. The criteria for the risk levels include the sensitivity of the data, the volume of records, and the number of authorized users with access permissions.
Some general obligations under the Regulation apply to all security levels, such as obligations to formulate certain information security-related documents and obligations relating to network security, access management, and backup. Higher levels of risk require additional layers of security, including risk assessments and penetration tests, and also require reporting Severe Security Incidents, as defined under the Regulation, to the Privacy Protection Authority (see: “Do you have to Manage Security Incidents and Report Data Breaches?”).