DPO Privacy Specialist

The gatekeeper every company is now required to have

Why data protection officers have become central to business, technology, and regulatory risk.

It happens dozens of times a day, often without us noticing or thinking about it. When we activate a parking app, our exact location and vehicle number are stored in the company’s databases. When we register a child for a municipal kindergarten, the child’s data is transferred to the servers of an external company that operates the registration system for the municipality. Even when we simply walk down the street, smart cameras monitor our movement. And when we swipe a biometric employee card at the entrance to the office, our fingerprint is converted into a line of code stored in a biometric database.
Data, the information being collected, is the engine of the artificial intelligence revolution. The risk this collection poses to the privacy of each and every one of us has given rise to a new profession. New professions usually emerge in response to market needs. In this case, however, it was impossible to rely on market forces alone or on the goodwill of companies and organizations that collect data. As a result, the regulator intervened and created a legal obligation to appoint a specific individual to protect privacy.
“I can’t remember the last time a profession was invented and someone said, ‘In one year we will need 2,000 of these,’” says attorney Alon Bachar, former head of Israel’s Privacy Protection Authority and co-founder of PrivMatch, a platform for DPO and privacy professionals training and placement. This sentence sums up the drama unfolding across thousands of organizations that, following an amendment to the Privacy Protection Law, are now required to appoint a Data Protection Officer, and immediately. The main problem is simple: there are not enough qualified professionals available. This is a role that sits at the intersection of technology and law, with very specific and extensive requirements that are defined by statute.
At a time when professions are disappearing and tech companies are laying off hundreds of employees, the field of privacy protection is actually growing. This growth is both organic and driven by a deadline set by the Privacy Protection Authority as part of Amendment 13 to the law. Although the amendment came into force in August, active enforcement is only now beginning, triggering a race to fill DPO positions.
What Is a DPO?
A Data Protection Officer serves as a gatekeeper whose role is to identify privacy risks before they materialize. The position requires legal expertise in privacy law as well as technological knowledge related to data processing. According to the role’s requirements, a DPO must identify high-risk data processing activities, such as data collection through apps or surveillance cameras, and conduct privacy impact assessments in order to prevent harm before a product is launched.
The scope of responsibility is broad and includes managing data breach and cyber incidents in real time, drawing lessons, and reporting to the regulator. In addition, the DPO must operate with full professional independence, avoid conflicts of interest, and report directly to senior management in order to influence substantive organizational decisions. “The DPO is the central pivot when a data breach occurs,” Bachar explains. “He or she connects the technical, legal, and regulatory aspects.”
Even before enforcement of Amendment 13 began, demand for lawyers specializing in privacy surged fivefold compared to the previous year, while overall demand for lawyers grew by only 1.12 times during the same period, according to data from Codex, a legal recruitment and career advisory firm. “This increase reflects growing concern among organizations about legal exposure and the desire to meet regulatory requirements, reduce the risk of legal proceedings, financial sanctions, and even public disclosure of non-compliant organizations. Privacy, which was once perceived as a narrow legal specialty, has become an integral part of business and technological activity,” says Liat Ben-Zvi Shevach, CEO of Codex and a partner in the PrivMatch platform.
One-third of newly advertised privacy-related legal positions are in companies, while the rest are in law firms. Most roles are aimed at lawyers with two to four years of experience, accounting for 45 percent of positions, while about a quarter are open to junior candidates. In addition, most privacy roles combine privacy law with technology, IT, or cybersecurity.
“There is a shortage of experienced professionals, alongside growing opportunities for young lawyers entering the field. The demand reflects a real need for people who can connect law, technology, and business. Those who can do this become a significant asset to an organization,” she says.
Now that the grace period for implementing Amendment 13 has ended and enforcement has begun, demand for organizational privacy officers has increased even further.
Alon Bachar
(Tomer Yaacobson)
Who Is This Role For?
The DPO role is neither a classic legal position nor a classic cybersecurity or IT role. On the one hand, it requires deep regulatory and legal understanding. On the other, it demands technological expertise in information systems, information security, and cybersecurity in order to identify exactly where data is stored and how it is protected.
“There are very few technologists who understand law and very few lawyers who understand technology,” says Bachar. He estimates that there are currently about 200 professionals in Israel who truly possess significant knowledge and experience in both core areas required of a DPO at the level needed for a large organization. Beyond them, many others have taken or are taking DPO courses and will gradually accumulate the necessary experience. This situation opens the door to the role for two main groups: lawyers who are dissatisfied with traditional legal practice and are willing to learn technology, and IT or information security professionals who want to advance into a managerial role.
Market demand has grown significantly following Amendment 13, which requires a wide range of organizations to appoint a DPO. “The law does not apply only to government ministries,” Bachar explains. “It goes down to the level of any organization whose core activity involves data processing.” This includes all public bodies, government ministries, local authorities, and municipal corporations, as well as financial institutions such as banks and insurance companies, healthcare providers such as health funds and hospitals, and data-collecting entities like parking apps such as Pango or Cellopark.
In addition, any external service provider that processes data on behalf of these organizations is also required to appoint a DPO. “Do the math,” Bachar says. “Hundreds of public and financial bodies, plus thousands of service providers that support them and hold data, and you quickly reach thousands of organizations that are required to appoint a data protection officer from day one of enforcement.”
This creates an immediate need for skilled professionals. In the public sector, the appointment must be internal according to Civil Service Commission rules. In the private sector, however, organizations may appoint an external DPO, allowing professionals to provide services to several organizations simultaneously. For example, Yazamco Pro offers regulatory DPO services to help organizations comply with the law. Cyberoot offers DPO as a service, as does Datawatch. However, Bachar believes this will not suffice for organizations with significant data collection activities. “If the authority discovers that an organization appointed an external provider who is not deeply familiar with the organization’s internal operations just to meet formal requirements, that organization will be exposed to sanctions as if no DPO had been appointed at all,” he says.
Starting Salary: NIS 16,000 per Month
High demand for privacy professionals has led to a 50 percent increase in salaries within a single year for employees with three to five years of experience, according to Codex data. In 2024, the average salary for experienced privacy professionals stood at NIS 15,000 per month. In 2025, it has risen to NIS 22,500 per month.
Entry-level professionals with zero to two years of experience also saw salary increases, though more modest. Average monthly pay rose from NIS 14,000 in 2024 to NIS 16,000 in 2025. Since a quarter of positions are open to junior candidates, this presents an opportunity for lawyers or IT professionals to enter a rapidly growing field. For professionals with six to ten years of experience, salary growth was more moderate at 7 percent, increasing from NIS 27,000 to NIS 29,000 per month.
Liat Ben-Zvi Shevach
(Nicky Westphal)
The Threat of Multi-Million Shekel Fines
The biggest change compared to the past is enforcement. While privacy protection was always required, violations previously resulted mainly in reprimands or relatively low administrative fines. Amendment 13 now grants the authority the power to impose financial sanctions of hundreds of thousands of shekels for each individual violation. For organizations that handle large volumes of data and commit multiple violations, or fail to appoint a DPO, cumulative exposure can reach millions of shekels. As a result, companies face significant financial risk, making the need to fill DPO positions critical.
How Do You Become a DPO?
The shortage of privacy professionals, combined with regulatory appointment requirements, has led to the rapid emergence of training programs. Academic institutions such as Tel Aviv University’s Faculty of Law, the Technion, Bar-Ilan University, Sapir Academic College, and the Hebrew University offer dedicated training tracks, most of them coordinated with or recognized by the Privacy Protection Authority. The Israel Bar Association offers practical workshops for lawyers seeking to familiarize themselves with the DPO role.
PrivMatch, a collaboration between Codex, Bachar, and attorney Yaakov Oz, offers comprehensive DPO training alongside placement services and a privacy expert database for organizations. In addition, technological training companies such as John Bryce and See Security offer DPO courses. John Bryce targets lawyers, information security professionals, compliance and regulation specialists, as well as project managers and risk managers.
Training durations vary widely, ranging from 40 to 80 academic hours and between eight and twenty sessions for comprehensive professional programs, alongside shorter introductory courses and workshops for those already serving as DPOs or preparing to enter the role. Course costs start at around NIS 5,000 and can reach NIS 20,000 for comprehensive programs that include cybersecurity management.