The 3Rs
A clear, consistent framework for every piece of personal data your organisation holds. One deliberate decision per finding. No ambiguity. No ungoverned columns.
Every column needs an answer.
GDPR doesn't allow vagueness. You must be able to justify holding any personal data, protect it appropriately, and delete it when retention periods expire. The challenge for most organisations isn't understanding the obligation — it's making it manageable across hundreds of tables and thousands of columns.
The 3Rs give your team a shared language and a systematic approach. Every piece of personal data gets exactly one of three treatment designations. Once a decision is made, it's documented, attributed, and enforced.
Low-risk data. Keep as-is. Decision documented, no enforcement action required.
Sensitive data that must be kept. Protection applied — access controlled, masked, or secured.
Data that must go. Retention trigger defined. Deletion scheduled, reviewed, and logged.
Retain: a deliberate decision,
not the absence of one.
Not every column in a database carries meaningful privacy risk. Order IDs, status codes, system-generated references, lookup values — these are the kinds of data where holding them is entirely reasonable and presents no significant compliance concern.
R1 doesn't mean you've done nothing. It means you've looked at the data, assessed the risk, and made an informed, documented decision that no treatment is required. That assessment is recorded, attributed to the person who made it, and forms part of your compliance audit trail.
The practical value is significant. R1 allows your team to work through findings systematically and move quickly on low-risk data — saving time and attention for the columns that genuinely need more careful handling.
Manage: protect the data
your business needs to keep.
Much of the personal data held by organisations is there for a legitimate reason — customer names for account management, email addresses for service delivery, national insurance numbers for payroll. GDPR doesn't require you to delete it; it requires you to protect it appropriately.
R2 is the treatment designation for data that you have a legitimate basis to hold, but which must be controlled. Marc applies protections automatically — so that unauthorised access is restricted, and individuals who don't need to see personal data in full simply can't.
Protections are applied at the database level, meaning they work regardless of which application or tool is used to access the data. Development teams working with copies of production data are protected too — personal data can be substituted with realistic but non-identifiable values automatically.
Sensitive values are replaced automatically for users who don't have authorised access. Privileged users see full data.
Sensitive data is replaced with a secure token. The original value is stored in an encrypted vault, retrievable only by authorised processes.
Access to sensitive columns is controlled at the database level. Restricted roles see only what they need to perform their function.
Delete: systematic enforcement
of storage limitation.
The Storage Limitation principle in UK GDPR requires that personal data is not retained beyond the period for which it was collected. Knowing this obligation exists is straightforward. Actually enforcing it, at scale, across multiple databases, is where most organisations struggle.
R3 turns a policy obligation into a managed, repeatable process. Your compliance team defines a retention rule — for example, "delete customer records seven years after account closure" — and Marc evaluates that rule on an ongoing basis. When records become due for deletion, they are surfaced for review. Your team approves the deletion batch, and Marc carries it out. Every deletion is logged individually and permanently.
The Right to Erasure under Article 17 is also handled through the same mechanism. Consent withdrawal, objection to processing, or a specific deletion request can each trigger an R3 treatment, with the same controlled and audited deletion process.
Specify the trigger event and the retention period. Set once; applies to all future records.
Marc checks on schedule which records have passed their retention date.
Expired records are presented for approval before any action is taken.
Approved records are deleted. A permanent, immutable record of each deletion is created.
Every column. Every decision. All documented.
The value of the 3Rs isn't just in the individual decisions — it's in having a framework that covers everything. No column is left ungoverned. No data goes unassessed. When an auditor or regulator asks how you manage personal data, you have a clear, structured, evidence-backed answer.
How It Works
See how Marc discovers personal data, guides your team through decisions, and applies enforcement — end to end.
AlsoCompliance Coverage
Understand exactly which GDPR and DPA 2018 obligations Co.Marc helps you address, and the evidence it produces.
Get startedRequest a Demo
See the 3Rs in practice with a guided walkthrough using your own database environment.