Navigating the DOJ final rule on bulk sensitive personal data: What does it mean for your business?

By Sameer Ansari 

Managing Director, Privacy and Security practice

Multinational organisations must now comply with a sweeping new U.S. Department of Justice rule that restricts the transfer of bulk sensitive personal data to foreign adversaries. The rule, established under Executive Order 14117, went into effect earlier this month and introduces prohibitions and controls on data transactions involving countries of concern such as China, Russia, Iran, North Korea, Cuba and Venezuela.

Unlike traditional data privacy laws, this rule is rooted in national security and emphasizes the risk of seemingly lawful data transfers being exploited for espionage or coercion. It applies to covered data regardless of whether that data has been anonymised, pseudonymised, de-identified or encrypted. Organisations will need to rethink compliance strategies, especially around data discovery, inventory management and cross-border data flows.

Why it matters

The DOJ rule is fundamentally different from existing privacy regimes like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Its unique definitions, low thresholds, and security requirements necessitate a strategic approach that combines legal, operational and cybersecurity capabilities. I believe organisations should take immediate action in three key areas:

  • Establish holistic data inventories: Understand where sensitive data resides, how it's used and who has access to it.
  • Modernise business processes: Review and update operations to eliminate or isolate in-scope data transfers.
  • Implement targeted security controls: Align with the Cybersecurity and Infrastructure Security Agency’s (CISA) mandated controls for restricted transactions, including data minimisation, encryption, access management and ongoing audits.

What they say 

Todd Blanche, United States Deputy Attorney General

“If you’re a foreign adversary, why would you go through the trouble of complicated cyber intrusions and theft to get Americans’ data when you can just buy it on the open market or force a company under your jurisdiction to give you access? The Data Security Program makes getting that data a lot harder.”

What we say

The rule’s scope means organisations will need to strengthen their data classification and processing inventories, especially for U.S.-based operations, where such capabilities have lagged behind international counterparts. To avoid costly missteps, companies should prioritise business process-level assessments before diving into system-level discovery; use automation and more than one discovery tool to surface hidden data flows; and expand third-party due diligence to capture country-specific metadata, such as a vendor's ownership, jurisdiction of organisation and the locations from which its personnel access the data. Businesses should also consider redesigning their U.S. records of processing activities to capture the DOJ-specific data types and thresholds, and adopting data de-identification strategies that enable compliant restricted transactions.

The bottom line

In a climate where data can be a national security asset or liability, it is important companies have the clarity, tools and foresight to respond with purpose and precision. Organisations should start by conducting a readiness assessment to identify impacted systems, data sets, vendors and business processes. Transactions falling under prohibited categories, such as data brokerage involving genomic data, must cease. For restricted transactions, security controls and due diligence must meet CISA's high standards. Exemptions provide limited relief for routine business functions, but companies must document and justify their applicability.

Protiviti (www.protiviti.com) is a global consulting firm that delivers deep expertise, objective insights, a tailored approach, and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independent and locally owned Member Firms provide clients with consulting and managed solutions in finance, technology, operations, data, analytics, digital, legal, HR, governance, risk, and internal audit through our network of more than 85 offices in over 25 countries. 

Named to the 2024 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 80 percent of Fortune 100 and nearly 80 percent of Fortune 500 companies. The firm also works with smaller, growing companies, including those looking to go public, and with government agencies. Protiviti is a CMMC-AB RPO organisation and has been supporting companies with CMMC services for seven years. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

VISION by Protiviti is a global content resource exploring big, transformational topics that will alter business over the next decade and beyond. Written for the C-suite and boardroom executives worldwide, VISION by Protiviti examines the impacts of disruptive forces shaping the world today and in the future. Through a variety of voices and a diversity of thought, VISION by Protiviti provides perspectives on what business will look like in a decade and beyond.