Technical Debt Categories — UK Engineering Context
| Category | Description | UK Compliance Risk | Typical Cost to Fix |
|---|---|---|---|
| Security debt | Known vulnerabilities not patched, outdated dependencies | Cyber Essentials failure, ICO fine risk | £5K–£50K remediation |
| Architecture debt | Monolith that needs to scale, missing service boundaries | FCA PS21/3 Impact Tolerance risk | £50K–£200K re-architecture |
| Test debt | Low test coverage, no CI/CD, manual QA only | NHS DTAC Domain 3 evidence gap | £15K–£60K test suite build |
| GDPR debt | No consent management, excessive data retention, missing DSAR tooling | ICO enforcement, fines up to 4% global turnover | £8K–£40K compliance implementation |
| Accessibility debt | WCAG 2.1 AA failures, no screen reader testing | Equality Act, GDS/NHS non-compliance | £10K–£50K audit and remediation |
| Documentation debt | No API docs, no runbooks, no architecture diagrams | FCA audit gap, knowledge risk | £5K–£25K documentation sprint |
| Infrastructure debt | Manual deployments, no IaC, outdated OS/runtime | Cyber Essentials patching failure | £15K–£60K DevOps modernisation |
How to Quantify Technical Debt in GBP
Total Technical Debt Cost Example: £10M turnover SaaS, 8-person team with high debt. Velocity loss: £18,000/quarter. Defect cost: £12,000/quarter. Compliance risk: £20,000/quarter. Total: £50,000/quarter = £200,000/year. Fix cost: £60,000 (one-time). Payback: under 4 months.
Refactor vs Rewrite — UK Decision Framework
| Situation | Recommendation | Rationale |
|---|---|---|
| Legacy system: core logic sound, UI outdated | Refactor | Preserve working business logic — rewrite risk unnecessary |
| Legacy system: core logic wrong/unmaintainable | Rewrite | Refactoring broken foundations = expensive failure |
| Monolith needing partial scaling | Strangler Fig extraction | Extract only the components that need to scale — not a full rewrite |
| End-of-life platform (Magento 1, PHP 5) | Rewrite/migration | Security risk + no patches = compliance debt accumulating daily |
| Working system, just slow | Refactor hot paths only | Profile first — 80% of performance issues in 20% of code |
| FCA/NHS compliance gaps in legacy | Targeted compliance refactor | Compliance gaps cannot wait — address specifically with minimum disruption |
Compliance Debt — UK-Specific Priority
UK GDPR DSAR tooling: ICO enforcement of DSAR response deadlines is increasing. If you cannot respond to DSARs in 30 days, this is urgent debt.
Cyber Essentials expiry: if your Cyber Essentials certificate has expired or has never been obtained, NHS and government contract bids are blocked until remediated.
FCA Consumer Duty (ongoing): each annual Consumer Duty review cycle reveals new debt. Value assessments, outcome monitoring, and vulnerable customer frameworks require continuous investment.
NHS DTAC re-assessment: DTAC assessments have validity periods. Technology changes trigger re-assessment. Backlog of compliance evidence is technical debt.
UK compliance debt is uniquely urgent because regulatory deadlines are immovable. Current high-priority compliance debt triggers in the UK: