
UK GDPR Compliance Mapping Matrix — Scout CV Screening System

Project: Sable AI Ltd — AI Governance Framework
Stage: Stage 3 — Regulatory Alignment
Status: Draft
Version: v1
Date: 2026-03-01
Assumptions: Built on outline assumptions — not verified against real Sable AI Ltd data


1. Purpose and Scope

This document maps Scout's data processing activities against the applicable obligations of the UK General Data Protection Regulation (as retained in UK law and as amended by the Data (Use and Access) Act 2025), identifying the compliance approach adopted for each and the actions required to achieve or maintain compliance.

Scout processing activities covered by this matrix:

| Ref | Processing Activity |
|---|---|
| P-01 | CV ingestion — receipt of candidate CV from recruiter customer |
| P-02 | CV parsing — extraction of structured data from CV text |
| P-03 | Job description ingestion — receipt of role specification from recruiter |
| P-04 | Anthropic Claude API call — CV content and job description transmitted for AI assessment |
| P-05 | Shortlist output generation — Scout produces structured recommendation/suitability assessment |
| P-06 | Human review — recruiter reviews Scout output before any candidate contact |
| P-07 | Recruiter action — candidate advanced or rejected on basis of human decision |
| P-08 | Data storage and retrieval — candidate data and outputs stored in Scout platform |
| P-09 | Retention and deletion — data lifecycle management through to deletion |
| P-10 | Data subject rights handling — processing access, rectification, erasure and contest requests |

Important note on Art. 22: The original UK GDPR Article 22 (automated decision-making) was replaced in UK law by new Articles 22A–22D, inserted by section 80 of the Data (Use and Access) Act 2025, which came into force on 5 February 2026 (Commencement No. 6 and Transitional and Saving Provisions Regulations 2026, reg. 2(j)). All references in this document use the new numbering. The saving provision (reg. 5) confirms these amendments do not apply to decisions taken before 5 February 2026.


2. Matrix: Obligation-by-Obligation Analysis

2.1 Lawful Basis for Processing — UK GDPR Article 6

[LEGAL REVIEW REQUIRED] — The lawful basis determination affects all downstream processing and has not been confirmed by qualified legal counsel.

| Processing Activity | Obligation | Compliance Approach | Action Required | Risk Level |
|---|---|---|---|---|
| P-01 to P-05: CV ingestion, parsing, API processing, output generation | Art. 6(1): All processing requires a lawful basis | Primary approach [ASSUMPTION]: Art. 6(1)(f) legitimate interests — the recruiter has a legitimate interest in processing CVs to assess candidate suitability for a vacancy, and the candidate has a reasonable expectation that a submitted CV will be processed for that purpose. A legitimate interests assessment (LIA) is required to document the balance between recruiter interests and candidate rights. | Conduct and document a Legitimate Interests Assessment for Scout processing; review ICO legitimate interests guidance. [LEGAL REVIEW REQUIRED] | HIGH |
| P-01 to P-05: Same | Art. 6(1)(b): Performance of a contract or pre-contractual steps | Secondary analysis [ASSUMPTION]: Art. 6(1)(b) may apply to processing strictly necessary to progress a candidate's application, i.e. steps taken at the candidate's implicit request by submitting a CV. However, the candidate is typically not party to the recruiter–employer contract. Reliance on Art. 6(1)(b) should not be the primary basis without legal advice. | [LEGAL REVIEW REQUIRED] on whether Art. 6(1)(b) applies and which activities it would cover. | HIGH |
| All activities | Art. 6(1)(a): Consent | Consent is not the recommended primary lawful basis in a recruitment context. ICO guidance and courts have consistently noted that the power imbalance between candidates and those assessing them undermines the "freely given" requirement. | Do not rely on consent as the primary basis. Review any consent mechanisms for talent pool or optional processing separately. | MEDIUM |
| P-06, P-07: Human review and recruiter action | Art. 6(1)(f) applies equally | The human review stage and recruiter decision are processing activities in their own right. The same legitimate interests basis should cover these. | Ensure the LIA covers the full Scout workflow, not just the AI-processing step. | MEDIUM |
| P-08, P-09: Storage and retention | Art. 6(1)(f) / Art. 6(1)(b) as appropriate | Continued storage must be justified under the same (or a separately documented) lawful basis. Time-limited retention periods must align with the original processing purpose. | Define retention periods linked to purpose (see section 2.9); ensure continued storage is not an unrelated further processing. | MEDIUM |

2.2 Special Category Data — UK GDPR Article 9 and DPA 2018 Schedule 1

[LEGAL REVIEW REQUIRED] — Article 9 conclusions are high-stakes; legal advice is required before finalising the approach.

The ICO's November 2024 AI in Recruitment Outcomes Report found that several providers "estimated or inferred people's gender, ethnicity, and other characteristics from their job application or even just their name." The ICO found this processing was "often processed without a lawful basis and without the candidate's knowledge." This finding identifies the principal Art. 9 risk for Scout.

| Processing Activity | Obligation | Compliance Approach | Action Required | Risk Level |
|---|---|---|---|---|
| P-02: CV parsing | Art. 9(1): Prohibition on processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and on processing genetic data, biometric data (where used for unique identification), data concerning health, and data concerning sex life or sexual orientation | CVs frequently contain information from which special category attributes may be directly stated or inferred (e.g., a health condition disclosed to explain a career gap; a name suggesting ethnic origin; an educational institution associated with a religious background). Processing these attributes without an Art. 9(2) condition and, where that condition requires it, a DPA 2018 Schedule 1 condition is unlawful. | Primary control: design Scout to avoid parsing or acting on any field or inference that engages special category data. Implement content filtering and prompt instructions that prevent Scout from surfacing or weighting any attribute that could reveal a protected characteristic. | CRITICAL |
| P-04: Anthropic Claude API call | Art. 9(1): Same risk — AI inference from CV text | The Claude API may, when processing unstructured CV text, identify or infer special category attributes as part of generating a suitability assessment. Scout must actively prevent this via prompt design and output filtering. Prompt instructions alone are not a sufficient control, since the model may not follow them; output validation must be applied independently of the prompt. | [ASSUMPTION] Prompt instructions to the Claude API must explicitly exclude any evaluation based on, or inference of, protected characteristics. Output validation should check generated text for the presence of sensitive attributes. Document these controls as a technical safeguard. [LEGAL REVIEW REQUIRED] | CRITICAL |
| P-05: Shortlist output | Art. 9(1): Output must not contain or rely on inferred special category data | Scout shortlist outputs must not reference, score against, or encode inferred protected characteristics. The ICO Nov 2024 report found inferred data is not accurate enough for bias monitoring purposes and, where unsolicited, is processed without a lawful basis. | Implement a structured output schema that has no fields for protected characteristics; audit outputs periodically for unintended inclusion. | HIGH |
| Equality monitoring (if implemented separately) | Art. 9(2)(g) + DPA 2018 Sch. 1 Part 2, para 8(1) | If Sable AI Ltd or its customers wish to process special category data for equality monitoring, DPA 2018 Sch. 1 Part 2, para 8(1) provides a condition for "identifying or keeping under review the existence or absence of equality of opportunity." However, para 8(3) expressly provides that "processing does not meet the condition in sub-paragraph (1) if it is carried out for the purposes of measures or decisions with respect to a particular data subject." Equality monitoring cannot be used to make individual recruitment decisions. | Any equality monitoring programme must be designed to operate separately from Scout's individual candidate assessment pipeline; individual-level decisions must not be affected. [LEGAL REVIEW REQUIRED] | HIGH |
| Diversity initiatives (senior hiring) | DPA 2018 Sch. 1 Part 2, para 9(1) | Where processing reveals racial/ethnic origin in a senior-role identification process for diversity purposes, para 9(1) provides a condition, but only where the processing "can reasonably be carried out without the consent of the data subject" and is "not likely to cause substantial damage or substantial distress" (para 9(3)). This condition is narrow and context-specific. | If applicable, [LEGAL REVIEW REQUIRED] before relying on it. | MEDIUM |
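The output-side control called for in the P-04 and P-05 rows, as an added example (illustrative code written for this matrix, not Scout's or Anthropic's implementation): a validator that rejects a Scout assessment if its structured output carries a field for a protected characteristic, falls outside an allowlisted schema, or mentions a sensitive attribute in its free-text rationale. The schema field names, the forbidden-field list, the term lexicon and the two sample outputs are constructed assumptions; a production lexicon would need to be wider and reviewed against the customer's CV corpus. Prompt instructions are deliberately not relied on here, because the model may not follow them.

```python
import re
from dataclasses import dataclass, field

# [ASSUMPTION] Hypothetical Scout output schema; the real field names are not in the matrix.
ALLOWED_FIELDS = {"candidate_ref", "role_ref", "match_score", "evidence", "gaps"}
REQUIRED_FIELDS = {"candidate_ref", "role_ref", "match_score"}
FREE_TEXT_FIELDS = ("evidence", "gaps")

# Keys that would encode a protected characteristic as a field in its own right.
FORBIDDEN_FIELDS = {
    "gender", "sex", "ethnicity", "race", "nationality", "religion", "age",
    "date_of_birth", "disability", "health", "sexual_orientation", "trade_union",
}

# [ASSUMPTION] Illustrative, not exhaustive: terms whose presence in a rationale
# suggests the model surfaced or inferred a special category / protected attribute.
SENSITIVE_TERMS = [
    r"ethnic\w*", r"racial", r"race", r"religio\w*", r"disab\w*", r"pregnan\w*",
    r"maternity", r"paternity", r"health", r"medical", r"trade union",
    r"sexual orientation", r"gender", r"nationality", r"years old", r"age",
]
SENSITIVE_RE = re.compile(r"\b(?:" + "|".join(SENSITIVE_TERMS) + r")\b", re.IGNORECASE)


@dataclass
class ValidationResult:
    ok: bool
    problems: list = field(default_factory=list)


def validate_scout_output(output: dict) -> ValidationResult:
    """Reject an assessment that carries a protected characteristic, either as a
    structured field or as a term in its free-text rationale."""
    problems = []
    keys = set(output)
    for k in sorted(keys & FORBIDDEN_FIELDS):
        problems.append(f"forbidden field present: {k}")
    for k in sorted(keys - ALLOWED_FIELDS - FORBIDDEN_FIELDS):
        problems.append(f"unexpected field (not in schema): {k}")
    for k in sorted(REQUIRED_FIELDS - keys):
        problems.append(f"missing required field: {k}")
    if "match_score" in output:
        score = output["match_score"]
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 100:
            problems.append(f"match_score out of range or wrong type: {score!r}")
    for name in FREE_TEXT_FIELDS:
        text = output.get(name, "")
        if isinstance(text, list):
            text = " ".join(str(t) for t in text)
        for m in SENSITIVE_RE.finditer(str(text)):
            problems.append(f"sensitive term {m.group(0).lower()!r} in {name}")
    return ValidationResult(ok=not problems, problems=problems)


# Constructed sample outputs for illustration.
CLEAN_OUTPUT = {
    "candidate_ref": "cand-0142", "role_ref": "role-backend-07", "match_score": 78,
    "evidence": ["Six years of Python backend work", "Led a Kubernetes migration in 2023"],
    "gaps": ["No stated Terraform experience"],
}
LEAKY_OUTPUT = {
    "candidate_ref": "cand-0143", "role_ref": "role-backend-07", "match_score": 41,
    "ethnicity": "inferred from surname",
    "evidence": ["Three years of Django work"],
    "gaps": ["Two-year gap explained as maternity leave", "Likely over 50 years old"],
}
```

Run the validator on every model response before it is stored or shown to a recruiter. A failed result should be logged for the periodic audit the P-05 row calls for, and the assessment regenerated or routed to manual handling rather than silently cleaned; a term hit is a flag for review, not proof of misuse (an engineering CV can legitimately say "race condition").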

2.3 Transparency — UK GDPR Articles 13 and 14

| Processing Activity | Obligation | Compliance Approach | Action Required | Risk Level |
|---|---|---|---|---|
| P-01: CV ingestion (direct from candidate) | Art. 13(1)(a–e): Identity of controller, DPO contact, purpose, legal basis, recipients | The recruiter customer (controller) must provide candidates with a privacy notice at or before the point CV data is collected. The notice must identify: the recruiter as controller; the purpose (CV screening using AI); the lawful basis; recipients (including Sable AI Ltd and Anthropic as processor and sub-processor). [ASSUMPTION] Sable AI Ltd should require this as a contractual obligation of its customers. | Embed a transparency notice requirement in customer DPAs. Provide a template notice to customers — see L4-5.2-Candidate-Transparency-Notice-v1.md (forthcoming). | HIGH |
| P-01: CV ingestion (direct from candidate) | Art. 13(2)(f): Disclosure of automated decision-making including profiling | Candidates must be informed of the existence of automated processing, meaningful information about the logic involved, and the significance and envisaged consequences for them. Even if Art. 22A does not apply (because meaningful human review breaks the "solely automated" chain — see section 2.6), Art. 13(2)(f) still requires disclosure of automated profiling. | The candidate transparency notice must describe Scout's function in plain English. See L4-5.2-Candidate-Transparency-Notice-v1.md (forthcoming). The ICO Nov 2024 report found such notices were "consistently absent from recruitment AI providers." | HIGH |
| P-01: CV sourced from third party (e.g., job board, agency database) | Art. 14(1)(a–d) and Art. 14(2)(a, b, g): Same information requirements, delivered within one month of obtaining the data | Where CVs are not obtained directly from the candidate, Art. 14 requires the controller to provide equivalent privacy information. The ICO Nov 2024 report found this was a common failure. | Ensure recruiter contracts address third-party sourcing scenarios. [ASSUMPTION] Sable AI Ltd does not directly source CVs, so the obligation sits with the recruiter customer, but it must be contractually required. | MEDIUM |

2.4 Data Minimisation — UK GDPR Article 5(1)(c)

"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" — UK GDPR Art. 5(1)(c)

| Processing Activity | Obligation | Compliance Approach | Action Required | Risk Level |
|---|---|---|---|---|
| P-01, P-02: CV ingestion and parsing | Art. 5(1)(c): Only data necessary for the purpose (CV screening against job criteria) may be processed | Scout should ingest only the CV content and job description necessary to assess suitability. The ICO Nov 2024 report found providers "collected far more personal information than was needed", including scraping and combining data "from millions of peoples' profiles on job networking sites." Sable AI Ltd must not aggregate external profile data beyond what the candidate submitted. [ASSUMPTION] | Define the data inputs to Scout formally: CV text + job description only. Prohibit Scout from ingesting social media profiles, public data or enrichment feeds without an explicit legal basis and privacy notice. Document in L1-2.3-Data-Flow-Map-v1.md. | HIGH |
| P-04: Anthropic Claude API call | Art. 5(1)(c): Transmitted data must be limited | [ASSUMPTION] Only the CV text and job description are transmitted to the Anthropic API (A-011). No additional personal data fields, contact details, or enrichment data should be included in the API payload. | Audit API request payloads against the data minimisation principle. Implement technical controls to strip unnecessary fields before transmission. | HIGH |
| P-08: Storage | Art. 5(1)(c) applies to stored data | Scout's platform should not retain more candidate data than is necessary for the processing purpose. Scout outputs (suitability assessments) that are no longer needed following a hiring decision should be identified for deletion. | Define what data Scout retains post-decision; ensure retention is limited to what the recruiter legitimately needs. Link to the retention policy (see section 2.9). | MEDIUM |
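The pre-transmission control in the P-04 row, as an added example (illustrative code for this matrix, not Scout's code and not the Anthropic SDK): the API payload is built from an allowlist of exactly two fields, every other field in the candidate record is dropped and listed in an audit record, contact details are redacted from the CV text before it leaves the platform, and a separate gate re-checks the finished payload so the audit does not depend on the builder being correct. The record layout, field names, redaction patterns and sample record are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Only these two inputs may leave the platform (matrix: "CV text + job description only").
TRANSMITTED_FIELDS = ("cv_text", "job_description")

# [ASSUMPTION] Constructed, illustrative contact-detail patterns; tune to the CV formats seen.
REDACTIONS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("phone", re.compile(r"(?:\+44\s?\d|0\d)(?:[\s-]?\d){8,10}")),
    ("url", re.compile(r"https?://\S+|\b(?:www\.|linkedin\.com/)\S+")),
]


@dataclass
class PayloadAudit:
    dropped_fields: list   # record fields withheld from the API call
    redactions: dict       # label -> count of contact details removed from the CV text


def build_api_payload(candidate_record: dict, job_description: str) -> tuple:
    """Allowlist-and-redact: everything except the CV text is dropped, and contact
    details are scrubbed from the text before it is handed to the API client."""
    cv_text = str(candidate_record.get("cv_text", ""))
    counts = {}
    for label, pattern in REDACTIONS:
        cv_text, n = pattern.subn(f"[{label} redacted]", cv_text)
        if n:
            counts[label] = n
    dropped = sorted(k for k in candidate_record if k != "cv_text")
    payload = {"cv_text": cv_text, "job_description": job_description}
    return payload, PayloadAudit(dropped, counts)


def audit_payload(payload: dict) -> list:
    """Independent pre-transmission gate: fails on any field outside the allowlist or
    any residual contact detail. Wire it in front of the API call, not inside the builder."""
    findings = [f"disallowed field: {k}" for k in payload if k not in TRANSMITTED_FIELDS]
    for name in TRANSMITTED_FIELDS:
        text = str(payload.get(name, ""))
        for label, pattern in REDACTIONS:
            if pattern.search(text):
                findings.append(f"residual {label} in {name}")
    return findings


# Constructed sample record: what a parsed CV plus platform metadata might look like.
CANDIDATE_RECORD = {
    "candidate_ref": "cand-0142",
    "full_name": "Jane Doe",
    "email": "jane.doe@example.com",
    "phone": "07700 900123",
    "linkedin_url": "https://www.linkedin.com/in/janedoe",
    "date_of_birth": "1988-04-02",
    "source": "job-board-import",
    "cv_text": (
        "Jane Doe\njane.doe@example.com | 07700 900123 | linkedin.com/in/janedoe\n"
        "Backend engineer, six years Python/Django. Led Kubernetes migration 2023."
    ),
}
JOB_DESCRIPTION = "Senior backend engineer (Python). Kubernetes and Terraform experience desirable."
```

The builder and the gate share the same pattern list on purpose: if a new contact format is added to one, the other picks it up. The job description is checked too, so a recruiter-side contact address in the role text will be flagged and needs a deliberate exception rather than a silent pass.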

2.5 Accuracy — UK GDPR Article 5(1)(d)

"accurate and, where necessary, kept up to date... personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay" — UK GDPR Art. 5(1)(d)

| Processing Activity | Obligation | Compliance Approach | Action Required | Risk Level |
|---|---|---|---|---|
| P-02: CV parsing | Art. 5(1)(d): Extracted data must accurately represent the candidate's CV | CV parsing errors (misread dates, misattributed skills, corrupted formatting) can produce inaccurate candidate profiles. These inaccuracies may affect the downstream AI assessment. | Implement parsing quality checks. Allow candidates to review and correct extracted data where feasible. The human review step (P-06) provides a backstop. | MEDIUM |
| P-04, P-05: AI assessment output | Art. 5(1)(d): Scout's suitability assessments must be accurate representations of the candidate's fit | AI-generated suitability assessments may contain errors, hallucinations or misinterpretations of CV content. The ICO Nov 2024 report found "instances where there was a lack of accuracy testing." [ASSUMPTION] Mandatory human review (A-007) provides a check, but does not remove the obligation to test and monitor Scout's output accuracy. | Implement accuracy testing for Scout outputs against known-good benchmarks. Establish a feedback loop from recruiters on output quality. Cross-reference L3-4.1-Monitoring-Framework-v1.md (forthcoming) for accuracy metrics. | HIGH |
| P-04: Inferred attributes | Art. 5(1)(d): Inferred attributes are inherently less accurate than stated attributes | The ICO Nov 2024 report found that inferred protected characteristics were not accurate enough even for bias monitoring. Reliance on inferred data therefore fails on two counts: it is inaccurate and it lacks a lawful Art. 9 basis. | As above: prohibit Scout from generating or acting on inferred protected-characteristic attributes. | CRITICAL |

2.6 Automated Decision-Making Safeguards — UK GDPR Articles 22A–22D (as substituted by the Data (Use and Access) Act 2025, s.80, in force 5 February 2026)

[LEGAL REVIEW REQUIRED] — Whether Art. 22A applies to Scout's operations is the most significant legal question in this framework. The following analysis is provisional and must be reviewed by qualified UK legal counsel before reliance.

Key question: Does Scout make a "solely automated decision" that produces "a legal effect concerning the data subject or similarly significantly affects the data subject"?

Relevant factors:

  • Scout generates a suitability assessment and shortlist recommendation.
  • [ASSUMPTION] A mandatory human review step (A-007) occurs before any candidate contact is made.
  • If the human review is genuine and meaningful — the recruiter applies independent judgment and can and does override Scout's output — then Scout's output may not constitute a "solely automated decision" and Art. 22A may not apply.
  • If the human review is a rubber stamp with limited practical ability to override, Art. 22A is likely to apply. See L1-2.2-Risk-Classification-Framework-v1.md for the risk tier analysis on this point.
  • The DSIT guidance states: "Employees must be able to meaningfully engage with the outputs of a system to feel confident in acting on the AI-enabled prediction, decision or recommendation." This is the operational test for meaningful human involvement.
| Scenario | Obligation | Compliance Approach | Action Required |
|---|---|---|---|
| If Art. 22A applies (significant decision based solely on automated processing) | Arts. 22A–22C: Art. 22C safeguards are required for a significant decision based solely on automated processing; where such a decision is based on special category data, Art. 22B restricts it to the grounds listed there | Art. 22C safeguards: the candidate must be given information about the decision, be able to make representations about it, be able to obtain human intervention, and be able to contest it. Art. 22D(2) gives the Secretary of State power to define "similarly significant effect" by regulation — monitor for any such regulations. | [LEGAL REVIEW REQUIRED] Determine whether Scout's output is a significant decision based solely on automated processing. If yes, implement all Art. 22C safeguards and, if any special category data feeds the decision, confirm an Art. 22B ground (see section 2.2). Document the safeguards in L4-5.2-Candidate-Transparency-Notice-v1.md (forthcoming). |
| If Art. 22A does not apply (genuine human review breaks the solely automated chain) | Arts. 13(2)(f) / 14(2)(g): Transparency obligations still apply | Even without Art. 22A, disclosure of automated profiling is required. Candidates must be told Scout is used, what it does, and the significance of its outputs. | Transparency notice required regardless. Human review must be operationally robust and documented. See L1-2.5-Roles-and-Responsibilities-v1.md for RACI on human review. |
| Profiling (Art. 4(4)) | UK GDPR Art. 4(4): Scout's analysis of CVs to evaluate candidate performance and suitability constitutes "profiling" regardless of whether Art. 22A applies | Profiling is a defined activity under UK GDPR. It attracts transparency obligations and may feed into the Art. 22A analysis. | Treat Scout's assessment as profiling in all documentation, notices and DPIAs, regardless of the Art. 22A conclusion. |

Note on pre-5 February 2026 legacy: The commencement saving (Commencement No. 6 Regulations 2026, reg. 5) confirms the new Art. 22A–22D regime does not affect decisions taken before 5 February 2026. Any processing since that date is subject to the new framework.
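A check for the rubber-stamp failure mode described in this section, as an added example (illustrative code for this matrix, not Scout's platform code and not a DSIT or ICO method): given a log of review events, it reports how often recruiters override Scout, how often a Scout "reject" is reversed to "advance", and the median time a recruiter spends on an output, and flags the log when either figure falls below a threshold. The event layout, the thresholds and the two sample logs are assumptions; the thresholds in particular are not figures from any guidance and would need to be set per customer and reviewed with the monitoring framework.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class ReviewEvent:
    candidate_ref: str
    scout_recommendation: str   # "advance" or "reject", as produced by Scout (P-05)
    recruiter_decision: str     # "advance" or "reject", as recorded at P-07
    review_seconds: float       # time the recruiter had the Scout output open before deciding


# [ASSUMPTION] Illustrative thresholds only; not figures from the matrix, the ICO or DSIT.
MIN_OVERRIDE_RATE = 0.05
MIN_MEDIAN_REVIEW_SECONDS = 60.0


def review_health(events, min_override_rate=MIN_OVERRIDE_RATE,
                  min_median_seconds=MIN_MEDIAN_REVIEW_SECONDS) -> dict:
    """Summarise whether recruiters are exercising independent judgment over Scout output."""
    events = list(events)
    if not events:
        raise ValueError("no review events to assess")
    overrides = [e for e in events if e.recruiter_decision != e.scout_recommendation]
    scout_rejects = [e for e in events if e.scout_recommendation == "reject"]
    rejects_reversed = [e for e in scout_rejects if e.recruiter_decision == "advance"]
    summary = {
        "events": len(events),
        "override_rate": len(overrides) / len(events),
        # Reversals of a Scout "reject" are the ones that matter to candidates: they show
        # the human step can actually put someone back into contention.
        "reject_reversal_rate": (len(rejects_reversed) / len(scout_rejects)) if scout_rejects else None,
        "median_review_seconds": median(e.review_seconds for e in events),
        "flags": [],
    }
    if summary["override_rate"] < min_override_rate:
        summary["flags"].append("override rate below threshold: review may be a rubber stamp")
    if summary["median_review_seconds"] < min_median_seconds:
        summary["flags"].append("median review time below threshold: outputs may not be read")
    return summary


# Constructed sample logs for illustration.
HEALTHY_LOG = [
    ReviewEvent(f"cand-{i:04d}", rec, dec, secs)
    for i, (rec, dec, secs) in enumerate([
        ("advance", "advance", 120), ("reject", "reject", 95), ("reject", "advance", 300),
        ("advance", "advance", 75), ("reject", "reject", 180), ("advance", "reject", 240),
        ("advance", "advance", 60), ("reject", "reject", 150), ("advance", "advance", 90),
        ("reject", "reject", 110),
    ])
]
RUBBER_STAMP_LOG = [
    ReviewEvent(f"cand-{i:04d}", "reject", "reject", 6 + i % 5) for i in range(10)
]
```

A zero override rate is not proof of rubber-stamping (Scout might simply be right), and a high one is not proof of meaningful review, so treat the flags as a trigger for the Art. 22A analysis to be revisited, not as the conclusion; the reject-reversal rate is the figure to watch, because it is the only one that shows the human step changing an outcome for a candidate.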


2.7 DPIA Obligation — UK GDPR Article 35

| Processing Activity | Obligation | Compliance Approach | Action Required | Risk Level |
|---|---|---|---|---|
| Scout system as a whole | Art. 35(1): DPIA required prior to processing where likely to result in high risk | The ICO's published list of operations requiring a DPIA includes: (1) "innovative technology... combined with any of the criteria from the European guidelines" (Scout is an AI tool); (2) "Denial of service" (automated decisions affecting access to employment opportunities); (3) "Large-scale profiling" (Scout systematically evaluates candidates at scale). The ICO has confirmed that AI in recruitment triggers a DPIA. | A DPIA must be completed before Scout processes candidate data. See L2-3.4-DPIA-Template-v1.md (forthcoming) for the template structure. The ICO Nov 2024 report found several providers completed DPIAs retrospectively or incompletely; Sable AI Ltd must complete it prospectively and in sufficient detail. | CRITICAL |
| Scout system as a whole | Art. 35(3)(a): Systematic and extensive evaluation of personal aspects via automated processing, on which decisions are based that produce legal or similarly significant effects | Scout's CV scoring and shortlisting activities fall squarely within Art. 35(3)(a), which independently triggers a DPIA requirement. | DPIA must specifically address the Art. 35(3)(a) trigger. | CRITICAL |
| Scout system as a whole | Art. 35(3)(b): Large-scale processing of special category data | If Scout processes any special category data (even incidentally), Art. 35(3)(b) provides a further DPIA trigger. | Confirm the Art. 9 approach (section 2.2) and reflect it in the DPIA. | HIGH |
| DPIA content | Art. 35 + ICO guidance | The ICO Nov 2024 report identified common DPIA failures: absent data flow map; no assessment of the data protection principles; insufficient necessity/proportionality analysis; no consideration of less privacy-invasive alternatives. All must be included. | The DPIA template at L2-3.4-DPIA-Template-v1.md (forthcoming) addresses all these points. | HIGH |

2.8 Data Subject Rights — UK GDPR Articles 15–21 and 22A–22D

| Right | Applicable Article | Compliance Approach | Action Required | Risk Level |
|---|---|---|---|---|
| Right of access | Art. 15(1): Candidate right to obtain confirmation of processing and access to personal data, including information on automated processing (Art. 15(1)(h)) | Candidates may submit Subject Access Requests (SARs) relating to: CV data held by Scout; Scout's suitability assessment of them; whether automated processing has occurred and on what logic. [ASSUMPTION] The recruiter customer is the controller and the primary recipient of SARs; Sable AI Ltd must support the customer in responding (Art. 28(3)(e)). | Build SAR response capability: ability to export candidate data and Scout outputs on request. Confirm SAR handling RACI in L1-2.5-Roles-and-Responsibilities-v1.md. Define the one-month response timeline in operational procedures. | HIGH |
| Right to erasure | Art. 17(1): Erasure without undue delay where data is no longer necessary, consent is withdrawn, or data was unlawfully processed | Candidates whose applications are unsuccessful have a strong case for erasure once the retention purpose expires. | Define when erasure grounds are met; implement a deletion workflow linked to the retention schedule (see section 2.9). | HIGH |
| Right to rectification | Art. 16 [VERIFY AGAINST SOURCE — not in extraction file] | Candidates may request correction of inaccurate CV-derived data or extracted fields. | Implement a rectification mechanism; ensure corrections propagate to any stored Scout outputs affected. | MEDIUM |
| Right to restriction | Art. 18 [VERIFY AGAINST SOURCE — not in extraction file] | Candidates may request restriction of processing while accuracy or lawfulness is contested. | Build the technical capability to restrict processing without deleting data pending resolution. | MEDIUM |
| Right to object | Art. 21 [VERIFY AGAINST SOURCE — not in extraction file]: Right to object to processing based on legitimate interests (Art. 6(1)(f)) | Where Scout processing relies on Art. 6(1)(f), candidates have a right to object under Art. 21(1). The right is not absolute: the controller must stop processing unless it demonstrates compelling legitimate grounds that override the candidate's interests, rights and freedoms (only the objection to direct marketing under Art. 21(2) is absolute). | Define an objection-handling procedure. Where an objection is upheld, cease AI processing for that candidate and handle the application manually. | HIGH |
| Safeguards for solely automated significant decisions | Arts. 22A–22D (see section 2.6) | If Art. 22A applies, the candidate must be given information about the decision and be able to make representations, obtain human intervention and contest the decision (Art. 22C). | Implement the Art. 22C safeguards operationally. RACI in L1-2.5-Roles-and-Responsibilities-v1.md. Notice in L4-5.2-Candidate-Transparency-Notice-v1.md (forthcoming). | HIGH |

2.9 Storage Limitation and Retention — UK GDPR Article 5(1)(e)

"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed" — UK GDPR Art. 5(1)(e)

| Processing Activity | Obligation | Compliance Approach | Action Required | Risk Level |
|---|---|---|---|---|
| P-09: Retention of candidate CV data | Art. 5(1)(e): Retention limited to what is necessary | [ASSUMPTION] Sable AI Ltd has not formally defined retention periods for candidate personal data (A-013). The retention period should be determined by the processing purpose: once a hiring decision is made and the purpose is fulfilled, continued retention requires separate justification. | Define retention periods per purpose and customer type. Document in the Data Flow Map (L1-2.3-Data-Flow-Map-v1.md). A common starting point for unsuccessful applicants is 6 months post-decision, which comfortably covers the three-month time limit for bringing an employment tribunal discrimination claim, subject to legal advice. [LEGAL REVIEW REQUIRED] | HIGH |
| P-09: Retention of Scout outputs | Art. 5(1)(e) applies equally to AI-generated outputs | Scout's suitability assessments constitute personal data and are subject to the same retention rules as the underlying CV data. | Ensure deletion of Scout outputs is linked to CV data deletion; do not retain outputs beyond the deletion date for the underlying data. | HIGH |
| P-08: Storage security | Art. 5(1)(f): Integrity and confidentiality | Candidate data and Scout outputs must be protected against unauthorised access, loss or destruction. [ASSUMPTION] Hosted on AWS eu-west-2 (A-004). | Document security controls in customer DPAs and the Sable AI Ltd security policy. Cross-reference L1-2.4-Governance-Policy-v1.md. | MEDIUM |
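The linked deletion and restriction behaviour called for in sections 2.8 and 2.9, as an added example (illustrative code for this matrix, not Scout's platform code): erasure clears the CV text and every Scout output for the candidate together, the retention sweep erases records once the post-decision period has run, and a record under Art. 18 restriction is neither processed nor auto-deleted but reported for manual handling. The record layout, the sample store and the 183-day period are assumptions; the period follows the six-month starting point in the row above and remains subject to legal advice.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# [ASSUMPTION] About 6 months after the recruiter's decision; section 2.9 starting point,
# subject to legal advice.
RETENTION_AFTER_DECISION = timedelta(days=183)


@dataclass
class CandidateRecord:
    candidate_ref: str
    cv_text: Optional[str]
    scout_outputs: list = field(default_factory=list)   # assessments generated for this candidate
    decision_date: Optional[date] = None                 # date of the recruiter's decision (P-07)
    restricted: bool = False                             # Art. 18 restriction in force
    erased: bool = False


def may_process(record: CandidateRecord) -> bool:
    """Scout (and any recruiter tooling) must check this before touching a record."""
    return not (record.erased or record.restricted)


def restrict(record: CandidateRecord) -> None:
    """Art. 18: stop processing but keep the data while accuracy or lawfulness is contested."""
    record.restricted = True


def lift_restriction(record: CandidateRecord) -> None:
    record.restricted = False


def erase(record: CandidateRecord) -> None:
    """Art. 17 / Art. 5(1)(e): the CV and every derived Scout output go together,
    so an assessment can never outlive the data it was made from."""
    record.cv_text = None
    record.scout_outputs.clear()
    record.erased = True


def deletion_due(record: CandidateRecord, today: date) -> bool:
    """Retention runs from the decision date; records with no decision yet are still live."""
    if record.decision_date is None or record.erased:
        return False
    return today >= record.decision_date + RETENTION_AFTER_DECISION


def retention_sweep(store: dict, today: date) -> dict:
    """Erase records whose retention has run; hold restricted ones for manual review
    rather than deleting contested data automatically."""
    result = {"erased": [], "held_for_review": []}
    for ref, record in store.items():
        if not deletion_due(record, today):
            continue
        if record.restricted:
            result["held_for_review"].append(ref)
        else:
            erase(record)
            result["erased"].append(ref)
    return result


def make_sample_store() -> dict:
    """Constructed sample data for illustration."""
    store = {
        "cand-A": CandidateRecord("cand-A", "CV text A", [{"match_score": 70}], date(2026, 1, 10)),
        "cand-B": CandidateRecord("cand-B", "CV text B", [{"match_score": 35}], date(2025, 8, 1)),
        "cand-C": CandidateRecord("cand-C", "CV text C", [{"match_score": 52}], date(2025, 8, 1)),
        "cand-D": CandidateRecord("cand-D", "CV text D", []),
    }
    restrict(store["cand-C"])   # candidate C has contested the accuracy of their assessment
    return store
```

In a real deployment the same cascade has to reach every copy: database rows, object storage, search indexes, backups within their own retention window, and any logs that captured the API payload. The sweep output is the evidence for the retention schedule the Data Flow Map is meant to document.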

2.10 Sub-processor Obligations — UK GDPR Article 28

| Processing Activity | Obligation | Compliance Approach | Action Required | Risk Level |
|---|---|---|---|---|
| P-04: Anthropic as sub-processor | Art. 28(1): Controller may use only processors providing sufficient guarantees | [ASSUMPTION] Anthropic is a sub-processor of Sable AI Ltd and a valid DPA is in place (A-005). Sable AI Ltd must verify that Anthropic provides sufficient guarantees and that the DPA meets the Art. 28(3) requirements. | Verify the Anthropic DPA covers all Art. 28(3)(a–h) mandatory clauses. In particular: (d) sub-processor chain controls; (e) data subject rights assistance; (g) deletion or return at end of contract; (h) audit rights. | HIGH |
| P-04: International transfer | UK GDPR Chapter V: Transfers outside the UK require appropriate safeguards | [ASSUMPTION] Anthropic processes Scout API requests outside the UK, likely in the USA (A-014), engaging UK GDPR Chapter V international transfer obligations. | Confirm Anthropic's data processing locations. Verify the transfer mechanism in place: the UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework, available only where the importer is certified for it), the ICO's International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs with a transfer risk assessment, or another Chapter V mechanism. [LEGAL REVIEW REQUIRED] | HIGH |
| Sable AI Ltd as processor for recruiter customers | Art. 28(3): Sable AI Ltd must have a qualifying DPA with each recruiter customer | Sable AI Ltd's customer DPA must satisfy all Art. 28(3)(a–h) requirements. Where the customer is a joint controller (agency scenario), Art. 26 applies instead of Art. 28 — see L4-5.1-Data-Processing-Agreement-Template-v1.md (forthcoming). | Ensure the customer DPA template covers all mandatory Art. 28(3) clauses. See L4-5.1-Data-Processing-Agreement-Template-v1.md (forthcoming). The ICO Nov 2024 report found contracts were "too broad" and did not include sufficient detail on responsibilities, technical measures, or data handling at contract end. | HIGH |

3. Priority Action Summary

The following actions are highest priority based on this matrix. Items marked [LEGAL REVIEW REQUIRED] must be completed by qualified UK legal counsel before Scout processes live candidate data.

| Priority | Obligation | Action | Owner |
|---|---|---|---|
| P1 — Critical | Art. 9 / Art. 5(1)(c) | Design Scout to avoid ingesting or inferring special category data; implement prompt controls and output filtering | CTO / Engineering Lead |
| P1 — Critical | Art. 35 | Complete DPIA before Scout processes candidate data; use template at L2-3.4-DPIA-Template-v1.md (forthcoming) | CTO / CEO [ASSUMPTION] |
| P1 — Critical | Arts. 13–14 / Art. 22C | Provide candidate transparency notice meeting Art. 13/14 and Art. 22C requirements; use L4-5.2-Candidate-Transparency-Notice-v1.md (forthcoming) | Customer Success Lead |
| P2 — High | Art. 6 | Conduct and document Legitimate Interests Assessment for Scout processing | CEO / legal counsel [LEGAL REVIEW REQUIRED] |
| P2 — High | Arts. 22A–22D | Determine and document whether Art. 22A applies to Scout given the human review design; implement Art. 22C safeguards if it does | CTO / legal counsel [LEGAL REVIEW REQUIRED] |
| P2 — High | Art. 28 / Chapter V | Verify Anthropic DPA; confirm international transfer mechanism; deploy compliant customer DPA template | CEO / CTO [ASSUMPTION] |
| P3 — Medium | Art. 5(1)(e) | Define and document retention periods for CV data and Scout outputs | CTO / Customer Success Lead |
| P3 — Medium | Arts. 15–21 | Implement SAR, erasure, objection, restriction and rectification handling procedures | All: see RACI L1-2.5-Roles-and-Responsibilities-v1.md |

4. Matters Requiring Legal Review

The following conclusions in this document are provisional and require review by a qualified UK lawyer before operational reliance:

  1. Lawful basis selection (Art. 6): Whether Art. 6(1)(f) legitimate interests or Art. 6(1)(b) contract performance is the appropriate basis for each processing activity; whether an LIA would withstand regulatory scrutiny given the automated nature of Scout's processing.

  2. Special category data strategy (Art. 9): Whether the data minimisation / avoidance approach adequately addresses Art. 9 risk; what legal basis and DPA 2018 Schedule 1 condition would apply if special category data is unavoidably processed.

  3. Article 22A threshold (ADM): Whether Scout's output constitutes a "solely automated decision" with "similarly significant effect" for the purposes of the new Arts. 22A–22D regime; whether the human review step (A-007) is operationally sufficient to break the solely automated chain.

  4. Retention periods (Art. 5(1)(e)): Whether proposed retention periods are adequate to satisfy UK GDPR obligations and employment discrimination limitation periods.

  5. International transfers (Chapter V): Whether the transfer mechanism in place for Anthropic API processing in the USA is sufficient under the UK's post-Brexit international transfer regime.


5. Cross-References

Referenced Document Relationship
L1-2.1-AI-System-Inventory-v1.md Source of Scout system description and technical parameters
L1-2.2-Risk-Classification-Framework-v1.md Art. 22A threshold analysis and risk tier
L1-2.3-Data-Flow-Map-v1.md Data flows underpinning this matrix
L1-2.5-Roles-and-Responsibilities-v1.md RACI for obligations identified in this matrix
L2-3.4-DPIA-Template-v1.md DPIA structure (forthcoming)
L3-4.1-Monitoring-Framework-v1.md Accuracy and bias monitoring metrics (forthcoming)
L4-5.1-Data-Processing-Agreement-Template-v1.md Customer DPA clauses for Art. 28 compliance (forthcoming)
L4-5.2-Candidate-Transparency-Notice-v1.md Candidate-facing transparency notice (forthcoming)

This document forms part of the Sable AI Ltd AI Governance Framework. It is a proposal for compliance design and does not constitute legal advice. Review by a qualified UK lawyer is required before operational use. All assumptions about Sable AI Ltd are unverified as at the date of this document.