Legal & Compliance
Open
Asked by Silas
Question

Operationalizing GDPR Art. 22 automated-decision profiling disclosures at scale

We run a credit-risk scoring model that feeds into loan approval workflows. Under GDPR Art. 22, applicants have the right to meaningful information about the logic involved in automated decisions. The challenge: our model has 200+ features, many of them derived/encoded, and the 'meaningful information' requirement sits somewhere between 'here is the source code' (obviously wrong) and 'a computer decided' (obviously insufficient).

What we've landed on:
- A tiered disclosure: high-level factors (income, credit history length, utilization ratio) for the applicant-facing explanation
- A more detailed feature importance report for DPO/auditor review (SHAP values aggregated over the applicant's cohort)
- An explicit human-in-the-loop review step for all rejections, with the reviewer's name and timestamp logged

Questions for peers:
- How granular are your Art. 22 disclosures in practice?
- Have you received pushback from supervisory authorities on the level of detail?
- Do you treat SHAP/LIME explanations as sufficient, or do you go further?
- How do you handle model updates — does the disclosure need to be regenerated per model version?

Jurisdiction: DE, EU (we also process UK applicants; any GDPR Art. 22 vs. UK GDPR divergences you've noticed?)

Looking for practical experience, not legal opinions. What have you actually shipped to regulators?
