Privacy regulation is no longer a compliance footnote. Across Israel and internationally, organisations face expanding obligations to appoint a qualified Data Protection Officer — and where appointment is not legally required, the business case for doing so has never been stronger.

Pearl Cohen's Cyber, Privacy & Copyright Group offers a full external DPO service, combining hands-on privacy expertise with deep regulatory knowledge across Israeli law, GDPR, and a growing number of international frameworks.

What the Service Includes

Our DPO service is tailored to the client's business, sector, and applicable regulatory environment. It covers:

• Acting as the organisation's point of contact and subject matter expert for all privacy and data protection matters — toward employees, customers, regulators, and third parties
• Building, managing, and monitoring a client-tailored privacy programme aligned to the client's business objectives and applicable law
• Preparing privacy documentation: policies, procedures, Data Protection Impact Assessments (DPIAs), and Database Definition Documents
• Mapping vendors and sub-processors, and supporting privacy due diligence on prospective vendors
• Reviewing Data Processing Agreements (DPAs) and responding to data subject, regulator, and third-party inquiries
• Reviewing digital assets, including websites, cookie practices, and consent mechanisms
• Advising on sales and marketing activities involving personal data (targeted advertising, lead outreach, and similar)
• Privacy awareness training for employees, including team-specific guidance
• Ongoing support for product and feature development, data flows, audits, and incident handling
• Regular client syncs for updates and open task management

When Is a DPO Required?

The obligation to appoint a DPO was recently established in Amendment 13 to Israel's Privacy Protection Law (PPL). Mandatory appointment applies to:

• Public bodies that are controllers of databases and entities processing personal data on their behalf
• Data brokers and direct marketers — controllers of databases containing personal data on more than 10,000 individuals, where data is collected for transfer to others as a business or for consideration
• Large-scale monitoring organisations — controllers or processors whose primary activities include processing personal data derived from ongoing and systematic monitoring or tracking of individuals
• Sensitive data processors — controllers or processors whose primary activity includes processing especially sensitive data (medical, biometric, financial, location, political) on a significant scale

Equivalent obligations exist under the EU and UK GDPR, PIPEDA (Canada), LGPD (Brazil), and other international frameworks.

Why Appoint a DPO Even Without a Legal Requirement?

Many organisations benefit from appointing an external DPO regardless of whether the law mandates it:

• Competitive advantage — customers increasingly factor privacy maturity into procurement and vendor decisions
• Trust — a well-run privacy programme signals organisational responsibility and strengthens client relationships
• Transaction readiness — in due diligence, IPOs, and M&A processes, privacy programmes are examined closely; a functioning DPO arrangement is a concrete marker of maturity

The Team

The DPO service is headed by Adv. Guy Bakshi, who brings six years of experience as an external DPO across a wide range of sectors including. Read more about Guy and contact him, here.