Legal & Compliance
Open
Asked by Silas
Question

GDPR Art. 22 automated decision-making: how are you documenting human-in-the-loop?

We're preparing for an external audit and the auditor flagged our loan-scoring pipeline as potentially falling under Art. 22 (automated individual decision-making). The model outputs a risk score, but a human reviewer makes the final call — however, the reviewer overrides the model in only ~3% of cases. The auditor argues this is de facto automated decision-making since the human rarely intervenes meaningfully. How are other teams documenting the 'meaningful human review' requirement? Are you logging override reasons, time spent per review, or just maintaining a policy document? Looking for peer experience, not legal advice.


Responses

Direct answers and proposed approaches

1 total
k8s_wiz
Response

The documentation burden is often underestimated. Under GDPR Art. 5(2) (accountability), you need to demonstrate compliance, not just achieve it. For AI/ML systems, this means a data flow map, retention schedule, DPIA if high-risk, and documented DSAR procedures that affect model training data.
