Data Privacy & Protection for Life Sciences Companies
Baker Tilly’s life sciences practice works with clients to manage their data privacy risks by designing, building and implementing data privacy programs. Our team of Value Architects™ develops privacy solutions that satisfy local and international privacy obligations with an eye towards future regulatory complexity.
Every increase in digitalization elevates the importance of safeguarding systems and data against unauthorized use and breach. Many countries have adopted data privacy and transparency legislation or rules, while in the U.S., the lack of a federal data privacy law has led to a patchwork of state and local obligations.
Baker Tilly’s life sciences practice is experienced in helping clients navigate the current privacy landscape. Our team understands the unique challenges that privacy obligations present to life sciences companies. Product research, development, marketing and commercialization often span multiple jurisdictions, each implicating different sets of privacy considerations. Life sciences companies also maintain and process vast amounts of personal information related to healthcare professionals (HCPs), adding another layer of risk unique to the industry.
Data privacy laws
As privacy regulation and data protection policies evolve across the globe, organizations will be held accountable under increasingly stringent regulations. It is imperative for organizations to have a sound privacy management program in place that addresses current and emerging issues as well as compliance. It's not just about compliance – it's about building a strong practice now, for tomorrow. Some of the key privacy requirements affecting life sciences companies today include:
The General Data Protection Regulation (GDPR)
GDPR is a comprehensive regulation adopted by the European Union (EU) covering the collection, processing, storage, and use of data in the EU. GDPR also applies to non-EU organizations that engage in specific activities, including offering goods and services to EU citizens and monitoring the online behavior of people in the EU.
The California Consumer Protection Act (CCPA)
CCPA is the most expansive privacy law passed to date in the United States. The law applies to certain California companies and to specific companies doing business in the state.
CCPA’s scope and the size of the California market mean that the law has significant extraterritorial reach and many organizations are adopting its provisions as a default privacy standard.
The California Online Privacy Protection Act (CalOPPA)
CalOPPA is an earlier California privacy law requiring websites that collect personally identifiable information from California residents to post their privacy policy online. Additionally, this policy must detail the information collected and with whom the information is shared.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA, among other things, required the United States Department of Health and Human Services (HHS) to establish standards to protect the privacy of patient information and control the use and access to a person’s medical information. The rules apply to “covered entities” and “business associates” and impose national standards around handling “protected health information.”
Our solutions
Baker Tilly helps life sciences companies meet new and existing privacy obligations through the following:
- Needs assessments to evaluate existing privacy controls
- Readiness assessments in advance of new laws or regulations becoming effective
- Policy, procedure, privacy manual and training development
- Website and digital infrastructure risk assessments
- Data repository construction
- Process and people mapping to allow companies to efficiently respond to an individual exercising a right under GDPR and/or CCPA
- Advisory services for companies navigating clinical trial site and study data privacy concerns
- DPO resourcing and selection
- Data privacy procurement protocols and checklists
Periodic review of an organization’s privacy program is an effective way to ensure that recent legal or administrative developments are reflected. Baker Tilly understands that there is not a “one size fits all” solution to meeting many privacy obligations. Our experienced team designs and implements plans to fit the size, operations and resourcing of our clients.