On 8 April 2025, the US Department of Justice's Data Security Program, codified at 28 CFR Part 202 and implementing Executive Order 14117, took effect. By 6 October 2025, the affirmative compliance obligations had kicked in: written Data Compliance Programs, annual audits, recordkeeping, certifications, and annual reports for the restricted transactions that require them. The DOJ's stated non-enforcement window for good-faith compliance efforts had ended on 8 July 2025. Active enforcement was now on.
For US companies, and for the vendors that serve them, this is one of the most consequential cross-border regulatory developments of the decade. The rule treats certain data transactions with countries of concern, or with persons subject to their ownership, control or jurisdiction, as a national-security matter enforced under IEEPA, the same statute that underpins US sanctions programmes. Penalties run to civil fines of the greater of $368,136 or twice the value of the transaction, and, for willful violations, criminal penalties of up to $1 million and twenty years in prison. The rule applies regardless of whether the data has been anonymised, pseudonymised, de-identified, or encrypted.
For HR, BGV, and workforce services, the rule has structural implications that most CHROs and general counsels are still working through. Background verification data, employment records, payroll information, biometric verification artefacts, and identity documents collectively include several of the data categories the rule was specifically designed to protect. The offshore service delivery model that has underpinned global HR operations for two decades is, for the first time, a regulated activity rather than a commercial choice.
This is a landscape view of what the rule actually does, why HR data is in scope, and what the operational implications are.
The Six Categories of Covered Data
The DSP Rule protects six categories of US sensitive personal data, each with its own bulk threshold measured at any point in the preceding twelve months:
Covered personal identifiers, at more than 100,000 US persons. This is the broadest category and the one with the highest threshold. It includes any "listed identifier" (government-issued identifier, financial account number, device identifier, advertising identifier, network-based identifier such as an IP address or cookie, account-authentication data, and demographic or contact data such as full name, date of birth, address, phone number and email) when combined with, linked to, or linkable to any other listed identifier. For a US workforce of meaningful size, almost any HR or BGV database meets this threshold within months of operation.
Personal health data, at more than 10,000 US persons. The definition is broader than HIPAA's, including data such as height and weight that many businesses routinely collect without any HIPAA implications. For HR teams running employee wellness programmes, occupational health screening, or drug testing, this category is squarely in scope.
Personal financial data, at more than 10,000 US persons. Includes credit scores, account balances, transaction histories, income information, and payment data. Compensation records, payroll data, expense reimbursement information, and BGV credit check outputs all qualify.
Biometric identifiers, at more than 1,000 US persons. Fingerprints, voice prints, iris scans, facial recognition templates. Many BGV programmes use biometric identity verification at hire. Many HR operations use biometric attendance systems or biometric authentication for sensitive system access. The 1,000-person threshold is reached quickly.
Precise geolocation data, at more than 1,000 US devices. Location data accurate to within 1,000 metres. Employee monitoring systems, mobile workforce applications, and many enterprise security platforms generate precisely this data.
Human 'omic data, at more than 1,000 US persons, with a lower threshold of more than 100 US persons for human genomic data. Genomic, proteomic, epigenomic, transcriptomic data. This category receives special treatment: transactions involving bulk human 'omic data (or human biospecimens from which it can be derived) with countries of concern or covered persons are prohibited outright, even with the CISA security requirements in place.
Once a dataset crosses a threshold it is bulk US sensitive personal data, and the rule's prohibitions and restrictions attach. The thresholds are measured at any point in the preceding twelve months and are aggregated across covered data transactions between the same US person and the same foreign counterparty, so multiple smaller transactions with the same counterparty add up. The thresholds are low enough that any meaningful HR or BGV operation working with a US workforce crosses several of them in the normal course of operations.
The Countries of Concern and the Covered Persons
The DSP Rule restricts data flows to two categories of recipients: countries of concern, and covered persons.
The countries of concern are six: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. The DOJ’s stated rationale is that these jurisdictions have demonstrated intent and capability to use US government-related data and Americans’ bulk sensitive personal data to commit espionage, conduct surveillance, develop AI and military capabilities, and otherwise undermine US national security.
The covered persons category is where the rule's reach extends significantly beyond the obvious. The test turns on where an entity is organised and who owns it, and on where an individual primarily lives and whom they work for; it does not turn on citizenship. Covered persons include:
— Foreign entities organised or chartered under the laws of, or with their principal place of business in, a country of concern.
— Foreign entities that are 50% or more owned, individually or in the aggregate, by countries of concern or covered persons.
— Foreign individuals who are primarily resident in a country of concern.
— Foreign individuals who are employees or contractors of a country of concern, or of any covered person entity, regardless of where the individual personally lives or works.
— Anyone, wherever located, specifically designated by the US Attorney General as a covered person based on conduct or affiliations.
Two consequences follow. A US person is not a covered person unless designated, even if that person is a citizen of a country of concern. And a national of a country of concern living in a third country is not a covered person on the basis of citizenship alone, but becomes one if primarily resident in a country of concern, if employed or contracted by a covered person entity, or if designated.
