Navigating the DOJ Final Rule on Bulk Sensitive Personal Data: What Does It Mean for Your Business?

By Protiviti

Three Action Items for Navigating the DOJ Final Rule

Understand the DOJ final rule on bulk sensitive personal data, a directive issued under Executive Order 14117 that sets strict controls on data transactions with certain countries. The U.S. Department of Justice's new rule introduces stringent limits on the transfer of bulk sensitive personal data to foreign adversaries, specifically targeting nations such as China, Russia, Iran, North Korea, Cuba and Venezuela. The regulation departs from conventional privacy laws because it is rooted primarily in national security: its aim is to prevent data transfers from being exploited for espionage or coercion. Unusually, it applies to anonymized and encrypted data as well, wherever there is a reasonable possibility of re-identification, which broadens its scope significantly. Organizations must therefore overhaul their compliance strategies, focusing on data discovery, inventory management and the governance of cross-border data flows.

Critical actions include establishing robust data inventories so the organization knows where sensitive data is stored, how it is used and who has access to it. Businesses must also modernize their operational processes to either eliminate in-scope data transfers or secure them properly. To meet the Cybersecurity and Infrastructure Security Agency’s (CISA) stringent requirements, targeted security controls such as data minimization, encryption, access management and regular audits must be implemented. Organizations should also undertake comprehensive readiness assessments to pinpoint the systems, data sets, vendors and business processes affected. Transactions that fall under restricted categories, such as data brokerage involving genomic data, must cease immediately. For transactions that remain permissible, meticulous documentation and justification of the exemptions claimed for routine business functions are essential.