Co.Marc Governance Framework

The 3Rs

A clear, consistent framework for every piece of personal data your organisation holds. One deliberate decision per finding. No ambiguity. No ungoverned columns.

R1 — Retain R2 — Manage R3 — Delete
Why the 3Rs?

Every column needs an answer.

GDPR doesn't allow vagueness. You must be able to justify holding any personal data, protect it appropriately, and delete it when retention periods expire. The challenge for most organisations isn't understanding the obligation — it's making it manageable across hundreds of tables and thousands of columns.

The 3Rs give your team a shared language and a systematic approach. Every piece of personal data gets exactly one of three treatment designations. Once a decision is made, it's documented, attributed, and enforced.

R1
Retain

Low-risk data. Keep as-is. Decision documented, no enforcement action required.

R2
Manage

Sensitive data that must be kept. Protection applied — access controlled, masked, or secured.

R3
Delete

Data that must go. Retention trigger defined. Deletion scheduled, reviewed, and logged.

R1
Retain
This data needs no action.
Decision documented and attributed
No operational disruption
Reviewable as data changes over time
Part of complete audit evidence

Retain: a deliberate decision,
not the absence of one.

Not every column in a database carries meaningful privacy risk. Order IDs, status codes, system-generated references, lookup values — these are the kinds of data where holding them is entirely reasonable and presents no significant compliance concern.

R1 doesn't mean you've done nothing. It means you've looked at the data, assessed the risk, and made an informed, documented decision that no treatment is required. That assessment is recorded, attributed to the person who made it, and forms part of your compliance audit trail.

The practical value is significant. R1 allows your team to work through findings systematically and move quickly on low-risk data — saving time and attention for the columns that genuinely need more careful handling.

Typical R1 columns
AccountId OrderStatus CreatedDate ProductCode InvoiceRef Region CurrencyCode

Manage: protect the data
your business needs to keep.

Much of the personal data held by organisations is there for a legitimate reason — customer names for account management, email addresses for service delivery, national insurance numbers for payroll. GDPR doesn't require you to delete it; it requires you to protect it appropriately.

R2 is the treatment designation for data that you have a legitimate basis to hold, but which must be controlled. Marc applies protections automatically — so that unauthorised access is restricted, and individuals who don't need to see personal data in full simply can't.

Protections are applied at the database level, meaning they work regardless of which application or tool is used to access the data. Development teams working with copies of production data are protected too — personal data can be substituted with realistic but non-identifiable values automatically.

Protection approaches
Dynamic masking

Sensitive values are replaced automatically for users who don't have authorised access. Privileged users see full data.

Encrypted vault

Sensitive data is replaced with a secure token. The original value is stored in an encrypted vault, retrievable only by authorised processes.

Restricted views

Access to sensitive columns is controlled at the database level. Restricted roles see only what they need to perform their function.

Typical R2 columns
FullName EmailAddress PhoneNumber NationalInsuranceNo BankSortCode DateOfBirth HomeAddress
R2
Manage
Keep it — but control access to it.
Protections applied automatically
Works at database level, not application
Dev & test environments protected too
Reversible with appropriate authority
R3
Delete
Remove it when the time comes.
Retention rule defined once
Evaluated automatically on schedule
Operator reviews before deletion
Every deletion permanently logged

Delete: systematic enforcement
of storage limitation.

The Storage Limitation principle in UK GDPR requires that personal data is not retained beyond the period for which it was collected. Knowing this obligation exists is straightforward. Actually enforcing it, at scale, across multiple databases, is where most organisations struggle.

R3 turns a policy obligation into a managed, repeatable process. Your compliance team defines a retention rule — for example, "delete customer records seven years after account closure" — and Marc evaluates that rule on an ongoing basis. When records become due for deletion, they are surfaced for review. Your team approves the deletion batch, and Marc carries it out. Every deletion is logged individually and permanently.

The Right to Erasure under Article 17 is also handled through the same mechanism. Consent withdrawal, objection to processing, or a specific deletion request can each trigger an R3 treatment, with the same controlled and audited deletion process.

1
Rule defined

Specify the trigger event and the retention period. Set once; applies to all future records.

2
Continuous evaluation

Marc checks on schedule which records have passed their retention date.

3
Operator review

Expired records are presented for approval before any action is taken.

4
Deletion & audit log

Approved records are deleted. A permanent, immutable record of each deletion is created.

Example retention triggers
AccountClosedDate + 7 years ApplicationRejectedDate + 12 months ConsentWithdrawnDate + 30 days ContractEndDate + 6 years
One Framework, Complete Coverage

Every column. Every decision. All documented.

The value of the 3Rs isn't just in the individual decisions — it's in having a framework that covers everything. No column is left ungoverned. No data goes unassessed. When an auditor or regulator asks how you manage personal data, you have a clear, structured, evidence-backed answer.

Framework decision
Data type
Action taken
Audit evidence
Ongoing review
R1 Retain
Low-risk operational data
None required
Decision recorded, attributed
R2 Manage
Sensitive personal data
Protection enforced
Decision + enforcement log
R3 Delete
Retention-bound data
Scheduled deletion
Decision + per-record deletion log