Navigating the DOJ Final Rule on Bulk Sensitive Personal Data: What Does It Mean for Your Business?
Three Action Items for Navigating the DOJ Final Rule
The U.S. Department of Justice’s (DOJ) new rule under Executive Order 14117 marks a significant shift in how businesses handle bulk sensitive personal data, especially regarding transfers to foreign adversaries like China, Russia and Iran. This regulation, rooted in national security concerns, goes beyond traditional privacy laws such as GDPR or CCPA by imposing stringent controls on data, even when anonymized or encrypted, if re-identification is possible. For businesses, the key challenge is to adapt compliance strategies to meet these requirements, safeguarding sensitive data while mitigating risks tied to espionage or coercion.
To navigate this complex regulatory landscape, organizations must prioritize several key actions. First, they need to build comprehensive data inventories to understand where sensitive information resides, how it’s used, and who has access to it. Second, business processes should be modernized to isolate or eliminate restricted data transfers. Third, robust security controls, including encryption, data minimization and regular audits, must be implemented in alignment with the Cybersecurity and Infrastructure Security Agency’s (CISA) standards.
Key Takeaways
- Develop detailed data inventories to map sensitive information and its usage.
- Update business processes to avoid or manage restricted data transfers effectively.
- Strengthen security measures with tools like encryption, audits and data minimization.
- Perform readiness assessments to identify risks and align practices with regulatory standards.