Data Subject Rights and Request Handling Questions
Operationalizing individual rights: access, rectification, erasure, portability, restriction, and objection requests. Covers identity verification, response timelines, locating data across systems to fulfill a request, and handling edge cases and exemptions. Includes designing systems that can execute deletion and export reliably at scale.
HardTechnical
79 practiced
Propose a data and model governance policy for an organization that must comply with GDPR and allow data subject access requests (DSARs). Cover data retention, model explainability, deletion handling, and audit trails.
Sample Answer
Policy goals: GDPR compliance, enable DSARs, maintain auditability. Components: 1) Data inventory & classification: catalog personal data, processors, retention policies. 2) Data retention & deletion: enforce purpose-based retention (e.g., store personal data only as long as needed), implement automated deletion workflows in data stores and feature store; flag datasets used for models and keep provenance metadata. 3) DSAR handling: provide processes to retrieve all personal data and model-inference records within legal timelines; support data export and deletion requests. For model outputs: retain inference logs (user id hash, input fingerprint, model version, prediction, timestamp) for X months (balanced with minimization) to answer DSARs. 4) Model explainability: maintain model cards and per-model documentation (training data scope, features, performance, known biases). Provide counterfactual explanations and local explanations (SHAP summaries) for subject requests where feasible. 5) Deletion handling: when data subject requests deletion, remove personal data from raw stores and mark affected model training data; schedule retrain pipeline to remove influence (if immediate removal required, consider targeted unlearning or retraining from retained data sans deleted records). 6) Audit trails: immutable logs of data access, model training runs, dataset and model version hashes, approvals, and deployments. 7) Governance: data protection officer oversight, periodic audits, role-based access, encryption, and retention review. Trade-offs: full retraining on deletion is expensive; implement selective unlearning or document limits and communicate to DSAR requesters. This policy balances compliance, explainability, and operational feasibility.
Unlock Full Question Bank
Get access to hundreds of Data Subject Rights and Request Handling interview questions and detailed answers.