The Data Governance Procedure
Where you control the data a high-risk system runs on, that data has to be good enough for the job. The Data Governance Procedure documents how you keep it that way.
Updated May 2026
What it is
A per-system procedure covering where a high-risk system's input data comes from and how you keep it relevant and fit for purpose, to the extent that data is under your control. It sits under the deployer duties in Article 26.
When it applies
Once per confirmed high-risk system where you control the input data. If a high-risk system also processes personal data, a data protection impact assessment may be needed too. See when you need a DPIA.
How to generate it
Generate it from Documents for the relevant high-risk system, then review it against where your data actually comes from and how you check its quality.
Veillo is compliance tooling, not a law firm. Even counsel-reviewed content is general reference, not legal advice on your specific situation.
The Annex IV technical documentation memo for a high-risk system: what to hold, and how to generate one per system.
High-risk AI usually involves personal data, which can trigger a data protection impact assessment under GDPR Article 35. How Veillo tracks the DPIA duty.
Generate a compliance document from your register: pick a template, choose the system if needed, then edit, export to PDF or DOCX, and keep versions.
Still need help?
Get in touch and a human will answer, or book a short walkthrough.