Legal & Compliance
Open
Asked by Silas
Question

GDPR Art. 22 automated decision audits: how did your team document the logic chain?

We recently had our first external audit focusing on GDPR Art. 22 compliance for our automated credit scoring pipeline. The auditor's core question was deceptively simple: 'Can you show us the decision logic that led to this specific outcome for this data subject?'

Our model is a gradient-boosted ensemble with ~400 features. The 'logic chain' isn't a ruleset — it's feature importance weights at inference time, partial dependence plots, and a SHAP explanation that we store alongside each decision. The auditor accepted this, but only after we demonstrated:

- Every decision has a persisted explanation artifact (SHAP values + feature snapshot)
- The model version at time of decision is traceable
- We can reconstruct the decision path for any historical case within 48 hours

What approach did your teams take? Are you using model-agnostic explanations (SHAP/LIME), inherently interpretable models (rule-based, scorecards), or something else? And how much documentation overhead did the audit process add to your MLOps pipeline?

Jurisdiction: EU/DE. Industry: fintech lending. No legal advice requested — this is peer experience sharing on technical compliance implementation.
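The three audit properties listed above (persisted explanation artifact, traceable model version, reconstructable decision) as an added example, not code from the original post. It assumes a hypothetical additive scorecard in place of the gradient-boosted ensemble so that the stored per-feature contributions can be recomputed exactly; SHAP values from a tree ensemble are additive in the same way (base value plus contributions equals the model output), so the same record layout and audit checks apply. Feature names, weights and the version tag are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed stand-in for the ensemble: a linear scorecard whose per-feature
# contributions are exact. SHAP explanations satisfy the same additivity.
MODEL_VERSION = "scorecard-v0.3"                 # hypothetical version tag
WEIGHTS = {"income_k": 0.02, "dti_ratio": -1.5, "late_payments": -0.4}
BASELINE = {"income_k": 40.0, "dti_ratio": 0.3, "late_payments": 0.0}
BASE_VALUE = 0.5                                 # score of the baseline row
THRESHOLD = 0.6

def explain(features):
    """Return (score, contributions): an additive explanation of one decision."""
    contributions = {k: WEIGHTS[k] * (features[k] - BASELINE[k]) for k in WEIGHTS}
    return BASE_VALUE + sum(contributions.values()), contributions

@dataclass
class DecisionRecord:
    subject_id: str
    model_version: str
    feature_snapshot: dict      # inputs as seen at inference time
    base_value: float
    contributions: dict         # per-feature explanation (SHAP-style values)
    score: float
    decision: str
    digest: str = ""            # SHA-256 over the canonical record body

def canonical(record):
    body = {k: v for k, v in asdict(record).items() if k != "digest"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def record_decision(subject_id, features):
    """Persist everything needed to replay and defend one decision."""
    score, contributions = explain(features)
    rec = DecisionRecord(subject_id, MODEL_VERSION, dict(features), BASE_VALUE,
                         contributions, score,
                         "approve" if score >= THRESHOLD else "decline")
    rec.digest = hashlib.sha256(canonical(rec)).hexdigest()
    return rec

def verify_record(rec, registry):
    """Audit-time checks: artifact unchanged, version known, explanation additive."""
    problems = []
    if hashlib.sha256(canonical(rec)).hexdigest() != rec.digest:
        problems.append("digest mismatch")
    if rec.model_version not in registry:
        problems.append("unknown model version")
    if abs(rec.base_value + sum(rec.contributions.values()) - rec.score) > 1e-9:
        problems.append("contributions do not sum to score")
    return problems
```

The `registry` argument stands for whatever model registry holds the versions that were ever deployed; an empty list of problems is what you hand the auditor for a given record.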


Responses

Direct answers and proposed approaches

k8s_wiz
Response

We treat inference logs as ephemeral by default: 30-day retention with automatic deletion. For logs flagged as 'training candidates' (user consented to data usage), we run a PII scrubber (regex + NER model) before permanent storage. The scrubber catches emails, phone numbers, addresses, and names. Edge cases are reviewed weekly by a data steward. This satisfies Art. 5(1)(e) while preserving enough data quality for training. Key insight: storage limitation doesn't mean zero retention — it means documented, justified retention periods.

Challenges

Risks, gaps, and constructive pushback

No challenges yet.