Tue, Nov 7, 2023

GDPR Assessment and U.S. Data Privacy Laws Action Plan for a Global Biopharmaceutical Company

A California-based clinical-stage biopharmaceutical company with U.S. and UK operations wanted to step up its compliance with U.S. and EU/UK data privacy laws. The company needed a privacy compliance roadmap to deploy adequate controls and governance, where necessary, to demonstrate appropriate and sustainable compliance and accountability with the General Data Protection Regulation (GDPR) and relevant U.S. data privacy laws, including HIPAA.



  • Biopharmaceutical

  • Compliance with privacy regulations
  • Data mapping, sanitization and retention
  • Operational workflows and employee privacy awareness

Kroll Services
  • Standards-based cyber risk assessments
  • Data mapping
  • Privacy program management
  • Transparent data mapping
  • Privacy controls, policies and training adaptable for long-term needs

The Challenge

The company collects and maintains anonymized and de-identified clinical trial patient data. However, when this data is linked with additional available personal information, the potential risk of re-identification of trial participants increases, raising potential privacy concerns. The company also collects personal information from vendors, partners, employees and other third parties.

The company already has an active compliance program in motion. Still, it wanted to show that it is dedicated to and capable of complying with the EU GDPR and major U.S. data privacy laws. To achieve this, the company enlisted Kroll’s expertise to craft a privacy compliance roadmap establishing the necessary controls and governance to support its goals.

The Solution

The client urgently needed an aggressive implementation timeline for launching clinical trials in the EU. To help them meet this goal, Kroll joined forces with Red Clover Advisors, a trusted privacy operations partner. We collaborated closely with the client’s compliance team and EU-based data protection officer to assess the company's core business, marketing activities and employee practices against the stringent requirements of the EU GDPR and various U.S. data privacy laws. To gather insight, our team interviewed key stakeholders to identify the scope of activities that process personal information, documenting the client’s collection, storage and access practices.

We subsequently configured the OneTrust Data Mapping module, tailoring it to fit the client’s specific needs. This comprehensive data map inventory became the cornerstone of our approach, enabling us to prioritize a holistic privacy compliance initiative. It allowed us to review the client’s data collection, sharing and consent practices thoroughly. In addition, our collaboration supported a variety of supplementary activities and best practices, including but not limited to:

  • Developing external and employee privacy notices
  • Establishing processes for individual rights requests
  • Building operational workflows, policies and training aligned with the OneTrust configuration
  • Customizing general employee privacy awareness and training programs supported by standard operating procedures (SOPs)

The Impact

The data mapping activities carried out by Kroll and Red Clover Advisors offered valuable insights into the storage and transfer of personal information. This transparency allowed the client to pinpoint potential risks related to its clinical trials, core business and privacy regulations. With this comprehensive understanding in hand, we helped the client establish detailed privacy controls, policies, SOPs and training materials. These crucial resources now form the foundation of a robust compliance program that addresses current regulatory requirements and serves as a proactive approach to meeting new privacy regulations. Throughout the process, we acted as a trusted partner, working hand in hand with the client to accomplish these tasks within an aggressive timetable.
Seeing our collaborative efforts result in tangible outcomes that benefit our clients and ensure their adherence to privacy regulations is always rewarding.
