Extract. Transform. Read.

A newsletter from Pipeline.

Hi past, present or future data professional!

​When I worked at Disney there was one line (aside from “Have a Magical Day”) that was borderline beaten into us: “We are all custodial employees.” The line meant, of course, to keep areas under your purview neat and presentable (“show ready” in Disney-speak).

Using the same logic, I’d like to emphasize that while the various data roles (data analyst, data scientist, data engineer, etc.) have their distinct responsibilities, we are all one thing:

Guardians of data security.

Ok, maybe that’s a bit dramatic. But to be even more dramatic, you should have 1.2 billion reasons to care about data privacy. That’s the amount Meta (the artist formerly known as Facebook) paid after violating perhaps the world’s most comprehensive data privacy framework, the EU’s General Data Protection Regulation (GDPR).

And if you think that’s an isolated incident, there are literally listicles being written about fines issued under just the GDPR; sure “20 biggest GDPR fines” doesn’t have the same ring as “30 Under 30”, but it is a stark compilation that should be taken seriously; it can happen to you (or your org).

As someone who has been the instigator of data privacy claims, I was shocked to find one (against a realtor illegally using my data for in-person solicitation) was taken deadly seriously while another (against a hospital that sent my wife’s health data to the wrong address) was met with a shrug.

Be the former. Doing that begins with understanding both your individual responsibility as someone who works with sensitive data AND understanding or spearheading any effort within your org to standardize sensitive data storage or encryption.

At an individual level

• (Tactfully) Question requests that might unnecessarily require sensitive user data; do you really need a credit card and social security number?
• Leverage cloud-based tools to encrypt data in-transit and at-rest; I’m partial to GCP’s Sensitive Data Protection suite
• Work with your security team to restrict access to your data warehouse and any larger repositories that might contain sensitive data

At an organizational level

• Hire or distinguish who is “in charge” of privacy; for the best results this probably shouldn’t be someone already busy like a director of data science
• Define and adhere to a clear and consistent deletion policy (after x months we delete records)
• Publicize your data privacy protection efforts and let your users know how to request a deletion​

Aside from running an ethical operation and remaining transparent for users, why put this much effort into data protection?

To paraphrase Marshawn Lynch: I’m just doing this so I don’t get fined.

You won’t get fined if you don’t read these, but here are this week’s links.

• ​Just Another Day Working At Pandemic-Era Disney World​
• ​GDPR​
• ​20 biggest GDPR fines so far [2024] – Data Privacy Manager​
• ​How to Write A DSAR (With Template)​
• ​A Hospital Leaked My Family’s Data. So I Taught It About Data Privacy.​
• ​Clear Storage: The Ethics of Retention Policies for Stored Facial Images​
• ​4 Reasons Why Data Privacy Regulation Is Good For Data Science​

Thanks for ingesting,

-Zach Quinn