May 7, 2025
DOJ Guidance on Bulk Sensitive Data Rules: Enforcement Grace Period and Prohibited Transactions
The DOJ has issued guidance to facilitate compliance with its final rules, referred to as the Data Security Program (DSP), implementing former President Biden’s Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. Though much of the guidance material rearticulates language in the DSP, it includes some notable new compliance information for organizations. This two-part article series highlights the key elements of the guidance, with commentary from Edward McNicholas, a partner at Ropes & Gray. This first installment covers the enforcement grace period, definitions of bulk data and covered persons, and prohibited transactions. Part two will distill guidance on restricted transactions, recordkeeping, reporting requirements, licenses and advisory opinions. See “Examining DOJ’s Final Rules on Access to Government and Sensitive U.S. Personal Data” (Jan. 29, 2025).
Benchmarking AI Governance Practices and Challenges
AI governance is critical to ensure systems are developed and used in a way that complies with legal, regulatory and ethical standards, and to mitigate potential risks, such as security vulnerabilities. IAPP and Credo AI surveyed more than 670 individuals from 45 countries about their organizations’ approaches to AI governance and issued a report with benchmarking data (Report), which includes steps taken by Mastercard, TELUS, Boston Consulting Group, Kroll, IBM, Randstad and Cohere. This article synthesizes the key takeaways from the Report and relevant insights shared during IAPP’s Global Privacy Summit 2025 by representatives of IAPP, Credo and IBM. See “AI Governance: Striking the Balance Between Innovation, Ethics and Accountability” (Feb. 12, 2025).
Rethinking Click-Through Training: Integration Into a Comprehensive Training Program
Given click-through training’s ease of deployment, scalability and trackability, its status as a compliance mainstay seems likely to persist. To deliver and reinforce long-lasting behavioral change, however, click-through trainings need to be embedded within a broader compliance training framework that mixes asynchronous online learning with live learning and leadership engagement. This final installment of a three-part series discusses how companies can embed click-through compliance training into a broader program and offers suggestions for choosing the right training vendor. The first article addressed the merits and drawbacks of click-through training. Part two offered suggestions on customization and strategies for measuring effectiveness. See “How Ericsson Made Compliance Training Must-See TV” (Apr. 23, 2025).
Most-Read Articles
- Apr. 16, 2025: Sale of 23andMe’s Genetic Data: Implications of the Motions for a Privacy Ombudsman and State Laws
- Apr. 9, 2025: Six Steps to Address the SEC’s Trump Era Cyber Enforcement Priorities
- Apr. 16, 2025: Checklist for AI Procurement
- May 7, 2025: DOJ Guidance on Bulk Sensitive Data Rules: Enforcement Grace Period and Prohibited Transactions
- Feb. 12, 2025: AI Governance: Striking the Balance Between Innovation, Ethics and Accountability
Women to Watch: Contributions, Achievements and Observations of Outstanding Female Professionals
To mark International Women’s Day, women editors and reporters at ION Analytics interviewed outstanding women in the industries and jurisdictions we cover. In this part, Law Report Group editors Jill Abitbol, Robin L. Barton and Megan Zwiebel profile notable women in data privacy, cybersecurity, private funds and anti-corruption law, including Anne-Gabrielle Haie, Jessica Lee, Micaela McMurrough, Laura Perkins, Amanda Raad, Madelyn Calabrese, Ranah Esmaili and Genna Garver. Enjoy reading their inspiring remarks here.