Built around
your obligations.
Co.Marc doesn't sit alongside your GDPR compliance programme — it implements it. Every feature maps to a specific obligation, and every action produces the evidence that demonstrates it.
The regulations require it.
Co.Marc evidences it.
GDPR and DPA 2018 create specific, enforceable obligations. Co.Marc is designed to help you meet them — and to produce the documentation that shows you have.
& Default
Protection built in. Not bolted on.
Article 25 requires that data protection is embedded into your systems and processes from the outset — not addressed as an afterthought. For most organisations, achieving this in existing database environments is the hard part.
Co.Marc implements Privacy by Design in two ways. First, the local-first architecture ensures that personal data values are never transmitted to the cloud — the Marc component that analyses your databases runs on your own infrastructure, and only structural information ever leaves your network. Second, R2 protections are applied at the database level — so that access controls and masking are in place regardless of how data is accessed, not dependent on any particular application enforcing them.
Know what you hold.
Keep only what you need.
Article 5 establishes the data minimisation and storage limitation principles — you should hold no more personal data than necessary, and for no longer than required. These are not aspirational guidelines; they are enforceable obligations.
Co.Marc gives you the tools to meet both. Discovery finds everything — including columns you didn't know existed in legacy systems and integrations. The 3Rs framework then guides your team to make deliberate decisions about everything that's found. R3 treatment, with configurable retention rules, ensures that scheduled deletion happens systematically rather than being perpetually deferred.
& Storage Limitation
Subject Access
DPA 2018 Section 45
Respond to subject access requests with confidence.
Every data subject has the right to know what personal data you hold about them. You have one calendar month to respond — and the response must be complete, accurate, and documented.
Co.Marc handles Subject Access Requests through a dedicated workflow. A single search query is run across all connected databases simultaneously. Every matched record is gathered and presented in a structured summary. The response is formalised as a signed Subject Access Certificate — a document you can provide to the data subject and retain as evidence of your compliance with the request.
If the subject also exercises their right to erasure, the same process immediately initiates an R3 workflow for the relevant records.
Systematic deletion.
Not wishful thinking.
The Right to Erasure under Article 17 and the Storage Limitation principle under Article 5 both create deletion obligations. In practice, these are among the hardest obligations to actually implement — because databases accumulate data passively, deletion requires active intervention, and the people who understand retention policy are rarely the people who can write the queries to enforce it.
Co.Marc closes that gap. Your compliance team defines retention rules in plain terms — which event triggers the clock, and how long after that event the data should be kept. Marc evaluates those rules against live data on a continuous schedule. When records become due for deletion, they are queued for operator review. Once approved, deletion happens automatically and is logged permanently.
The same workflow applies to Right to Erasure requests. Whether the trigger is a scheduled retention expiry or an explicit request from a data subject, the process is controlled, documented, and evidenced.
& Retention Enforcement
Article 5 Storage Limitation
Your evidence is produced as you work.
The most common obstacle compliance teams face when responding to regulatory enquiries or ICO investigations isn't the absence of good practice — it's the absence of documentation. Co.Marc builds that documentation automatically, at every step.
Immutable audit log
Every action — classification, governance decision, enforcement, deletion, access request — is written to a permanent log that cannot be altered. The record shows who did what, and when.
Human accountability
Every governance decision is attributed to a named individual. You can demonstrate not just that a decision was made, but who made it, with any supporting rationale they recorded at the time.
Exportable records
Audit records and compliance summaries are exportable for ICO submissions, internal audit processes, board reporting, and external assurance reviews.
Continuous, not point-in-time
Compliance isn't evidenced by a single annual review. Co.Marc runs continuously — scanning for new data, evaluating retention rules, monitoring enforcements — and every action it takes is logged.