Preparing for the New Data Security Program, Part 1

Yesterday, I introduced the Department of Justice’s (DOJ) new Data Security Program (DSP), which was released on April 8, 2025, and implemented under Executive Order 14117. Today, I want to begin reviewing key actions you can take now to prepare for the full effective date of October 6, 2025. We will complete our review of key steps to take tomorrow.

1. Review your current data governance and privacy policies—align them with DSP risk categories.

Data governance is no longer just about classification and access rights; it’s now a frontline national security function. The DSP requires fundamentally rethinking how organizations define, inventory, and control sensitive data. Compliance officers must start with a forensic review of current data governance frameworks: What data are you collecting? Who touches it? Where does it live? Who can access it, and how is it transferred internally and externally? Once mapped, each dataset must be examined through the DSP lens: Is it government-related? Does it contain bulk sensitive personal data? Is it linked to current or former U.S. government personnel? These are not simply IT questions. These are compliance questions with profound legal implications.

Next, organizations must evaluate their privacy policies for blind spots. Many policies were written for GDPR or CCPA, not for adversarial data exfiltration by foreign intelligence services. If your data policies are not risk-aligned to DSP categories, such as data brokered to third parties or aggregated in ways that make re-identification likely, you are flying blind in a regulatory minefield. This isn’t a call for a quick redline but a strategic overhaul of how you structure data controls, policies, and risk frameworks. Collaborate with your CISO, but lead with your compliance hat on. The DOJ is not asking for IT security alone; it is demanding accountable, auditable compliance with national security-grade rigor. Treat this like an FCPA compliance program: document everything, know your risk vectors, and escalate anomalies. The age of “data policy as an afterthought” is over. In the DSP era, data is not just a privacy concern but a geopolitical flashpoint.

2. Audit your third-party vendor agreements for exposure to covered persons or countries of concern.

Third-party risk just got geopolitical. Under the DSP, vendor due diligence has become a national security obligation. You must now screen not only for performance and financial viability but also for whether any foreign vendor, subcontractor, or partner is a “covered person” or tied to a country of concern like China, Russia, Iran, North Korea, Venezuela, or Cuba. Even indirect ownership or residency triggers a compliance obligation. That friendly cloud storage provider with a branch in Shenzhen? That IT support firm subcontracting code maintenance to Belarus? They may now be regulatory liabilities under the DSP.

Start with a comprehensive audit of all current vendor agreements, focusing on data-sharing terms, sub-licensing permissions, and geographic exposure. Can the vendor access, process, or host government-related or bulk sensitive personal data? If so, is there a clause prohibiting onward transfer to covered persons or countries of concern? If not, you’re potentially out of compliance. You may need to renegotiate or terminate contracts that create risks you can’t control. Relying on “we didn’t know” is insufficient, as the DSP holds U.S. persons accountable for failing to implement reasonable and proportionate due diligence.

Also, consider implementing a DSP-specific screening protocol that goes beyond sanctions and AML lists and includes the DOJ’s Covered Persons List. Integrate this into your vendor onboarding, renewal, and periodic review processes. Remember, under the DSP, even inadvertent exposure can constitute a violation. That means it’s no longer enough to run a vendor through OFAC and call it a day. You need a national security screening lens. Compliance must lead this effort, not procurement, legal, or IT. If a vendor relationship enables DSP-prohibited access, the legal liability will land squarely on your doorstep.

3. Draft contractual clauses that prohibit data resale or access by covered entities.

The DSP has thrown a wrench into how we think about contract drafting. Referencing generic data use terms or standard confidentiality clauses is no longer sufficient. You’re exposed if your contracts do not explicitly prohibit the onward sale or transfer of covered data to countries of concern or covered persons. Under the DSP, exposure is not simply reputational but both civil and criminal.

Compliance teams should immediately collaborate with legal and procurement to update all relevant agreements. That includes data-sharing contracts, licensing, cloud service agreements, vendor onboarding templates, and M&A data room protocols. Insert clauses prohibiting foreign counterparties from transferring sensitive personal or government-related data to any covered person or country of concern. Go further: mandate that they notify you of any suspected breach and certify compliance annually.

Do not stop at language insertion. Require enforceability mechanisms, termination clauses, indemnification provisions, and audit rights. The DOJ clarified that including boilerplate language will not shield you from enforcement. You may have committed a prohibited transaction if you knew or should have known that a foreign vendor resold data to a hostile actor. Even the best legalese won’t save you without operational controls to back it up.

Consider maintaining a DSP Clause Library, a set of pre-approved terms for use across contracts by legal and compliance staff. Train your contract managers on red flags. Build escalation protocols when counterparties push back. And do not forget to update your templates as the DOJ issues more guidance. In short, think of DSP compliance clauses the way you would anti-corruption reps and warranties in an FCPA context: a first line of defense, but only effective when part of a broader compliance architecture.

The Department of Justice’s new Data Security Program, effective October 6, 2025, is a game-changer for corporate compliance. It redefines data governance as a national security obligation, requiring companies to align privacy policies with DSP risk categories and scrutinize third-party vendors for ties to covered persons or countries of concern. Compliance professionals must proactively draft enforceable contracts, build auditable training and reporting systems, and educate C-suites and boards that DSP is not “just privacy”; rather, it is national security compliance. With the clock ticking, the time to act is now. Join us tomorrow for Part 2, where we continue the roadmap to DSP readiness.
