Accueil
/ Publications
/ Service Sheets
/ Data Risk & Compliance: Navigating the DOJ’s DSP Final Rule

Data Risk & Compliance: Navigating the DOJ’s DSP Final Rule

FTI Consulting’s Data & Analytics team helps clients navigate their toughest data-driven challenges whether responding to high-stakes regulatory investigations and litigation, streamlining corporate operations, or driving innovation through the strategic deployment of advanced technology.

The National Security Division (“NSD”) of the U.S. Department of Justice (“DOJ”) has finalized a rule to implement Executive Order 14117 (“DSP” or “DSP Final Rule”), aimed at safeguarding sensitive personal and government-related data by restricting and prohibiting the transmission of “bulk” data to “countries of concern” or “covered persons.” To ensure conformity to the DSP Final Rule, the DOJ has imposed substantial consequences for both individuals and institutions which fail to adhere to the Executive Order, including civil penalties and criminal charges, effective on July 8, 2025. As such, companies should undertake good faith efforts immediately to ensure compliance with the DSP Final Rule.

To maintain effective data management, organizations must have a thorough understanding of their data, including the volume, data type, and counterparties involved in all current data intensive transactions. Additionally, companies must establish robust processes to analyze and monitor future transactions, ensuring ongoing visibility and control over their data landscape. This requirement can prove challenging for companies given the management of sprawling data estates within complex and disparate IT infrastructures. Further, common data protection controls such as encryption or redaction of sensitive data have been deemed insufficient by the DOJ and are prohibited per the terms of the rule, despite an organization’s efforts to obfuscate the information. Organizations must also review interactions with third parties who handle company-owned information and ensure both their processes and controls for handling data are rigorous enough to stand up to external audit scrutiny. Critically, recent DOJ guidance suggests that a U.S. company utilizing ad tracking pixels or software development kits on their website or mobile app may be categorized as a data brokerage and thus required to adhere to the DSP Final Rule.

How We Can Help

We provide clients with a broad range of data governance services that includes identifying, mapping, and securing applicable data to comply with the new DSP Final Rule. We have advised numerous clients on similar issues involving data privacy and sensitive data to conform with state and federal regulations or respond to litigation. For companies seeking to ensure compliance with the DSP Final Rule, FTI Consulting will collaborate with the client across all relevant business functions and third-party vendors to understand the universe of applicable data, relevant data transfers, and potential exemptions. Our experts leverage current technology, including AI, to deliver efficient solutions.

Data Identification & Classification

FTI Consulting helps organizations identify, classify, and map enterprise data to evaluate potential relevance to the DSP Final Rule across their ecosystem. Companies can often struggle to understand the full landscape of potential covered transactions due to historical mergers and acquisitions, technology migrations, siloed business units, employee turnover, and lack of reliable documentation. We team with clients to bring organization and clarity to the process through data discovery and data classification. Our experts will ensure companies understand the full set of data sets and data types that need to be securely managed to comply with the DSP Final Rule. We also help companies map and create lineage diagrams to document how data flows across the organization. Through these efforts, FTI Consulting will ensure clients have a full understanding of their data and any implications for the bulk data rule.

Data Security & Privacy

Companies need to ensure that the IT and data infrastructure has clear and documented procedures that support the protection of sensitive information in general and in relation to the DSP Final Rule. We perform targeted evaluations of systems at issue based on risk profile. We review existing company policies and help clients incorporate and implement key principles of data privacy by design into corporate policies and technical infrastructure to meet the current bulk data rule and prepare for future regulatory and legal standards. Our team also ensures clients appropriately handle identity access management to prevent unauthorized access to sensitive data covered by the bulk data rule. We create and enhance technology-driven solutions to flag potential issues for company review to ensure compliance. Our holistic risk-based approach of policies, controls, and systems determines whether existing processes meet the rule’s requirements or need enhancement and/or augmentation.

FTI COMPLY: Third-party Due Diligence Solution

Given the challenge of overseeing third parties in the face of additional regulatory scrutiny, FTI Consulting offers web-based proprietary tools for third party management that can be leveraged to validate vendor status as potential covered persons. Informed by our extensive experience in global investigations and due diligence matters on third parties, FTI Consulting’s solution is built on an interactive and customizable platform that enables companies to organize, track, and centrally manage third-party relationships. The solution incorporates automatic monitoring, workflow management, and risk profiling in a secure web-based platform, enabling personnel across jurisdictions to collaborate effectively.