GDPR Principles and Compliance Questions
The General Data Protection Regulation in depth: the six lawful bases, data subject rights, accountability and records obligations, DPO requirements, and enforcement and fines. Covers how GDPR principles translate into concrete engineering and product controls. Includes controller and processor obligations and demonstrating compliance.
HardTechnical
83 practiced
Discuss how GDPR and similar regulations affect the ML lifecycle. Specifically address data subject access and deletion requests, the right to explanation, data minimization, and how you would design data pipelines and model versioning so you can delete or anonymize data while preserving auditability and reproducibility of models.
Sample Answer
Situation: As a data scientist building production ML, regulations like GDPR/CCPA change how you collect, store, train, and serve models. Below I outline concrete design patterns and trade-offs that satisfy data subject access/deletion, right-to-explanation, data minimization, and preserve auditability/reproducibility.Key requirements and implications- Data subject access/deletion (DSAR): must be able to locate an individual’s personal data and delete or export it.- Right to explanation: must give meaningful information about automated decisions (features, logic, confidence).- Data minimization: only keep data necessary for purpose; limit retention.- Auditability & reproducibility: keep enough metadata to reproduce model behavior without storing personal data indefinitely.Design patterns and practices1. Data catalog & lineage- Maintain a catalog with schema, source, consent status, retention policy, and lineage pointers (not raw PII).- Use unique stable record IDs in raw store; store a hash/pseudonym of PII (salted, keyed) rather than plain PII for indexing.2. Pseudonymization & reversible mapping- Store PII in an encrypted, access-controlled "PII vault" separate from feature stores.- Feature store holds only pseudonyms (hashes) and derived features. On DSAR delete, remove mapping in PII vault and scramble the pseudonym so the subject cannot be re-identified.- Benefit: downstream features remain but cannot be re-associated to the subject.3. Feature store & tombstoning- Implement feature-level tombstones: when a subject is deleted, mark corresponding feature rows as deleted or nullify sensitive features.- Keep immutable feature version metadata (which transformation, code commit, feature version) without storing PII.- Use retention windows and TTLs to enforce minimization.4. Model training, versioning and reproducibility- Store training artifacts immutably: code repo commit hash, training data query (SQL or data snapshot identifier), feature transformation pipelines, random seeds, dependencies, and hyperparameters.- For privacy, training "data snapshot identifier" should reference encrypted snapshots or a manifest of hashed record IDs (not raw PII). This allows reproducibility of the exact dataset selection while not storing PII.- If a deletion occurs after training, you must evaluate legal requirements: GDPR may require model update/removal if personal data materially contributed. Options: - Retrain model on a dataset with deleted records removed (best compliance). - Use unlearning techniques (machine unlearning, influence functions, sharding, SISA) to remove influence of specific records without full retrain for efficiency.- Keep model lineage linking model artifact → training manifest → feature versions → code commit. This preserves auditability (who, when, how) without leaking PII.5. Right to explanation- Produce model cards and decision explanations: feature importances (SHAP/LIME), counterfactuals, confidence intervals, and decision rules. Store these artifacts per model version.- For deterministic explanations, log the feature vector (non-PII or hashed) used to make the decision and the explanation artifact. For DSAR access, decrypt mapping if user requests their data export (from PII vault) and show the related decision explanation.6. Data minimization & synthetic / DP approaches- Prefer storing derived features rather than raw PII.- Apply differential privacy or aggregate-only logging where possible to reduce risk.- For reproducibility, keep noise seeds and DP parameters with model metadata.Operational controls and governance- Automate DSAR handling: given a subject ID, the system queries PII vault, finds pseudonym/hash, triggers tombstone/nullification in feature store, and enqueues model unlearning or retraining workflows as policy dictates.- Maintain audit logs (who requested deletion, what was removed, when) in an append-only ledger that contains only metadata (no PII).- Periodic privacy reviews and validation tests to ensure deleted data is unrecoverable.Trade-offs and practical notes- Full retrain ensures strongest compliance but is costly. Unlearning techniques are evolving — use them where validated but be conservative.- Storing hashed IDs and manifests preserves reproducibility but if regulator requires raw data for audit, have legal/secure processes to decrypt PII vault under strict controls.- Explanations should be meaningful and avoid exposing sensitive model internals that could enable gaming.Example workflow for a deletion request1. Receive DSAR with identifier.2. Authenticate/authorize request.3. Lookup PII vault → obtain pseudonym hash.4. Record an audit entry (no PII).5. Nullify the subject’s features in the feature store (tombstone).6. Flag affected models; either queue unlearning or retrain depending on policy.7. Return confirmation to user and preserve explanation artifacts (model version, decision explanation) with non-PII context.This approach balances compliance, model integrity, and reproducibility: keep immutable metadata (manifests, code commits, parameters) to reproduce models, while isolating and removing personal data promptly via vaults, pseudonymization, tombstones, and selective unlearning.
HardTechnical
97 practiced
Explain a project where regulatory constraints (GDPR, HIPAA, CCPA) materially affected data collection and model deployment. Detail the legal requirements you addressed, technical controls you implemented (data minimization, encryption, consent management, access controls), and how you balanced compliance with maintaining model utility.
