Man analyzes data on the computer

Data Privacy & Protection for Life Sciences Companies

Satisfy regulatory obligations through customized privacy support which protects the personal information of employees and clients.

Baker Tilly’s life sciences practice works with clients to manage their data privacy risks by designing, building and implementing data privacy programs. Our team of Value Architects™ develops privacy solutions that satisfy local and international privacy obligations with an eye towards future regulatory complexity.

    Every increase in digitalization elevates the importance of safeguarding systems and data against unauthorized use and breach. Many countries have adopted data privacy and transparency legislation or rules, while in the U.S., the lack of a federal data privacy law has led to a patchwork of state and local obligations. 

    Baker Tilly’s life sciences practice is experienced in helping clients navigate the current privacy landscape. Our team understands the unique challenges that privacy obligations present to life sciences companies. Product research, development, marketing and commercialization often span multiple jurisdictions, each implicating different sets of privacy considerations. Life sciences companies also maintain and process vast amounts of personal information related to healthcare professionals (HCPs), adding another layer of risk unique to the industry. 

    Data privacy laws

    With a rise in privacy regulation and data protection policies evolving across the globe, organizations will be held accountable by increasingly stringent regulations. It is imperative for organizations to ensure a sound privacy management program is in place that addresses current and emerging issues and compliance. Because it’s not just about compliance – it’s about building a strong practice now, for tomorrow. Some of the key privacy requirements affecting life sciences companies today include:

    The General Data Protection Regulation (GDPR)

    GDPR is a comprehensive regulation adopted by the European Union (EU) covering the collection, processing, storage, and use of data in the EU. GDPR also applies to non-EU organizations that engage in specific activities, including offering goods and services to EU citizens and monitoring the online behavior of people in the EU.

    The California Consumer Protection Act (CCPA)

    CCPA is the most expansive privacy law passed to date in the United States. The law applies to certain California companies and to specific companies doing business in the state.

    CCPA’s scope and the size of the California market mean that the law has significant extraterritorial reach and many organizations are adopting its provisions as a default privacy standard.

    The California Online Privacy Protection Act (CalOPPA)

    CalOPPA is an earlier California privacy law requiring websites that collect personally identifiable information from California residents to post their privacy policy online. Additionally, this policy must detail the information collected and with whom the information is shared. 

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

    HIPAA, among other things, required the United States Department of Health and Human Services (HHS) to establish standards to protect the privacy of patient information and control the use and access to a person’s medical information. The rules apply to “covered entities” and “business associates” and impose national standards around handling “protected health information.”