How-To
Database Definition Document — Full Guide
The Database Definition Document is the foundational document required by Israel’s 2017 Security Regulations for every database at medium or high security level. It defines the database’s "identity": owners, responsible parties, purpose, data types, security level, vendors, and retention period. Without a valid document — the organization doesn’t meet 2017 regulations, and Amendment 13 also requires this information.
Content
15 essential fields
| Field | Detail |
|---|---|
| Database name | Descriptive name + formal name as registered with Authority (if registered) |
| Database owner | Legal entity holding and maintaining the database (company, NGO, authority) |
| Database manager | Physical person directly bound to the owner — usually CEO / company manager |
| Information security manager | Person responsible for database security — usually CISO or IT Manager |
| Data Protection Officer (DPO) | If required under Amendment 13 — name, contact details |
| Database purpose | Why data is collected and used — specifically, not "business management" |
| Legal basis | Consent / contract / legal obligation / legitimate interest |
| Data types | Field details: name, ID, address, banking details, medical data, etc. |
| Data subject types | Employees, customers, vendors, volunteers, members, etc. |
| Data source | How data arrives — directly from person, vendor, government body |
| Record count | Estimate — important for determining security level |
| Security level | Basic / Medium / High — per 2017 regulations |
| Processed via | Systems, vendors, processors that touch the database |
| Retention period | How long data is retained, when deleted |
| Update date | Last document update date |
Sensitivity
How to determine security level
Security level drives every technical and organizational requirement. 2017 regulations define three levels, with a "minimum" per data type classification.
| Data type | Min. security level |
|---|---|
| Basic data | Basic |
| Financial data | Medium |
| Medical data | High |
| Data on minors | High |
| Biometric data | High |
| Opinions & identity data | High |
Frequent questions about Database Definition Document
Difference between Database Definition Document and RoPA?
Database Definition Document is a requirement of Israel’s 2017 Security Regulations. RoPA (Records of Processing Activities) is a GDPR Article 30 requirement. Similar content, not identical. Organization operating both in Israel and Europe — maintains both, sometimes in a single unified table.
Which databases require a Database Definition Document?
Every database at Medium or High security level requires a formal Database Definition Document. Basic-level databases — not mandatory, but recommended. Mid-size organization usually has 5-15 databases requiring a formal document.
How to determine security level?
2017 regulations set three levels: Basic (up to 10,000 records + non-sensitive data), Medium (10,000-100,000 + non-sensitive, or under 10,000 + sensitive), High (over 100,000 + non-sensitive, or over 10,000 + sensitive, or any medical database).
Is there an Authority template?
Yes. The Israeli Privacy Authority published an official Database Definition Document template, available on the Authority website. We use the template, but expand per organizational structure.
Who signs the document?
Typically: database owner (usually CEO), information security manager, sometimes DPO. In larger databases — also chair of audit committee or information security committee.
Validity period?
No defined expiration. Required to update on significant database change: new field, new purpose, new vendor. Practically — recommended annual review of all database definition documents.
What if we don’t have documents?
Required to prepare. We help: in data mapping service we prepare all required Database Definition Documents, in 3-14 weeks by organization size.
What if the database was registered with Authority years ago — does it need updating?
Yes. Authority registration does not eliminate the obligation for a full Database Definition Document. Old registration must also meet 2017 regulations and Amendment 13 requirements.
Need Database Definition Documents?
Data mapping service prepares all required documents — professional, organized, yours to keep.
Data mapping service