Sample Answer
Situation: At my last company I led development of a churn-prediction model for a US–EU hybrid customer base. The dataset included contact info, billing, usage logs and limited health-related fields for a healthcare-adjacent product, so GDPR, CCPA and HIPAA considerations materially changed both data collection and deployment.Task: Deliver a performant model while remaining fully compliant and auditable.Action:- Legal & governance: I worked with Legal to determine lawful bases (consent for marketing-related attributes, contract/legitimate interest for service-related processing) and triggered a Data Protection Impact Assessment (DPIA). For US customers in HIPAA scope we applied either Safe Harbor de-identification or the Expert Determination route; for CCPA we added opt-out mechanisms and disclosure fields.- Data minimization & retention: We reduced raw attributes to only features with proven predictive value, aggregated session-level metrics, and set strict retention (90–365 days depending on attribute). A feature review board required justification for each new field.- Pseudonymization & encryption: Personally identifiable fields were pseudonymized using a one-way salt + HMAC stored separately in an encrypted vault (AWS KMS). All data at rest used AES-256; TLS 1.2+ for in-transit.- Consent management & DSARs: Integrated consent flags from the Consent Management Platform; processing pipelines checked flags before ingest. Built automated DSAR tooling to pull, edit, or erase a subject’s data and trigger model re-training/blacklisting when required.- Access controls & auditing: Enforced least privilege via IAM roles, network isolation in private subnets, and multi-party approval for access to sensitive datasets. All queries and model scoring calls logged to an append-only audit store for 7 years.- Utility-preserving techniques: To retain model performance while reducing exposure, I used: - Feature engineering on aggregated or hashed identifiers instead of raw PII. - Differential privacy (epsilon tuned conservatively) on model outputs for analytics dashboards. - Federated learning prototype for partner-held records—training locally and aggregating gradients—so raw data never left partner environments. - Synthetic data generated from conditional generative models for experimentation and hyperparameter tuning.- Monitoring & validation: Deployed model explainability (SHAP) to detect spurious reliance on proxy PII; periodic revalidation to ensure de-identified inputs didn’t degrade performance.Result: We met GDPR/CCPA disclosure and DSAR SLAs, passed a third-party HIPAA audit (Expert Determination), and achieved 92% of the pre-compliance model AUC by using aggregated features, differential privacy, and synthetic data for tuning. The approach created a repeatable compliance playbook that reduced future DPIA time by ~40% and allowed product teams to scale analytics without legal friction.Learning: Compliance must be embedded into the ML lifecycle—technical controls, legal alignment, and measurement-driven trade-offs let you preserve utility while protecting rights.
EasyTechnical
78 practiced
Explain GDPR concepts that are especially relevant to ML systems: data subject rights (access, erasure), purpose limitation, data minimization, and the so-called 'right to explanation'. For each, describe operational implications for logging, data retention, model retraining, and handling data-subject requests.
Sample Answer
Data subject rights (access, erasure), purpose limitation, data minimization, and the “right to explanation” each have concrete operational implications for ML systems. Below I define each briefly and list what to change in logging, retention, retraining, and request handling.1) Data subject access & erasure- Definition: Individuals can request copies of their data and request deletion.- Logging: Record provenance (when/where data came from) and transformations so you can extract what was used for a given subject.- Retention: Implement ID-based retention policies and a metadata index mapping records to datasets/models.- Retraining: If deleted data contributed to models, track lineage so you can assess impact; for strong compliance, support selective retraining or model patching to remove influence.- Requests: Provide a secure export of raw and derived data; confirm erasure across backups and ML artifacts, document completion.2) Purpose limitation- Definition: Personal data must be collected for specified, explicit purposes.- Logging: Log declared purpose tags when ingesting data and enforce purpose-aware access controls.- Retention: Only keep data for purposes allowed; purge data that falls outside scope.- Retraining: Prevent using data for new research/targets unless re-consent or lawful basis exists; tag training sets by purpose.- Requests: Reject or require consent for repurposing; provide records of purpose usage.3) Data minimization- Definition: Collect and retain only data necessary for the purpose.- Logging: Log what fields are used in features and why; avoid logging sensitive fields unless required.- Retention: Store aggregated/hashed or pseudonymized versions; drop raw PII ASAP.- Retraining: Prefer models that use fewer/less sensitive features; maintain feature-selection audits.- Requests: Demonstrate necessity for each data element; remove nonessential elements on demand.4) Right to explanation / transparency- Definition: Individuals can obtain meaningful info about automated decisions and logic.- Logging: Persist model version, input features, decision outputs, explanation artifacts (SHAP, counterfactuals) per decision.- Retention: Keep explanation logs long enough to satisfy likely requests, balancing minimization.- Retraining: When model changes, maintain records linking previous explanations to versions; regenerate explanations for stored decisions where possible.- Requests: Provide human-readable rationale, key features, and remedy/appeal options; if needed, run counterfactual queries to show what changes would alter outcome.Cross-cutting best practices- Maintain data lineage, model versioning, and a privacy catalog.- Automate request workflows with auditable steps and SLA tracking.- Use pseudonymization, encryption, and differential privacy where appropriate to reduce exposure and simplify erasure.- Assess trade-offs: full retroactive model unlearning is expensive; document your approach and risk mitigation for compliance.
Unlock Full Question Bank
Get access to hundreds of GDPR Principles and Compliance interview questions and detailed answers.
Sign in to ContinueJoin thousands of developers preparing for their dream job.