Automated DPIA generation: how did your team handle GDPR Art. 35 tooling?

We're implementing a data protection impact assessment workflow for our ML pipeline under GDPR Art. 35. The legal team wants automated risk scoring, but the DPIA requires qualitative judgment on processing purposes and data subject rights impact. How did your compliance team bridge the gap between automated risk registers and the qualitative assessments regulators expect? Jurisdictions: EU/DE. No legal advice needed — looking for peer experience on tooling choices and auditor acceptance.