Case Study
Karuna
Transforming Data Protection into Strategic Value
How Kirke’s expertise powered Karuna’s successful clinical trials and acquisition.
Transforming Data Protection into Strategic Value
How Kirke’s expertise powered Karuna’s successful clinical trials and acquisition.
“We engaged Kirke in 2020 to guide us through our GDPR compliance implementation. Kirke developed a Privacy Program that was compliant with most data protection regulations around the globe and they acted as our DPO. During the acquisition process we went through with Bristol Myers Squibb (BMS), Kirke was instrumental in demonstrating that Karuna was compliant with data protection requirements. Subsequently, they played a key role in transitioning data protection policies, procedures and documentation to BMS.”
Karuna, a pioneering biopharmaceutical company focused on developing therapies for neurological and psychiatric conditions, including schizophrenia and Alzheimer’s disease psychosis, faced a critical challenge: safeguarding sensitive clinical trial data while strengthening data governance and data protection practices across a complex global environment and preparing for increased scrutiny related to growth and acquisition readiness.
As Karuna advanced global clinical trials, the organization needed to ensure sensitive clinical and personal data was handled responsibly and in compliance with evolving data protection regulations, including GDPR.
At the same time, Karuna faced increasing complexity in how data was managed across systems, vendors, and teams. Without clear visibility into data flows and accountability, there was growing risk not only from a compliance perspective, but also as the company prepared for increased scrutiny tied to growth and potential acquisition.
Karuna needed practical support to strengthen privacy, data protection, and data governance, while ensuring their data practices would stand up to regulatory review and due diligence from potential M&A opportunities.
Establishing a consistent, compliant approach to data protection and governance that adhered to global regulatory requirements while providing clear visibility into how sensitive data was handled.
Embedding privacy and data governance into day-to-day operations, so teams understood their responsibilities and data was managed consistently across the organization.
Gaining clarity and control over how vendors handled sensitive data, ensuring appropriate protections, accountability, and governance aligned with Karuna’s role as data controller.
Scaling privacy and data governance practices across regions and trials in a way that supported regulatory requirements without creating unnecessary complexity or operational burden.
Recognizing these challenges, Karuna partnered with Kirke to support and mature their privacy and data protection program, with a strong focus on data governance for sensitive and regulated data.
Rather than introducing heavy frameworks, Kirke focused on bringing structure, clarity, and consistency to how data was managed in practice. The work was designed to support both day-to-day operations and the documentation and transparency required for external review.
This approach helped Karuna move beyond reactive compliance toward more confident, well-governed data management.
Kirke conducted a comprehensive data mapping exercise to create clear visibility into how sensitive clinical and personal data was collected, used, shared, and stored across internal systems and third-party partners. This work supported both GDPR compliance and stronger data governance by clarifying data flows, ownership, and accountability, and culminated in the creation of a GDPR-compliant Record of Processing Activities (Article 30).
Kirke supported Karuna through a Data Protection Impact Assessment (Article 35) to identify and prioritize risks associated with regulated data. The findings informed the development of a practical data protection and governance structure, along with clear policies and Standard Operating Procedures (SOPs) that reflected how data was actually managed across the organization and could be sustained over time.
Kirke evaluated third-party vendor agreements and data relationships to ensure appropriate data protection obligations, governance expectations, and safeguards were in place. This work increased transparency into vendor data handling practices and helped Karuna meet its responsibilities as a data controller while reducing third-party risk.
Kirke guided Karuna through the certification process under the EU-US Data Privacy Framework, a more efficient data transfer mechanism that allows companies to bypass standard contractual clauses. This certification streamlined the process of signing contracts with vendors and clinical sites, reducing lengthy review and negotiation periods.
To support long-term sustainability, Kirke delivered targeted training and guidance that helped teams understand their roles in protecting and managing sensitive data. This approach reinforced a shared responsibility for privacy and data governance and supported consistent data handling practices across the organization.
Kirke’s strategic, practical and governance-led approach enabled Karuna to support global clinical trial approvals by demonstrating strong and compliant data protection and data governance practices. With clear visibility into sensitive data and well-documented controls in place, Karuna was able to meet regulatory expectations while maintaining momentum across its clinical programs.
As Karuna’s trials progressed, the organization’s strengthened privacy and data governance posture contributed to increased confidence from external stakeholders. This clarity and readiness became especially important as Karuna entered acquisition discussions with Bristol Myers Squibb, where data protection and governance practices were a critical component of due diligence.
Kirke’s work helped ensure Karuna could clearly demonstrate how sensitive data was governed, protected, and managed in practice. And how reducing risk and uncertainty during the diligence process supported a smooth acquisition.
Following the successful acquisition, Kirke continued to support the transition of Karuna’s data protection and governance program to Bristol Myers Squibb, helping ensure continuity, consistency, and sustained compliance post-transaction.
This engagement highlighted how strong privacy and data governance foundations not only support regulatory compliance, but also play a critical role in enabling business growth, value creation, and successful M&A outcomes.
Ready to transform data complexity into clarity? Tell us about your privacy, AI, or data strategy needs and we'll schedule a time to discuss how we can help.