Co.Marc Regulatory Coverage

Built around
your obligations.

Co.Marc doesn't sit alongside your GDPR compliance programme — it implements it. Every feature maps to a specific obligation, and every action produces the evidence that demonstrates it.

Privacy by Design Data Minimisation Subject Access Retention & Erasure
What Co.Marc covers

The regulations require it.
Co.Marc evidences it.

GDPR and DPA 2018 create specific, enforceable obligations. Co.Marc is designed to help you meet them — and to produce the documentation that shows you have.

UK GDPR · Article 5
Data Minimisation & Storage Limitation
Continuous discovery identifies all personal data held. R3 treatment and retention rules enforce deletion at the appropriate time.
Covered
UK GDPR · Article 15
Subject Access Rights
Cross-database search finds all data held about a subject. Signed Subject Access Certificate generated as formal evidence of the response.
Covered
UK GDPR · Article 17
Right to Erasure
Erasure requests trigger an R3 workflow — records are identified, presented for approval, deleted, and logged with a permanent audit record.
Covered
UK GDPR · Article 25
Privacy by Design & Default
Protection is applied at the database level — not as an afterthought. The on-premises architecture means personal data never leaves your network.
Covered
UK GDPR · Article 30
Records of Processing Activities
The governance portal maintains a complete, queryable record of all personal data identified, the decisions made, and the treatments applied — a living RoPA.
Covered
DPA 2018 · Schedule 1
Special Category Data
Health data, biometric data, and other special category fields are flagged at discovery, classified with elevated risk, and directed to appropriate treatment.
Covered
Article 25
Privacy by Design
& Default
UK GDPR · EU GDPR

Protection built in. Not bolted on.

Article 25 requires that data protection is embedded into your systems and processes from the outset — not addressed as an afterthought. For most organisations, achieving this in existing database environments is the hard part.

Co.Marc implements Privacy by Design in two ways. First, the local-first architecture ensures that personal data values are never transmitted to the cloud — the Marc component that analyses your databases runs on your own infrastructure, and only structural information ever leaves your network. Second, R2 protections are applied at the database level — so that access controls and masking are in place regardless of how data is accessed, not dependent on any particular application enforcing them.

Evidence produced
Architecture documentation showing no personal data transmission
Enforcement log confirming database-level protections applied
Governance decisions attributed to named compliance personnel

Know what you hold.
Keep only what you need.

Article 5 establishes the data minimisation and storage limitation principles — you should hold no more personal data than necessary, and for no longer than required. These are not aspirational guidelines; they are enforceable obligations.

Co.Marc gives you the tools to meet both. Discovery finds everything — including columns you didn't know existed in legacy systems and integrations. The 3Rs framework then guides your team to make deliberate decisions about everything that's found. R3 treatment, with configurable retention rules, ensures that scheduled deletion happens systematically rather than being perpetually deferred.

Evidence produced
Complete inventory of personal data held across all databases
Decision record for every identified piece of personal data
Per-record deletion log with dates, approvals, and rationale
Article 5
Data Minimisation
& Storage Limitation
UK GDPR · EU GDPR
Article 15
Right of Access /
Subject Access
UK GDPR · EU GDPR
DPA 2018 Section 45

Respond to subject access requests with confidence.

Every data subject has the right to know what personal data you hold about them. You have one calendar month to respond — and the response must be complete, accurate, and documented.

Co.Marc handles Subject Access Requests through a dedicated workflow. A single search query is run across all connected databases simultaneously. Every matched record is gathered and presented in a structured summary. The response is formalised as a signed Subject Access Certificate — a document you can provide to the data subject and retain as evidence of your compliance with the request.

If the subject also exercises their right to erasure, the same process immediately initiates an R3 workflow for the relevant records.

Evidence produced
Signed Subject Access Certificate for each request
Request log showing date received, date responded, and outcome
Deletion audit trail where erasure was also requested

Systematic deletion.
Not wishful thinking.

The Right to Erasure under Article 17 and the Storage Limitation principle under Article 5 both create deletion obligations. In practice, these are among the hardest obligations to actually implement — because databases accumulate data passively, deletion requires active intervention, and the people who understand retention policy are rarely the people who can write the queries to enforce it.

Co.Marc closes that gap. Your compliance team defines retention rules in plain terms — which event triggers the clock, and how long after that event the data should be kept. Marc evaluates those rules against live data on a continuous schedule. When records become due for deletion, they are queued for operator review. Once approved, deletion happens automatically and is logged permanently.

The same workflow applies to Right to Erasure requests. Whether the trigger is a scheduled retention expiry or an explicit request from a data subject, the process is controlled, documented, and evidenced.

Evidence produced
Retention policy documentation with defined rules per data type
Immutable deletion log — per-record, with approval, date, and operator
Scheduler history showing continuous enforcement of retention rules
Article 17
Right to Erasure
& Retention Enforcement
UK GDPR · EU GDPR
Article 5 Storage Limitation
Audit & Evidence

Your evidence is produced as you work.

The most common obstacle compliance teams face when responding to regulatory enquiries or ICO investigations isn't the absence of good practice — it's the absence of documentation. Co.Marc builds that documentation automatically, at every step.

Immutable audit log

Every action — classification, governance decision, enforcement, deletion, access request — is written to a permanent log that cannot be altered. The record shows who did what, and when.

Human accountability

Every governance decision is attributed to a named individual. You can demonstrate not just that a decision was made, but who made it, with any supporting rationale they recorded at the time.

Exportable records

Audit records and compliance summaries are exportable for ICO submissions, internal audit processes, board reporting, and external assurance reviews.

Continuous, not point-in-time

Compliance isn't evidenced by a single annual review. Co.Marc runs continuously — scanning for new data, evaluating retention rules, monitoring enforcements — and every action it takes is logged.

Get started

Evidence-ready from day one.

See how Co.Marc maps to your specific compliance obligations in a personalised walkthrough with our team.

Request a Demo See How It Works