[ETR #25] GDPR, DSAR, PII & U


Extract. Transform. Read.

A newsletter from Pipeline.

Hi past, present or future data professional!

When I worked at Disney there was one line (aside from “Have a Magical Day”) that was borderline beaten into us: “We are all custodial employees.” The line meant, of course, to keep areas under your purview neat and presentable (“show ready” in Disney-speak).

Using the same logic, I’d like to emphasize that while the various data roles (data analyst, data scientist, data engineer, etc.) have their distinct responsibilities, we are all one thing:

Guardians of data security.

Ok, maybe that’s a bit dramatic. But to be even more dramatic, you should have 1.2 billion reasons to care about data privacy. That’s the amount Meta (the artist formerly known as Facebook) paid after violating perhaps the world’s most comprehensive data privacy framework, the EU’s General Data Protection Regulation (GDPR).

And if you think that’s an isolated incident, there are literally listicles being written about fines issued under just the GDPR; sure “20 biggest GDPR fines” doesn’t have the same ring as “30 Under 30”, but it is a stark compilation that should be taken seriously; it can happen to you (or your org).

As someone who has been the instigator of data privacy claims, I was shocked to find one (against a realtor illegally using my data for in-person solicitation) was taken deadly seriously while another (against a hospital that sent my wife’s health data to the wrong address) was met with a shrug.

Be the former. Doing that begins with understanding both your individual responsibility as someone who works with sensitive data AND understanding or spearheading any effort within your org to standardize sensitive data storage or encryption.

At an individual level

  • (Tactfully) Question requests that might unnecessarily require sensitive user data; do you really need a credit card and social security number?
  • Leverage cloud-based tools to encrypt data in-transit and at-rest; I’m partial to GCP’s Sensitive Data Protection suite
  • Work with your security team to restrict access to your data warehouse and any larger repositories that might contain sensitive data

At an organizational level

  • Hire or distinguish who is “in charge” of privacy; for the best results this probably shouldn’t be someone already busy like a director of data science
  • Define and adhere to a clear and consistent deletion policy (after x months we delete records)
  • Publicize your data privacy protection efforts and let your users know how to request a deletion

Aside from running an ethical operation and remaining transparent for users, why put this much effort into data protection?

To paraphrase Marshawn Lynch: I’m just doing this so I don’t get fined.

You won’t get fined if you don’t read these, but here are this week’s links.

Thanks for ingesting,

-Zach Quinn

Extract. Transform. Read.

Reaching 20k+ readers on Medium and nearly 3k learners by email, I draw on my 4 years of experience as a Senior Data Engineer to demystify data science, cloud and programming concepts while sharing job hunt strategies so you can land and excel in data-driven roles. Subscribe for 500 words of actionable advice every Thursday.

Read more from Extract. Transform. Read.

Extract. Transform. Read. A newsletter from Pipeline Hi past, present or future data professional! It’s hardly controversial to say debugging is everyone’s least favorite part of programming. One widely-used debugging method is the rubber duck method, popularized in Pragmatic Programming, which suggests you talk through your code, aloud, to an inanimate object. Being able to speak intelligently about what prompted a technical decision is one of the most underrated data engineering skills. One...

Extract. Transform. Read. A newsletter from Pipeline Hi past, present or future data professional! If you’re like me, in school you were always envious of your classmates that may not have applied themselves academically but were “good test takers.” Fortunately (for them at least), these folks would likely do well on what is quietly becoming the SAT of programming the GCA, or General Coding Assessment. Now, the General Coding Assessment isn’t any kind of board certifying test like the Bar...

Extract. Transform. Read. A newsletter from Pipeline Hi past, present or future data professional! While many tech-oriented companies have (in one way or another) reneged on remote working arrangements, my employer made an extreme gesture to demonstrate its commitment to the ongoing office-less lifestyle: It removed an entire floor of our two-floor New Jersey office space. Other companies, like Spotify, have unveiled slogans like “Our employees aren’t children. Spotify will continue working...