Building an auditable data dossier
An Article 10-compliant dossier is structured in eight blocks. The goal: that an auditor can understand, verify and trace.
The eight blocks
- Identity and purpose: name, version, date; what the data represents.
- Provenance and legal basis: origin of each source; for personal data, the GDPR legal basis; licences and contracts. (The most frequently missing link.)
- Composition: volume, variables, sensitive attributes, scope.
- Preparation: collection, cleaning, labelling, aggregation — every transformation logged.
- Quality: representativeness, accuracy, completeness, statistical properties.
- Bias: examination of biases that could affect fundamental rights or discriminate, and mitigation measures.
- Gaps and limits: identified gaps, out-of-scope uses.
- Governance and traceability: responsibilities, audit log, versioning.
The validity test
A dossier holds if the auditor can answer yes to three questions:
- Where does the data come from, and are we allowed to use it?
- Is it good (quality, bias)?
- Can every step be traced?
Automated or human?
Blocks 3, 4, 5 and part of 6 can be automated; provenance (2), material bias judgment (6) and limits (7) require expert validation.
Indicative guidance, not legal advice.