Fatskills
Practice. Master. Repeat.
Study Guide: Data Science and Machine Learning 101: Business Applications and Soft Skills Ethics and Privacy in Data Science GDPR Anonymization Consent
Source: https://www.fatskills.com/data-science/chapter/data-science-and-machine-learning-data-science-and-machine-learning-business-applications-and-soft-skills-ethics-and-privacy-in-data-science-gdpr-anonymization-consent

Data Science and Machine Learning 101: Business Applications and Soft Skills Ethics and Privacy in Data Science GDPR Anonymization Consent

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~5 min read

What This Is

Ethics and privacy in data science are the set of principles, laws, and technical safeguards that ensure personal data is collected, stored, processed, and shared responsibly. In a typical workflow—e.g., building a churn‑prediction model for a telecom provider—you must verify that every row of customer data was obtained with valid consent, that any personally‑identifiable information (PII) is anonymized or pseudonymized, and that the final model complies with regulations such as the EU GDPR. Ignoring these steps can lead to legal penalties, loss of trust, and biased or unsafe models (e.g., a medical‑image classifier that inadvertently reveals patient IDs).


Key Terms & Formulas

  • GDPR (General Data Protection Regulation) – EU law giving individuals rights over their personal data (right to be informed, access, rectification, erasure, portability, objection).
  • Consent – Freely given, specific, informed, and unambiguous indication of willingness to process personal data; must be recorded (timestamp, version of privacy notice).
  • k‑Anonymity – A dataset satisfies k‑anonymity if each record is indistinguishable from at least k‑1 others on the quasi‑identifiers.
    [ \forall \text{record } r,\; |{r' \mid QI(r') = QI(r)}| \ge k ]
  • ℓ‑Diversity – Extends k‑anonymity by requiring at least ℓ “well‑represented” sensitive values within each equivalence class.
  • Differential Privacy (DP) – Guarantees that the output of a computation is statistically indistinguishable whether any single individual's data is included or not.
    [ \Pr[\mathcal{M}(D_1) \in S] \le e^{\varepsilon}\,\Pr[\mathcal{M}(D_2) \in S] ]
    ε (epsilon) controls privacy loss; smaller ε → stronger privacy.
  • Pseudonymization – Replaces direct identifiers with reversible tokens (e.g., hashing user IDs). Allows re‑linking under strict controls.
  • Data Minimization – Collect only the attributes needed for the stated purpose; discard everything else.
  • Right to be Forgotten (RTBF) – Individuals can request deletion of their data; DS pipelines must support selective removal without breaking model integrity.
  • Bias‑Mitigation Auditing – Systematic check (e.g., using fairlearn or AIF360) to ensure protected groups are not unfairly disadvantaged after anonymization.


Step‑by‑Step / Process Flow

  1. Ingest with Consent Log
    python
    consent_df = pd.read_csv('consent_log.csv') # columns: user_id, consent_ts, version
    raw_df = pd.read_csv('raw_features.csv')
    df = raw_df.merge(consent_df, on='user_id')
    assert df['consent'].all() # abort if any missing consent

  2. Apply Data Minimization & Quasi‑Identifier Selection
    python
    keep_cols = ['age', 'zip', 'plan_type', 'churn'] # drop free‑text comments, email
    df = df[keep_cols]
    qi = ['age', 'zip'] # quasi‑identifiers

  3. Anonymize / Pseudonymize
    python
    # k‑anonymize using generalization
    df['age_bin'] = pd.cut(df['age'], bins=[0,20,30,40,50,60,100], labels=False)
    df['zip_prefix'] = df['zip'].astype(str).str[:3] # 3‑digit prefix
    # Pseudonymize user_id for downstream joins
    df['user_hash'] = df['user_id'].apply(lambda x: hashlib.sha256(str(x).encode()).hexdigest())

  4. Differentially‑Private Model Training (optional)
    python
    from tensorflow_privacy import DPGradientDescentGaussianOptimizer
    optimizer = DPGradientDescentGaussianOptimizer(l2_norm_clip=1.0,
    noise_multiplier=1.1,
    num_microbatches=256,
    learning_rate=0.01)
    model.compile(optimizer=optimizer, loss='binary_crossentropy')
    model.fit(X_train, y_train, epochs=5)

  5. Validate Legal & Ethical Compliance

  6. Run fairness audit (fairlearn.metrics.demographic_parity_difference) on the anonymized test set.
  7. Verify RTBF by deleting a user’s rows and re‑computing model predictions on the remaining data.

