GDPR · DPA 2018 · Privacy by Design

Know what you hold.
Control what you keep.

Co.Marc gives compliance and data protection teams a clear, auditable path from unknown personal data to governed, protected, and evidenced compliance — without disrupting operations.

See How It Works View Compliance Coverage
UK GDPR EU GDPR DPA 2018 ICO compliant approach Article 25 Privacy by Design

Designed around the regulations that matter to UK and EU organisations

UK GDPR
EU GDPR (2016/679)
Data Protection Act 2018
Privacy by Design · Article 25
Subject Access Rights · Article 15
Storage Limitation · Article 5
The Challenge

Most organisations don't know
all the personal data they hold.

Records grow over years. New information is collected, systems are integrated, data is copied. What started as manageable becomes an undocumented accumulation of personal information — and regulators expect you to account for every piece of it.

The uncomfortable truth

The ICO doesn't accept "we weren't sure what we had" as a defence. GDPR requires you to know what personal data you hold, protect it appropriately, and delete it when the time comes — and to be able to prove all three.

For most organisations, that's currently a manual, incomplete, and hard-to-evidence process.

Regulatory fines are real

GDPR fines reach €20M or 4% of global annual turnover. The ICO expects documented evidence — not best intentions.

Unprotected data is a breach waiting to happen

Personal data you haven't identified can't be protected. Internal systems and working copies of data are particularly exposed.

Keeping data too long is a violation

The Storage Limitation principle requires deletion when data is no longer needed. Manual processes rarely keep up.

Subject Access Requests need fast, accurate answers

You have one month to respond. Without a complete picture of what you hold, compiling an accurate response is difficult and risky.

The Solution

From discovery to enforcement.
All in one place.

Co.Marc connects to your databases, finds the personal data, helps your team make the right decisions, and applies them automatically — while building the audit evidence you need to demonstrate compliance.

Discover

Marc automatically maps every column across your databases that may contain personal data — SQL Server, PostgreSQL, MySQL, Snowflake, Oracle, and more. No manual cataloguing. No assumptions about what's clean.

Classify

Each piece of data is categorised — names, email addresses, national insurance numbers, financial identifiers — with a confidence score so your team focuses on what matters most.

Decide

Your DPO or compliance lead makes a deliberate, documented decision for every finding using the 3Rs framework — Retain, Protect, or Delete. Every decision is recorded with who made it and when.

Enforce

Decisions are applied automatically. Personal data is masked, access-controlled, or deleted on schedule — without developers needing to build custom solutions.

Evidence

Everything is logged — decisions, enforcement actions, deletions, and access requests. Your audit trail is built as you work, not assembled in a panic before an inspection.

Full walkthrough
The 3Rs Framework

One decision for
every piece of personal data.

The 3Rs give your team a clear, consistent vocabulary for data governance. No ambiguity. No ungoverned columns. Every finding gets a deliberate, documented treatment.

R1 — Retain

This data is fine as it is.

Order references, status codes, system identifiers — low-risk data that doesn't need treatment. The decision is recorded and attributed. R1 is not inaction; it's a deliberate, documented assessment.

No action needed Decision documented Audit-ready
R2 — Protected

Keep it — but control who sees it.

Names, email addresses, national insurance numbers. Data your business needs to keep but must protect. Marc applies access controls automatically — masking data for those who don't need to see it, while legitimate users retain full access.

Automatic masking Access controlled Reversible
R3 — Delete

Delete it when the time comes.

Data that must go when its retention period expires. You define the rule — account closed, application rejected, consent withdrawn. Marc evaluates on schedule, presents records for your approval, then deletes them. Every deletion is logged.

Scheduled deletion Operator approved Per-record audit log
Explore the 3Rs in detail
Why Co.Marc

Built for the people who carry the compliance responsibility.

Always audit-ready

Every classification, decision, and enforcement action is logged with who did it and when. If the ICO comes calling, your evidence is already prepared.

SARs answered in minutes

Find every record held about a data subject across all your databases with a single search. Generate a signed certificate of findings. Respond with confidence, on time.

Your data never leaves your building

Marc works with metadata — not personal data values. The on-premises component processes everything locally. Nothing sensitive is transmitted, ever.

Continuous, not one-off

Databases change — new columns, new tables, new data flows. Marc monitors continuously, surfacing new personal data for review as it appears. Compliance doesn't go stale.

Your team stays in control

Marc discovers and classifies — but humans make every governance decision. Every treatment is reviewed, approved, and attributed. You are always the decision-maker.

Retention managed automatically

Set the rules once — account closed plus 7 years, consent withdrawn plus 30 days. Marc evaluates on schedule and prepares deletion batches for your approval. Storage limitation, systematised.

Article 25 — Privacy by Design

Your data stays
on your terms.

Co.Marc is built around a principle that should be non-negotiable: the personal data in your databases never needs to leave your network for you to govern it properly.

The Marc component that connects to your databases runs on your own infrastructure. It sends only structural information — column names, data types, findings — to the governance portal. The actual values inside your databases are never transmitted, ever. This isn't a feature you configure; it's the way the system is built.

Read about Privacy by Design
Compliance coverage

Comprehensive governance.
From day one.

Co.Marc addresses every key dimension of your GDPR obligations — not just discovery, but ongoing governance that scales with your databases.

View full compliance coverage
14
personal data categories automatically identified
100%
schema coverage — no column is missed
0
personal data values transmitted outside your network
audit history retained — never deleted
Get Started

See Co.Marc with
your own data.

Book a guided walkthrough with one of our compliance specialists. We'll show you the discovery, classification, and decision workflow applied to your own environment.

We process your details only to respond to your enquiry. No marketing. No third-party sharing.