Active incident? Call now — not a form.

Privacy Incident Response.

Data breach, ransomware, phishing, human error, or an Authority inquiry — every privacy incident requires coordinated response within hours. DPO support during the first 24-72 hours, Authority notification drafting, data-subject communications, and a formal post-mortem.

Timeline

The first 72 hours

Hours 0-2

Initial triage

What happened? When? What data is involved? How many subjects? Is the action ongoing? Is there immediate risk? Setting priority and freezing state.

Hours 2-6

Notification obligation assessment

Is Authority notification required under Amendment 13? Notification to data subjects? Under GDPR? Sector-specific regulation? Document decisions.

Hours 6-24

Information gathering & initial post-mortem

Work with IT / CISO / forensics — what was the breach scope, which databases, which subjects, which systems. Organized documentation.

Hours 24-72

Authority notification & message drafting

Formal notification to the Israeli Privacy Authority. Drafting messages for data subjects, management, customers, and media if required. Cross-department coordination.

Hour 72 to day 7

Response and deepening

Handle subject inquiries, Authority queries, media. Expand investigation, find more affected records, deploy mitigations.

Days 7-30

Formal post-mortem

Internal post-mortem report, fix list, required investments. Presentation to management and audit committee. Update policies.

Types

Eight incident types we handle

Data breach

Unauthorized access, exposed database, spreadsheet sent to wrong address. Most common type.

Ransomware

Forced encryption, ransom demand. Judgment call: pay or not, and was the data also exfiltrated (double extortion)?

Phishing success

Employee clicked a link, gave credentials, external actors get in. Scope assessment, access blocking, password reset.

Human error

Email to wrong distribution list, unencrypted document batch, accidental site publication. Usually less severe — but still requires assessment.

Internal unauthorized access

Employee accessed a database they shouldn’t have. Question: intent? Misuse? How was it discovered?

Vendor breach

Your vendor was hit, and your data leaked. Still your duty to notify the Authority and data subjects — not theirs.

Authority inquiry

Authority opened an investigation, audit, or information request. Also an "incident" requiring professional coordination and precise drafting.

Lawsuit / legal threat

Data subject threatens lawsuit, contacts a lawyer, files a complaint with the Authority. Requires legal-privacy-PR coordination.

The notification

What goes in the Authority notification

Field: Detail

Incident description: When, where, how discovered, who is involved
Scope: How many subjects, what data types, whether special-category data
Processing purposes: Why the data was originally collected, on what legal basis
Security measures in place: What was active, and why it didn't prevent the incident
Mitigations taken: What you did to stop the incident and prevent further harm
Future plan: What change will prevent the next occurrence (controls, policies, training)
Communications to subjects: Whether, when, and how you notified affected subjects
DPO contact / official point of contact: Whom the Authority can reach for clarifications

Frequent questions about incident response

When is Authority notification mandatory?

Under Amendment 13, notify the Israeli Privacy Authority of an incident with "significant" privacy impact. Criteria: number of affected subjects, sensitivity of the data, likelihood of harm. Conservative recommendation — notify even when in doubt. Ignoring an incident that later surfaces is worse than over-notifying.

What is the timeline?

Amendment 13 doesn't set a strict 72-hour deadline like the GDPR, but the Authority expects notification without undue delay. Recommendation: initial notification within 72 hours (even if incomplete), with updates afterward. Submitted through the Authority's online system.

What if investigation is still ongoing?

It's correct to file a "preliminary" report stating that the investigation is ongoing, and to update the Authority within 7-14 days. A partial report on time beats a complete report late.

Must we notify data subjects?

Depends on risk severity. If subjects face "real" risk (identity theft, financial harm, substantial privacy impact) — must notify. If risk is low or mitigated by measures (encryption, password reset) — possibly not. Decision is always documented.

Do you offer 24/7 availability?

During an emergency — yes. Every DPO as a Service client gets an emergency phone number answered 24/7 by the Chief DPO. Most incidents are handled within hours, including nights, weekends, and holidays.

We are not your client — can we get urgent help?

Yes. A sudden security incident is one of the most common ways clients start with us. Contact us directly: we respond within 2 hours and build a response plan within 24 hours.

How much does it cost?

Emergency rate: 450-850 ILS per hour (depending on urgency and time of day). Single-incident pack: 8,000-25,000 ILS by scope. Active DPO as a Service clients — 1-2 incidents per year included in the retainer.

What to do right now if I have an incident?

1) Take notes — write down what you know.
2) Do not delete logs.
3) Freeze the affected account/system if it is still active.
4) Contact us / a DPO / a lawyer.
5) Don't talk to the media until you have an approved statement.

Have an active incident?

Don’t wait until morning. Contact us now — I respond within 2 hours, including nights and holidays.
