DOJ's Data Security Program Deadline Approaches — Key Implications for Companies
Daily Brief

The DOJ’s Data Security Program (DSP) rule takes effect October 6, 2025, tightening restrictions on sensitive U.S. data transactions involving designated countries. The practical work now is unglamorous but urgent: map data flows, constrain access, and build an auditable compliance program before enforcement risk becomes real.

DOJ DSP rule: cross-border sensitive data controls move from “privacy best practice” to enforcement requirement

WilmerHale flagged the approaching compliance deadline for the Department of Justice’s Data Security Program (DSP) rule, effective October 6, 2025. The rule introduces restrictions on the flow of sensitive data from the U.S. to “designated countries” identified as national security threats, including China and Russia. For organizations, this is not limited to obvious data exports; it can implicate routine business arrangements—such as vendor agreements and some employment relationships—if they involve access to bulk sensitive data.

The alert emphasizes that companies are expected to have a compliance program in place, report restricted transactions, and implement data security measures designed to prevent prohibited or risky transfers. DOJ frames the DSP as a national security measure aimed at preventing foreign adversaries from exploiting personal data for espionage or other harmful activity. WilmerHale also notes the enforcement exposure: firms that miss the mark could face civil and criminal penalties, and the breadth of “sensitive” data definitions may pull in organizations that do not currently view themselves as operating in a high-risk category.

  • Data mapping becomes a control surface. Teams will need defensible inventories of cross-border data flows and remote access paths (including vendor and contractor access) to determine where DSP restrictions bite.
  • Vendor and identity assurance move up the stack. Risk-based procedures to verify who is accessing what data—and from where—become compliance artifacts, not just security hygiene.
  • Operational burden is long-lived. WilmerHale highlights annual reporting expectations for restricted transactions and a 10-year record retention posture, which will affect logging, evidence collection, and audit-readiness design.
  • Synthetic data and minimization may become pragmatic mitigations. Where “bulk sensitive data” is the trigger, engineering options that reduce exposure (minimization, segmentation, or synthetic substitutes for analytics/testing) can lower the number of transactions that become compliance problems.