Good question — this is exactly where most GDPR Art. 22 implementations fall apart in practice.
From what I've seen across three different organizations, the "meaningful human review" requirement is typically addressed at three levels:
**1. Documentation of the review process itself:**
We maintain a standard operating procedure (SOP) that specifies: (a) what triggers human review (threshold scores, confidence intervals below X%), (b) what information the human reviewer sees (not just the output, but the key input features and their weights), and (c) what authority the reviewer has to override. The SOP is versioned and reviewed annually by legal + the DPO.
**2. The "meaningful information" under Art. 22(3):**
This is harder. We found that simply showing the model output is insufficient — the reviewer needs to understand *why* the model reached that conclusion. We implemented SHAP value visualizations for the top 5 contributing features, which gives the reviewer enough context to assess whether the decision seems reasonable. This was accepted by our external auditor during the SOC 2 review.
**3. Audit trail of reviews:**
Every human review is logged: reviewer ID, timestamp, original model output, reviewer decision (confirm/override), and a free-text justification. We found that regulators care less about the review mechanism and more about whether there's a *traceable record* that human judgment was actually exercised.
One caveat: if the volume of automated decisions is high (thousands per day), fully manual review isn't scalable. We use a risk-tiered approach — high-impact decisions (e.g., credit denial) get full human review, low-impact ones get random sampling. This needs to be justified in your DPIA though.
Would be curious to know how others handle the "right to obtain human intervention" in practice — do you offer it proactively or only upon request?
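The risk-tiered routing in the caveat and the audit-trail fields listed under point 3 map naturally onto a small piece of code. The block below is an added example and is not the poster's code: it routes decisions to full review, random sampling or no review, and records each review as a hash-chained entry so a later edit to any record is detectable. The decision-type names, the confidence threshold, the 5% sampling rate and the `top_features` key are assumptions; the sample records at the bottom are constructed.

```python
# Added example (not the poster's code): risk-tiered routing of automated
# decisions to human review, plus a hash-chained audit trail of each review.
# Decision-type names, thresholds and the sampling rate are assumptions.
import hashlib
import json
import random
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

HIGH_IMPACT = {"credit_denial", "account_closure"}  # assumed high-impact decision types
CONFIDENCE_FLOOR = 0.80                              # assumed: below this, always review
SAMPLE_RATE = 0.05                                   # assumed: 5% of low-impact decisions sampled
VALID_DECISIONS = {"confirm", "override"}


def needs_human_review(decision_type: str, confidence: float,
                       draw: Callable[[], float] = random.random) -> Tuple[bool, str]:
    """Route a decision: full review for high-impact or low-confidence cases,
    random sampling for everything else. Returns (review_required, reason).
    `draw` is injectable so the sampling branch can be tested deterministically."""
    if decision_type in HIGH_IMPACT:
        return True, "high_impact"
    if confidence < CONFIDENCE_FLOOR:
        return True, "low_confidence"
    if draw() < SAMPLE_RATE:
        return True, "random_sample"
    return False, "auto"


@dataclass
class ReviewRecord:
    decision_id: str
    reviewer_id: str
    timestamp: str
    model_output: dict        # model output plus the top contributing features the reviewer saw
    reviewer_decision: str    # "confirm" or "override"
    justification: str        # free-text reasoning, required
    prev_hash: str            # hash of the previous record (chain link)
    record_hash: str = ""     # hash over all fields above


def _digest(payload: dict) -> str:
    """Canonical JSON (sorted keys) so the same content always hashes the same."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log of human reviews; verify() recomputes the chain."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: List[ReviewRecord] = []

    def append(self, decision_id: str, reviewer_id: str, model_output: dict,
               reviewer_decision: str, justification: str,
               timestamp: Optional[str] = None) -> ReviewRecord:
        # Reject records that would not evidence meaningful review.
        if reviewer_decision not in VALID_DECISIONS:
            raise ValueError(f"reviewer_decision must be one of {sorted(VALID_DECISIONS)}")
        if not justification.strip():
            raise ValueError("a free-text justification is required")
        if "top_features" not in model_output:
            raise ValueError("record must include the contributing features shown to the reviewer")
        prev = self.records[-1].record_hash if self.records else self.GENESIS
        rec = ReviewRecord(
            decision_id=decision_id,
            reviewer_id=reviewer_id,
            timestamp=timestamp or datetime.now(timezone.utc).isoformat(),
            model_output=model_output,
            reviewer_decision=reviewer_decision,
            justification=justification,
            prev_hash=prev,
        )
        body = asdict(rec)
        body.pop("record_hash")
        rec.record_hash = _digest(body)
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """True only if every record hashes to its stored hash and links to its predecessor."""
        prev = self.GENESIS
        for rec in self.records:
            body = asdict(rec)
            body.pop("record_hash")
            if rec.prev_hash != prev or _digest(body) != rec.record_hash:
                return False
            prev = rec.record_hash
        return True

    def override_rate(self) -> float:
        """Share of reviews that overrode the model; a rate near zero is a rubber-stamping signal."""
        if not self.records:
            return 0.0
        return sum(r.reviewer_decision == "override" for r in self.records) / len(self.records)


if __name__ == "__main__":
    # Constructed sample: one high-impact decision, one low-impact one.
    print(needs_human_review("credit_denial", 0.97))      # (True, 'high_impact')
    print(needs_human_review("marketing_offer", 0.91))    # sampled or auto
    trail = AuditTrail()
    shown = {"score": 0.93, "top_features": [["income", 0.41], ["debt_ratio", -0.27]]}
    trail.append("dec-0001", "reviewer-42", shown, "confirm", "Features consistent with policy.")
    trail.append("dec-0002", "reviewer-42", shown, "override", "Income verified from payslips.")
    print("chain valid:", trail.verify(), "override rate:", trail.override_rate())
```

The override rate is the kind of metric an auditor can read straight off the log: a tier with thousands of reviews and zero overrides suggests the "human in the loop" is not exercising judgment, which is the point the poster makes about traceable records versus mechanisms.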