UK Software Architecture Guide (2026)

🏗️ Architecture⚖️ FCA PS21/3🏥 NHS DTAC🔒 UK GDPR🆓 Free Review
March 202613 min readJames Whitmore, CTO

Direct Answer

UK regulated software architecture is shaped by three frameworks: FCA PS21/3 (IBS isolation — each Important Business Service must be independently resilient), NHS DTAC (data flow documentation — every data movement documented per domain), and UK GDPR Article 25 (Privacy by Design — personal data minimisation at architecture level). ClickMasters architects for all three from Sprint 1, not as a retrofit.

Architecture Decision Framework — UK Regulated Context

DecisionStart HereMove to This WhenUK Regulatory Driver
Monolith vs MicroservicesModular Monolith (always)Microservices when > 3 independent teams neededFCA PS21/3: IBS isolation; NHS DTAC: evidence complexity
Database strategySingle PostgreSQL (module schemas)Database per service when teams own dataUK GDPR Article 25: data minimisation + RLS
API style (internal)tRPC (TypeScript full-stack)REST + OpenAPI when non-TS consumersFCA/NHS/GDS: OpenAPI 3.0 for external APIs
ComputeECS Fargate (NHS/FCA), Lambda (events)Kubernetes when > 50 servicesNHS DTAC D3: VPC isolation; FCA PS21/3: consistent latency
AuthenticationAWS Cognito (regulated), Clerk (SaaS)Auth0 enterprise when complex MFA neededNHS NHS Login; FCA PS21/3: identity audit trail
CI/CDGitHub ActionsGitLab CI if self-hosted requiredCyber Essentials A2: 14-day CVE patching evidence
IaCAWS CDK TypeScriptTerraform for multi-cloudFCA PS21/3: CloudFormation change sets as audit trail
ObservabilityCloudWatch + X-RayDatadog for complex multi-serviceFCA PS21/3: IBS availability measurement; NHS DSP Toolkit

FCA PS21/3 Important Business Service (IBS) Architecture

ClickMasters PS21/3 architecture review: included in every FCA-regulated project. We map your IBSs, design the failure domains, and configure the Impact Tolerance monitoring before Sprint 1 feature development begins.

UK GDPR Data Architecture — Privacy by Design

GDPR RequirementArchitecture ImplementationTechnologyEvidence
Article 25 (Privacy by Design)No personal data collected unless required for stated purposeZod schema — strict() rejects extra fieldsZod schema reviewed in PR
Article 25 (Data Minimisation)Select only needed fields at query levelPrisma select: { field: true }Code review — no findMany({}) without select
Article 5(1)(e) (Storage Limitation)S3 lifecycle policy — delete after retention periodS3 lifecycle rules in CDKCloudFormation resource definition
Article 32 (Security)Encryption at rest + in transit + access controlKMS, TLS, IAM + RLSAWS Config compliance rules
Article 30 (ROPA)Data flow diagram documents all processingMermaid diagram in project repo + dbt DAGUpdated in every sprint with data changes
Article 17 (Right to Erasure)Erasure API endpoint per data subjectPostgreSQL RLS + soft delete → hard delete scheduleErasure API tested in CI/CD

Frequently Asked Questions

Common questions about uk software architecture guide (2026).

ClickMasters software architecture review: (1) sprint 1 architecture design (included in all ClickMasters projects — not billed separately — 2–5 days), (2) standalone architecture review of existing system (assessment of existing architecture for FCA PS21/3, NHS DTAC, or UK GDPR compliance): £3,500–£8,000 (2–4 weeks). Deliverables: architecture decision records (ADRs), IBS map (if FCA regulated), data flow diagram (DTAC/GDPR), identified risks and remediation roadmap. Architecture review ROI: typical UK software delivery failure involves £100,000–£500,000 wasted on wrong architecture choices. £5,000 architecture review prevents £200,000 rework — the most leveraged investment in a software project.

Modular Monolith: a single deployable application with clear internal module boundaries (enforced by code — not just convention). Module boundaries: (1) each module has its own folder (src/modules/payments/, src/modules/accounts/), (2) modules communicate via well-defined interfaces (exported service classes — not direct database access across module boundaries), (3) PostgreSQL schemas per module (payments schema, accounts schema — each module owns its tables), (4) no cross-module direct database queries (module A cannot query module B's tables — must call B's service interface). Why ClickMasters recommends it: (1) operational simplicity (one deployment, one CI/CD pipeline, one monitoring dashboard), (2) future-proof (module boundaries defined upfront — extract any module to microservice when justified, not before), (3) NHS DTAC simplicity (one DTAC evidence pack, one penetration test scope), (4) FCA PS21/3 simplicity (IBS boundaries enforced in code — same as microservices but without operational overhead).

About the Author

James Whitmore, CTO UK software architect — FCA PS21/3, NHS DTAC, UK GDPR by design ClickMasters architects every project for UK regulatory compliance from Sprint 1. Architecture is not a retrofit.

Free Architecture Review ClickMasters will review...

Free Architecture Review ClickMasters will review your architecture against FCA PS21/3, NHS DTAC, and UK GDPR requirements. → clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation