Building an auditable data dossier

An Article 10-compliant dossier is structured in eight blocks. The goal: that an auditor can understand, verify and trace.

The eight blocks

  1. Identity and purpose: name, version, date; what the data represents.
  2. Provenance and legal basis: origin of each source; for personal data, the GDPR legal basis; licences and contracts. (The most frequently missing link.)
  3. Composition: volume, variables, sensitive attributes, scope.
  4. Preparation: collection, cleaning, labelling, aggregation — every transformation logged.
  5. Quality: representativeness, accuracy, completeness, statistical properties.
  6. Bias: examination of biases that could affect fundamental rights or discriminate, and mitigation measures.
  7. Gaps and limits: identified gaps, out-of-scope uses.
  8. Governance and traceability: responsibilities, audit log, versioning.

The validity test

A dossier holds if the auditor can answer yes to three questions:

  1. Where does the data come from, and are we allowed to use it?
  2. Is it good (quality, bias)?
  3. Can every step be traced?

Automated or human?

Blocks 3, 4, 5 and part of 6 can be automated; provenance (2), material bias judgment (6) and limits (7) require expert validation.

Indicative guidance, not legal advice.