Welcome to the Proposed Regulations on Cross-Border Data Transfers
Hey there! Have you heard about the latest buzz from the US Department of Justice (DOJ)? On October 29, 2024, they dropped a bombshell by issuing a Notice of Proposed Rulemaking (NPRM) in the Federal Register. This NPRM is all about shaking things up with new regulations for cross-border data transfers to countries considered national security threats. And guess what? They want your input during a 30-day public consultation period. These regulations, if put into action, will set strict rules for companies dealing with sensitive data to safeguard crucial information and plug security holes.
Get to Know the Heart of the Proposed Regulations
Spotlight on Countries of Concern
The DOJ has named and shamed six nations as “countries of concern”: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. These countries have been singled out for activities that pose a threat to US national security.
Who’s in the Hot Seat? Covered Entities
The rules target “covered entities,” which means organisations in the US involved in collecting, processing, or transferring sensitive personal data overseas. Even businesses that handle these transfers for others are under the microscope.
Decoding Covered Data Transactions
A “covered data transaction” refers to moving sensitive personal data from a US-based organisation to someone in a country of concern. The goal? Tight regulation to ensure security and compliance.
Crucial Categories of Sensitive Personal Data
The proposal outlines six key types of sensitive personal data that trigger compliance requirements if thresholds are crossed:
- Genetic Information: Data from genetic testing or analysis. (Bulk threshold: 100 US persons)
- Biometric Data: Unique identifiers like fingerprints, retinal scans, or facial details. (Bulk threshold: 1,000 US persons)
- Health Information: Medical history, treatment details, or other health data. (Bulk threshold: 10,000 US persons)
- Financial Records: Account numbers, payment details, or credit card info. (Bulk threshold: 10,000 US persons)
- Geolocation Tracking: Detailed location tracking. (Bulk threshold: 1,000 US persons)
- Covered Personal Identifiers: Including data brokerage, vendor agreements, employment agreements, and investment agreements. (Bulk threshold: 100,000+ US persons)
Each category has specific volume and sensitivity thresholds that, when exceeded, mean following the new rules.
What’s Allowed and What’s Not in Cross-Border Data Transfers
The proposal splits transactions into two camps:
- Prohibited Transactions: These involve major national security risks or ultra-sensitive data and are a no-go.
- Restricted Transactions: Proceed with caution. These transfers need rigorous checks and green lights from US authorities.
Your Compliance To-Do List
Due Diligence Demands
Organisations must set up robust compliance programmes. This means digging deep into covered data transactions, assessing risks, and keeping an eye on foreign vendors and data recipients.
Recordkeeping Rules
Covered entities need to keep detailed records of:
- Types of sensitive data moved.
- Logs of data flows and destinations.
- Info on third-party vendors and partners in the transactions.
Store these records securely for at least 10 years for long-term accountability.
Annual Audits
Companies must conduct independent audits each year to verify compliance, security, and adherence to DOJ standards. These audits find weak spots and boost ongoing compliance.
Getting Ready for Compliance: Your Action Plan
To gear up for these regulations, here’s what you need to do:
- Review Your Data Flows: Check your international data transfers to see if you’re exposed to countries of concern.
- Build Strong Compliance Programmes: Craft internal policies to handle due diligence, recordkeeping, and audits.
- Train Your Team: Make sure everyone knows the new rules and can meet them.
- Get Expert Help: Partner with pros to navigate these rules and embed best practices in your workflows.
Formiti: Your Go-To for Compliance Triumph
Navigating changing regulations, especially with national security twists, can be tricky. That’s where Formiti comes in. They offer tailored services to help you navigate data privacy rules smoothly. With their expertise in global data protection laws, Formiti can guide you in setting up compliance frameworks, doing risk assessments, and staying on top of tough regulatory demands.
Secure your business’s future—team up with Formiti to meet the DOJ’s proposed requirements confidently and effortlessly.