The breadth of this definition is what catches most companies off-guard. An engineer primarily resident in China who works remotely for an Indian software company is a covered person. A German engineering firm that is 51% owned by a Russian holding company is a covered person, and so is every foreign employee and contractor of that German firm, wherever they sit. An Indian BPO whose staff includes such an individual with logical access to client data is, with respect to that individual's access, engaged in a covered data transaction.
The pattern most companies discover when they begin their data compliance program work is that the covered persons exposure is significantly broader than they expected, and almost none of their existing vendor due diligence captured it.
The Four Transaction Types
The rule applies to four specific transaction types that involve access by a country of concern or covered person to bulk US sensitive personal data:
Data brokerage transactions with countries of concern or covered persons are prohibited outright. This is the strictest category. Selling, licensing, or otherwise commercially transferring bulk sensitive data to these counterparties is not permitted, and contractual safeguards cannot cure the prohibition.
Vendor agreements that grant access to bulk sensitive data are restricted transactions. They can proceed, but only if the US company implements the CISA Security Requirements, maintains a Data Compliance Program, keeps the required records, performs annual audits, and files annual reports where the rule requires them (restricted transactions involving cloud-computing services where the US person is 25% or more owned by a country of concern or covered person).
Employment agreements that grant access to bulk sensitive data are also restricted transactions, with the same compliance overhead. This includes US companies hiring covered persons as employees — including remote employees, contractors, and certain categories of consultants.
Investment agreements where covered persons take equity positions that include access to or governance over bulk sensitive data are similarly restricted.
For HR, BGV, and workforce services, the vendor and employment transaction types are the operational core. A US company that engages an offshore BGV vendor whose workforce includes covered persons is engaged in a restricted transaction. A US company that hires a covered person as a remote employee with access to HR data is engaged in a restricted transaction. The structure of the relationship — whether it is labelled vendor, contractor, employee, or consultant — does not change the analysis.
Why “Access” Is the Word That Matters
One of the most operationally significant aspects of the rule is the definition of "access." In the final rule text and the published FAQs, access means logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive covered data in any form, including through IT systems, cloud platforms, networks, security systems, equipment or software. Whether a transaction involves access is determined without regard to whether the CISA security requirements or any other safeguard has been applied.
The practical effect is that role-based access controls do not take a transaction out of scope. If a covered person holds credentials on, or has a path into, a system containing bulk sensitive personal data, the rule treats the transaction as one involving access, and the vendor or employment agreement behind it is restricted (or, for data brokerage and human 'omic data, prohibited). The risk the rule targets is the existence of the access pathway, not whether the pathway is currently being exercised.
This matters for how companies have historically thought about data segregation. The instinct, with sensitive data and a globally distributed workforce, has been to give everyone logical access to the underlying systems and let entitlements enforce segregation. Under the DSP Rule that approach does not avoid the compliance burden for covered persons: the transaction is still restricted, so the Data Compliance Program, recordkeeping and audit obligations attach, and the controls themselves have to meet the CISA requirements rather than the company's own standard. Where the business would rather not carry that overhead, the architecture has to keep covered persons out of any position to access the data in the first place: separate systems or tenants, or data that is never present in the environment they can reach, rather than a deny rule on a shared platform.
The CISA Security Requirements published alongside the rule set the bar. At the organisational and system level they require, among other things, an asset inventory, identity and access management, logical access restrictions, vulnerability remediation and logging. At the data level, organisations must "implement a combination of mitigations, which taken together prevents access to covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology" by covered persons, drawing on data minimisation and masking, encryption with keys kept out of the reach of covered persons, privacy-enhancing techniques, and access configurations that deny covered persons. The mitigations have to be cumulative and demonstrable under audit, not just policy-driven.
Why “We Don’t Operate in China” Doesn’t End the Inquiry
The most common initial reaction US companies have to the DSP Rule is to check whether they have operations in China or any other country of concern, conclude they do not, and assume the rule does not apply. The covered persons definition makes this short-circuit unreliable.
A US company with no operations in any country of concern can still be engaged in covered data transactions through:
Its offshore vendor stack, where vendors in third countries (India, the Philippines, Eastern Europe, Latin America) may employ or subcontract covered persons: staff who are primarily resident in a country of concern and work remotely, staff who are also employees or contractors of an entity headquartered or majority-owned in a country of concern, or individuals who have been designated. Nationality alone does not make a third-country worker a covered person, but due diligence that looks only at where the vendor is incorporated misses every one of these cases. Such individuals' access to US client data, depending on the role and the data category, can constitute a covered data transaction.
Its remote workforce, where US companies have hired internationally distributed talent through Employer of Record arrangements, contractor agreements, or direct employment in third countries. Each such individual's primary residence, other employment or contracting relationships, and designation status need to be considered against the covered persons definition.
Its sub-processor and downstream vendor chain, where the primary vendor’s own vendors may have covered persons exposure that the primary contract did not surface.
Its corporate ownership structure, where investors at the parent or holding company level may include entities with country-of-concern ties that bring the operating entities within the covered persons net through the 50% beneficial ownership test.
