Data science is hard. Figuring out how to integrate data science into your risk management and compliance frameworks is even harder. Employees, customers, investors, and regulators, however, don’t care if it’s not easy; they just want to know that you have a responsible plan to make it happen. That’s why we’re open-sourcing a Responsible Data Science Policy framework to help organizations get started on this journey.

This framework has been developed to respond to a perceived market need for better internal risk management and external trust-building, especially as data science topics emerge in conversations with customers, regulators, investors, or the broader public. The framework is designed around principles, listed in the policy, that have been chosen to produce technical, legal, and ethical results that both internal and external stakeholders can agree to. As such, this framework is not the most legally conservative or financially aggressive; it makes a number of assumptions and compromises that organizations should carefully consider prior to adoption.

Furthermore, this framework is not intended to provide sufficient controls to meet any specific law or regulation. While many of the elements of this policy are necessary for compliance with laws such as GDPR or CCPA or standards such as SOC2/TSC, this policy alone is not sufficient for such compliance. Organizations should carefully consider how this policy fits into their overall legal and contractual requirements prior to adoption, ensuring that any relevant sections, e.g., related to consent or notice, are conformant.


This policy framework is designed to be flexible and adaptable: it can cover a wide range of organizations, and it can change with those organizations over time. To accomplish this, the policy is designed around a parent procedure that routes specific use cases or projects through two types of sub-procedures. Prescriptive sub-procedures give data science teams guardrails and a path for low-friction compliance. Adjudicative sub-procedures centralize decision-making with an individual or group, such as a risk committee. Organizations can mix and match prescriptive and adjudicative sub-procedures to meet their needs.

The diagram below helps visualize the structure of the framework.


This policy framework is available under a Creative Commons BY-4.0 license. You can download the entire framework as a ZIP file.

The framework contains the following files:

  • Help and Reference Material
    • Design and Implementation Guide
  • Responsible Data Science Policy and Procedure Templates
    • Responsible Data Science Policy
    • Concepts and Techniques Inventory
    • Parent Procedure
    • Adjudicative Sub-Procedure Template
    • Prescriptive Sub-Procedure Template
  • Sample Artifacts
    • Data Science Proposal Form
    • Data Science Review Form
    • Data Science Release Form
    • Proposal Review Log
    • Policy Exception Log
  • Diagrams
    • Responsible Data Science Policy – Conceptual Design (PNG, SVG)
    • Responsible Data Science Policy – Example Procedure Flow (PNG, SVG)


You can email us or use the contact form below! Whether you have helpful feedback or want to work together customizing and implementing within your organization, we’d love to talk.

If you want to stay informed as we improve or correct this policy framework, please sign up for our mailing list.