  8. Deploy with Monitoring

  9. Log model decisions without PII.
  10. Set up alerts for drift that could re‑identify individuals (e.g., unusually high confidence on rare combos of quasi‑identifiers).

Common Mistakes

  • Mistake: “I can keep the raw email column because I’ll drop it later.”
    Correction: Store only the minimum needed; retaining raw identifiers even temporarily can breach GDPR’s data‑minimization principle and increase breach risk.

  • Mistake: “k‑anonymity alone protects privacy.”
    Correction: k‑anonymity is vulnerable to homogeneity and background‑knowledge attacks; combine with ℓ‑diversity or differential privacy for stronger guarantees.

  • Mistake: “Hashing user IDs is enough for anonymization.”
    Correction: Simple hashes are reversible with rainbow tables; use salted hashes or HMAC and treat them as pseudonyms, not full anonymization.

  • Mistake: “I can ignore consent because the data is already public.”
    Correction: Public data still requires a legal basis; if the original collection lacked consent for the new purpose, you must obtain it or fall back to a legitimate‑interest assessment.

  • Mistake: “Differential privacy is free—just add noise and go.”
    Correction: DP introduces a privacy budget (ε); you must track cumulative ε across analyses and understand the trade‑off between utility and privacy.


Data Science Interview / Practical Insights

  1. “Explain the difference between anonymization and pseudonymization.”
  2. Anonymization is irreversible (no way to re‑identify); pseudonymization is reversible under controlled conditions (e.g., salted hash).

  3. “How would you implement k‑anonymity on a dataset with age and zip code?”

  4. Generalize age into bins, truncate zip to a prefix, then verify each equivalence class size ≥ k; if not, increase bin width or suppress outliers.

  5. “What is the privacy‑utility trade‑off in differential privacy?”

  6. Adding more noise (lower ε) improves privacy but degrades model accuracy; interviewers expect you to discuss budgeting ε across multiple queries.

  7. “When is a data‑subject’s right to be forgotten technically impossible, and what do you do?”

  8. If the model is trained on aggregated statistics that cannot be decomposed, you may need to re‑train the model without that subject’s data or provide a summary‑only deletion.

Quick Check Questions

  1. Scenario: Your churn model uses a feature “full address”.
    Q: What privacy step must you take before training?
    A: Generalize or remove the address (e.g., keep only zip‑prefix) to satisfy data minimization and reduce re‑identification risk.

  2. Scenario: A regulator asks for proof of consent for a specific user.
    Q: How should you have stored this information?
    A: Immutable consent log with timestamp, version of privacy notice, and user identifier (hashed) to demonstrate compliance.

  3. Scenario: After applying k‑anonymity (k=5), you notice one equivalence class still has only 3 records.
    Q: What is the quickest fix?
    A: Suppress or generalize additional attributes (e.g., broaden age bins) until the class reaches size ≥ 5.


Last‑Minute Cram Sheet (10 one‑liners)

  1. GDPR = 6 rights + 2 duties (transparency, accountability).
  2. k‑anonymity → group size ≥ k on quasi‑identifiers; ℓ‑diversity adds diversity of sensitive attributes.
  3. ε (epsilon) in DP: lower → stronger privacy, higher → better utility.
  4. Pseudonymization ≠ anonymization; it’s reversible under strict controls.
  5. Data minimization = collect only what you need; discard everything else ASAP.
  6. Consent must be granular (separate for marketing, analytics, etc.) and recorded (timestamp + version).
  7. Right to be Forgotten → ability to delete a subject’s rows and optionally re‑train the model.
  8. Differential privacy budget is additive across queries; track cumulative ε.
  9. ⚠️ Simple hashing without a salt is reversible; always use a cryptographic HMAC or salted hash.
  10. ⚠️ k‑anonymity alone does not protect against attribute disclosure; combine with ℓ‑diversity or DP.


ADVERTISEMENT