About This Glossary
This glossary contains definitions of key terms in compliance, data protection, cybersecurity, and corporate governance. It is designed for professionals who need to understand the regulatory requirements that apply to business operations.
A
AML (Anti-Money Laundering)
Definition: AML refers to laws, regulations, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income. AML compliance is mandatory for financial institutions, including know-your-customer (KYC) requirements and suspicious activity reporting.
Audit Trail
Definition: A chronological record of system activities that enables the reconstruction and examination of a sequence of events. Essential for compliance documentation and incident investigation.
B
Breach Notification
Definition: The process of informing relevant parties (regulators, affected individuals) about a data breach. Under GDPR, organizations must notify supervisory authorities within 72 hours of becoming aware of a personal data breach.
Business Continuity
Definition: An organization's ability to maintain essential functions during and after a disaster. NIS2 requires covered entities to implement business continuity plans including backup management and disaster recovery.
C
CCPA (California Consumer Privacy Act)
Definition: California's data privacy law giving consumers rights over their personal information. Similar to GDPR, it provides the rights to know, to delete, and to opt out of the sale of personal information.
Compliance
Definition: Compliance is the act of conforming to laws, regulations, standards, and internal policies. A compliance program includes identifying obligations, implementing controls, and continuous monitoring of adherence.
Consent (GDPR)
Definition: One of six legal bases for processing personal data under GDPR. Valid consent must be freely given, specific, informed, and unambiguous. Data subjects can withdraw consent at any time.
Controller (Data Controller)
Definition: Under GDPR, the natural or legal person that determines the purposes and means of processing personal data. The controller is responsible for GDPR compliance and must be able to demonstrate it.
D
Data Breach
Definition: A security incident resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Must be reported to authorities within 72 hours under GDPR if it poses a risk to individuals' rights.
Data Minimization
Definition: A GDPR principle requiring that personal data collected must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Data Subject
Definition: Under GDPR, a data subject is an identified or identifiable natural person whose personal data is being processed. Data subjects have rights including access, rectification, erasure, and portability.
DPO (Data Protection Officer)
Definition: A person responsible for overseeing an organization's GDPR compliance. Mandatory for public authorities, organizations conducting large-scale systematic monitoring, and those processing special categories of data at large scale.
DORA (Digital Operational Resilience Act)
Definition: EU regulation establishing ICT risk management requirements for the financial sector. Covers ICT risk management, incident reporting, resilience testing, and third-party risk management.
E
ESG (Environmental, Social, Governance)
Definition: Three key factors for measuring the sustainability and ethical impact of a company: Environmental (E), Social (S), and Governance (G). Increasingly important for investors, regulators, and stakeholders.
Essential Entity
Definition: Under NIS2, essential entities are large entities (250+ employees or >€50M turnover) in sectors of high criticality. Subject to proactive supervision with fines up to €10 million.
F
FCPA (Foreign Corrupt Practices Act)
Definition: U.S. law prohibiting bribery of foreign officials. Has extraterritorial reach and applies to companies listed on U.S. exchanges or doing business in the U.S. Penalties can reach hundreds of millions of dollars.
G
Gap Analysis
Definition: The process of comparing current compliance status against regulatory requirements to identify gaps that need to be addressed. A critical first step in any compliance project.
GDPR (General Data Protection Regulation)
Definition: EU regulation governing the processing of personal data of individuals. In effect since May 25, 2018. Establishes processing principles, data subject rights, controller obligations, and fines up to €20 million or 4% of global turnover.
H
HIPAA (Health Insurance Portability and Accountability Act)
Definition: U.S. law protecting the privacy and security of health information. Establishes Privacy Rule, Security Rule, and Breach Notification Rule. Violations can result in fines up to $1.9 million per violation category.
I
Important Entity
Definition: Under NIS2, important entities are medium and large entities in all covered sectors that do not meet the criteria for essential entities. Subject to reactive supervision with fines up to €7 million.
Incident (Cyber)
Definition: An event that threatens the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or services. Under NIS2, significant incidents must be reported within 24 hours.
L
Legitimate Interest
Definition: One of six legal bases for processing personal data under GDPR (Article 6(1)(f)). Used when a controller has a justified interest in processing that is not overridden by the data subject's rights. Requires conducting a balancing test.
M
MFA (Multi-Factor Authentication)
Definition: Security mechanism requiring two or more verification factors to gain access to a resource. NIS2 explicitly requires MFA or continuous authentication where appropriate.
N
NIS2 (Network and Information Security Directive 2)
Definition: EU cybersecurity directive replacing the 2016 NIS1 directive. Expands obligations to 18 sectors, introduces stricter penalties (up to €10M), and establishes management liability. Transposition deadline: October 2024.
P
Personal Data
Definition: Under GDPR, personal data is any information relating to an identified or identifiable natural person. Includes: name, address, email, IP address, location data, genetic data, biometric data, and other identifiers.
Phishing
Definition: A type of cyberattack where attackers use deceptive messages (email, SMS, calls) to trick victims into revealing sensitive information or installing malware. Responsible for 90% of successful cyberattacks.
Processing (Data)
Definition: Any operation performed on personal data: collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
Processor (Data Processor)
Definition: Under GDPR, a processor is a natural or legal person that processes personal data on behalf of the controller. Must only act on documented instructions from the controller and implement appropriate security measures.
R
Ransomware
Definition: Malicious software that encrypts a victim's data and demands a ransom payment for the decryption key. One of the most significant cybersecurity threats to organizations.
Right to Erasure ("Right to be Forgotten")
Definition: Under GDPR Article 17, data subjects have the right to request deletion of their personal data in certain circumstances. Controllers must erase data without undue delay unless exceptions apply.
S
Social Engineering
Definition: Manipulation technique where attackers exploit human psychology (trust, fear, urgency) to trick victims into actions that compromise security. Phishing is the most common form.
SOX (Sarbanes-Oxley Act)
Definition: U.S. law establishing requirements for public company boards, management, and accounting firms. Section 404 requires management assessment of internal controls over financial reporting.
Subject Access Request (SAR)
Definition: A request by a data subject to access their personal data under GDPR Article 15. Controllers must respond within 30 days with a copy of the data and information about processing.
T
Third-Party Risk
Definition: The potential risk posed by vendors, suppliers, and other external parties that have access to an organization's systems or data. NIS2 explicitly requires supply chain security risk management.
W
Whistleblower
Definition: A person who reports misconduct (corruption, legal violations, health or environmental dangers) within an organization or to authorities. The EU Whistleblower Directive ensures protection from retaliation.
Need Compliance Training?
CompliQuest offers online courses covering GDPR, NIS2, anti-corruption, cybersecurity awareness, and other compliance topics. Our courses help organizations educate employees and meet regulatory training requirements.
Definitions in this glossary serve as an informational guide and do not constitute legal advice.