In a rapidly evolving digital world, life sciences data privacyis becoming a top priority as life sciences companies are under increasing pressure to safeguard personal data while meeting a growing array of local, national and international privacy obligations. With every advancement in digitalization, from virtual clinical trials to cross-border data collaborations, the need for robust, compliant privacy practices becomes even more critical.
Navigating today’s global privacy landscape
Life sciences organizations face unique data privacy challenges due to the nature of their work. From handling sensitive data on healthcare professionals (HCPs) to managing multinational product development pipelines, companies must ensure personal information is processed lawfully across multiple jurisdictions. The fragmented legal landscape only heightens this complexity.
In the absence of a U.S. federal data privacy law, states continue to pass individual privacy laws, resulting in a patchwork of obligations. Meanwhile, international laws like the European Union’s General Data Protection Regulation (GDPR) remain highly influential, even for companies headquartered elsewhere due to its extraterritorial scope and principle-based approach to ensuring personal data is processed lawfully, fairly, and transparently.
Key developments currently shaping the regulatory environment include:
GDPR: Applies to organizations within and outside of the EU that process personal data of EU residents, setting a high bar for personal data processing standards including explicit informed consent and data subject rights.
The California Consumer Protection Act (CCPA): The first major U.S. state data privacy law which grants residents enhanced rights over their personal data and which opened the flood gates to some 20 other U.S. state privacy laws to date. The CCPA applies to certain businesses that collect personal data from California residents, regardless of where the business is located. The CCPA was strengthened by the California Privacy Rights Act (CPRA), which added new rights and limiting the use of sensitive personal information.
The California Online Privacy Protection Act (CalOPPA): An earlier California privacy law requiring websites that collect personally identifiable information from California residents to post their privacy policy online and may apply to smaller business that do not meet the CCPA’s applicability thresholds. Additionally, this policy must detail the information collected and with whom the information is shared.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) updates (2025): Updates to the HIPAA Security Rules include mandatory risk analysis, formal incident response plans, vendor oversight, updated technical safeguards and more. Additional protections for reproductive health data have also been added.
U.S. Department of Justice (DOJ) restrictions: As of April 2025, the DOJ, through the Data Security Program (DSP), prohibits the transfer of sensitive personal data, to include personal health data, amongst other categories like human 'omic data and biometric identifiers, to certain foreign entities. The DSP's definition of "bulk U.S. sensitive personal data" includes data that has been anonymized, pseudonymized, de-identified, or encrypted, provided it meets the specified bulk thresholds.
U.S. state law expansion: U.S. state data privacy laws are rapidly expanding, granting consumers significant control over their data; the Washington My Health My Data Act notably creates specific, strict protections for "consumer health data" falling outside of traditional HIPAA protections.
The European Health Data Space (EHDS): Adopted in early 2025, EHDS is a major EU initiative establishing a single, secure framework for sharing health data across borders, aimed at empowering individuals with control over their data while facilitating its reuse for research, innovation and policy-making under strict safeguards.
Implications for life sciences companies
These developments represent more than a compliance checklist — they require a shift in how companies collect, manage, share, secure or otherwise process personal data. The key impacts include:
Compliance complexity: The proliferation of state-level privacy laws in the U.S. necessitates a comprehensive approach to compliance, ensuring adherence to varying requirements across jurisdictions.
International data transfers: The DOJ rule, as well as the GDPR and the myriad of other international data protection regulations, impose stringent restrictions on how and when person data can be transferred, requiring companies to assess and potentially restructure international collaborations involving both personal and sensitive personal data.
Enhanced security measures: Updates to HIPAA and safeguards requirements established by other regulations underscore the need for organizations to have a thorough understanding of how they are protecting the confidentiality, availability, and integrity of personal data and assessing if those controls are adequate based upon the sensitivity of the data and potential negative impact the data could have if exposed.
Data minimization and purpose limitation: Laws like Maryland's Online Data Privacy Act emphasize the importance of establishing a data privacy program built upon data privacy best practices such as only collecting the personal data that is reasonably necessary and proportionate to provide the specific product or service and using that data solely for the specific purpose for which it was originally collected.
Building privacy resilience for the future
At Baker Tilly, our life sciences professionals help organizations stay ahead of the curve by designing and implementing tailored privacy programs that go beyond compliance. Our team of Value Architects™ builds scalable frameworks that align with evolving regulatory expectations, business operations and the unique needs of the life sciences industry.
Baker Tilly supports life sciences organizations in building sustainable privacy programs that meet today’s standards and anticipate tomorrow’s requirements. Our solutions include:
Privacy assessments
Policy and procedure development, including privacy manuals and training programs
Website and digital infrastructure risk reviews
Data mapping and repository creation for efficient rights response (GDPR/CCPA)
Clinical trial privacy advisory services
DPO advisory support
Privacy procurement protocols and checklists
We also recommend periodic program reviews to account for regulatory and operational changes. Our experienced professionals understand that privacy compliance is not one-size-fits-all. That’s why we design programs tailored to your size, operations and privacy maturity.
With the regulatory environment continuing to evolve, life sciences companies need a proactive alliance to manage risk and maintain trust. Baker Tilly’s life sciences team helps companies navigate complexity, build internal capability and establish the data privacy resilience organizations need to thrive.