Its cloud and infrastructure providers, where the underlying platform may include personnel or sub-processors that introduce covered persons exposure into the data chain.
For most large US companies, the actual covered persons exposure picture is significantly more complicated than the initial “do we operate in China” question would suggest. The DOJ’s stated expectation, in the Compliance Guide, is that companies map their data flows specifically against the rule’s framework and document the analysis. The good-faith effort examples published by the DOJ — reviewing internal datasets, renegotiating vendor agreements, adjusting employee work locations and roles — make clear that the agency expects companies to find and remediate exposure they had not previously noticed.
The Indian BPO and GCC Question
For India-based BGV and workforce services vendors, the rule creates both an opportunity and a structural compliance burden.
India is not a country of concern. An Indian-owned, Indian-operated BGV vendor is, on its face, outside the rule's scope. But the rule's reach extends to where personnel are resident and whom else they work for, and to the beneficial ownership of corporate counterparties. For an Indian vendor serving US clients, the operational implications are specific:
Workforce composition matters. Personnel who are covered persons, whether because they are primarily resident in a country of concern and work remotely, are also employees or contractors of a covered person entity, or have been designated, represent covered persons exposure with respect to US client data they may access. Vendors who can certify the absence of such exposure across their workforce will be differentiated from those who cannot.
Beneficial ownership matters. An Indian vendor with less than 50% aggregate ownership by countries of concern and covered persons is outside the entity test. An Indian vendor with 51% Chinese investment is a covered person entity, every US client engagement that gives it access to bulk data is a restricted transaction, and any data brokerage or human 'omic data transaction with it is prohibited. Many Indian vendors have foreign investment that has not been mapped against the covered persons criteria.
Sub-processor chains matter. The Indian vendor’s own vendors — cloud providers, infrastructure, software, sub-contracted services — need to be mapped. Exposure several levels down still flows up the chain.
Documentation and certification matter. US clients are increasingly going to require their Indian vendors to provide structured attestation of the above, supported by documentation that survives audit. Vendors who can do this efficiently will win business. Vendors who cannot will lose it.
For the Indian Global Capability Centre model — captive offshore operations of US multinationals — the same analysis applies, with additional complexity around personnel rotation, contractor pools, and parent-subsidiary corporate group exemptions that may or may not apply depending on the transaction structure.
The Penalty Architecture
The DSP Rule has serious teeth. Civil violations carry penalties of the greater of $368,136 per violation or twice the value of the transaction. Willful criminal violations carry fines of up to $1 million and imprisonment of up to twenty years per individual.
Civil penalties apply to whichever person, corporate or individual, engaged in the violation; criminal liability requires willfulness and reaches individuals as well as companies. Senior executives, compliance officers, and directors who knowingly authorise or facilitate prohibited transactions, or who knowingly structure transactions to evade the rule, face personal criminal exposure. The DOJ has indicated that willful violations and attempts to evade were never covered by the good-faith effort window that governed civil enforcement in the first months of the rule.
Violations can also surface through DOJ whistleblower award programmes: individuals, US or foreign, who provide information leading to a successful enforcement action with monetary penalties exceeding $1 million may be eligible for awards. That creates an incentive for current and former employees, contractors, and counterparties to report suspected violations, which is likely to make detection more efficient over time.
The Enforcement Posture
The DOJ National Security Division has begun active enforcement following the October 2025 transition. Civil and criminal cases are being built. Annual reports, due by 1 March each year for the restricted cloud-computing transactions that require them, are giving the NSD a structured data set against which to identify outlier patterns. Whistleblower tips are flowing in. The DOJ's Compliance Guide and FAQ updates suggest the agency's enforcement priorities are first on willful and egregious violations, with a secondary focus on companies that have made no good-faith effort to scope or remediate.
For HR and BGV teams, the inflection point is now. The good-faith effort defence is no longer available to companies that have not started the compliance work. The annual certification requirement makes the question of “is your data compliance programme real or paper” auditable in a way that retroactive remediation cannot cure.
The Question That Sits Underneath
What the DSP Rule is doing — beyond the immediate compliance lift — is changing the structural definition of what it means to be a US workforce or vendor counterparty. Historically, sourcing decisions in HR and BGV have been driven by cost, capability, and capacity. Now they are also driven by structural compliance posture. A vendor’s workforce composition, its beneficial ownership, its sub-processor chain, and its ability to certify the absence of covered persons exposure have become commercial differentiators.
The vendors who internalise this and rebuild their structures and certifications to match will compete for higher-value work. The vendors who do not will gradually be screened out. For US companies, the work of mapping, remediating, and continuously certifying is no longer optional.
The compliance window is no longer open. Enforcement is live. The next twelve to eighteen months will determine which organisations were paying attention in 2025 and which were not.
AMS Inform provides background verification and workforce screening services across 160+ countries, with operations structured to support clients’ DSP compliance requirements. For US organisations pressure-testing their offshore BGV stack against the rule, visit AMSinform.com to speak with our team.