GDPR Art. 22 audit: documenting automated decision logic for ML-based credit scoring
Our team just completed an internal audit of an ML-based credit scoring system under GDPR Article 22 (automated individual decision-making). The exercise surfaced several documentation gaps that I wanted to share with peers who may face similar scrutiny.

Key challenges we encountered:

1. **Explainability vs model complexity**: Our XGBoost model achieves strong predictive accuracy, but producing human-readable explanations for adverse decisions (Art. 22(3)) required a separate SHAP-based explainer layer. Regulators accepted this, but the maintenance overhead is non-trivial.
2. **Meaningful intervention**: Art. 22(2)(c) requires the ability for a data subject to contest the decision. We implemented a review workflow, but defining what constitutes "meaningful" human review (vs rubber-stamping the ML output) was the harder question.
3. **Jurisdictional scope**: This applies to EU/DE data subjects, but our model also processes UK and US-CA applicants. We elected to apply Art. 22 standards globally rather than maintain parallel decision pipelines: costlier, but simpler.
4. **Data minimization conflict**: Feature engineering wanted 200+ inputs; the DPO pushed back to 40 under Art. 5(1)(c). The compromise was a two-tier model: 40 features for the initial decision, with the expanded set used only with explicit consent.

Would be interested in how other teams handle the explainability maintenance burden. Are you using the same explainer for model version N and N+1, or rebuilding per release?
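The two mechanics that points 1 and the closing question turn on, per-feature contributions that can be turned into reason codes for an adverse decision, and a check that the explainer actually belongs to the model version in production, can be shown without SHAP or XGBoost. The block below is an added illustration, not the poster's code or pipeline: it uses a hypothetical linear scorecard, for which the Shapley value of each feature is exactly `w_i * (x_i - E[x_i])` and so needs no sampling-based explainer, and it pins an `ExplainerManifest` to a SHA-256 digest of the model artifact plus the feature order so that a stale or reordered explainer is rejected at load time. All feature names, weights, baselines, thresholds and applicants are constructed for the example.

```python
"""Added example (not from the original post): a toy linear credit scorecard
with closed-form Shapley contributions, reason codes for declines, and a
manifest that binds the explainer to one model artifact.  All names, weights
and sample applicants below are constructed / hypothetical."""
import hashlib
import json
from dataclasses import dataclass

# Constructed scorecard: weights, training-set feature means (the SHAP
# baseline / expected value), intercept and approval threshold.
FEATURES = ["income_k", "debt_ratio", "late_payments_12m", "acct_age_yrs"]
WEIGHTS = {"income_k": 0.012, "debt_ratio": -1.8,
           "late_payments_12m": -0.45, "acct_age_yrs": 0.06}
BASELINE = {"income_k": 55.0, "debt_ratio": 0.30,
            "late_payments_12m": 0.5, "acct_age_yrs": 6.0}
INTERCEPT = 0.9
APPROVE_THRESHOLD = 0.75

# Constructed applicants for the demonstration.
DECLINED_APPLICANT = {"income_k": 40.0, "debt_ratio": 0.55,
                      "late_payments_12m": 3, "acct_age_yrs": 2}
APPROVED_APPLICANT = {"income_k": 80.0, "debt_ratio": 0.20,
                      "late_payments_12m": 0, "acct_age_yrs": 10}


def model_bytes(weights, intercept) -> bytes:
    """Canonical serialisation of the model; in practice hash the saved artifact."""
    return json.dumps({"w": weights, "b": intercept}, sort_keys=True).encode()


def model_digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


@dataclass(frozen=True)
class ExplainerManifest:
    """What an explainer release must record to be checkable against a model."""
    explainer_version: str
    model_digest: str
    feature_order: tuple


def build_manifest(weights, intercept, version: str) -> ExplainerManifest:
    return ExplainerManifest(version, model_digest(model_bytes(weights, intercept)),
                             tuple(FEATURES))


def check_binding(manifest, weights, intercept, feature_order) -> list:
    """Return the reasons this explainer must NOT be used with this model."""
    problems = []
    if manifest.model_digest != model_digest(model_bytes(weights, intercept)):
        problems.append("model digest mismatch: explainer was built for another model version")
    if tuple(feature_order) != manifest.feature_order:
        problems.append("feature order differs: contributions would be attributed to the wrong inputs")
    return problems


def score(x) -> float:
    return INTERCEPT + sum(WEIGHTS[f] * x[f] for f in FEATURES)


def contributions(x) -> dict:
    """For an additive model the Shapley value of feature i is exactly
    w_i * (x_i - E[x_i]); the values sum to score(x) - score(BASELINE)."""
    return {f: WEIGHTS[f] * (x[f] - BASELINE[f]) for f in FEATURES}


def adverse_reasons(x, top_n: int = 2) -> list:
    """Reason codes: the features that pushed the score furthest below baseline."""
    c = contributions(x)
    negative = sorted((f for f in c if c[f] < 0), key=lambda f: c[f])
    return negative[:top_n]


def decide(x) -> dict:
    s = score(x)
    if s >= APPROVE_THRESHOLD:
        return {"decision": "approve", "score": round(s, 4), "reasons": []}
    return {"decision": "decline", "score": round(s, 4), "reasons": adverse_reasons(x)}


if __name__ == "__main__":
    manifest = build_manifest(WEIGHTS, INTERCEPT, "explainer-v1")
    assert check_binding(manifest, WEIGHTS, INTERCEPT, FEATURES) == []
    print(decide(DECLINED_APPLICANT))
    # A retrained model (changed weight) with the old explainer is refused:
    retrained = {**WEIGHTS, "late_payments_12m": -0.5}
    print(check_binding(manifest, retrained, INTERCEPT, FEATURES))
```

The manifest check is the answer to "same explainer for N and N+1?" in mechanical form: whichever policy you pick, the explainer release should carry the digest of the model it was fitted against, and the serving path should refuse to emit reason codes when the digest or feature order does not match, rather than silently explaining one model with another's attributions.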