Key terms and definitions in compliance, data protection, cybersecurity, and corporate governance.
AI governance is the framework of policies, processes, roles, and controls that organizations implement to ensure artificial intelligence systems are developed and used responsibly, ethically, and in compliance with applicable regulations.
Algorithmic bias occurs when an AI or automated system produces systematically unfair outcomes that disproportionately affect certain groups based on characteristics like race, gender, age, or disability. It can arise from biased training data, flawed model design, or unrepresentative development processes.
Anti-Money Laundering refers to the laws, regulations, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income. AML compliance requires customer due diligence, transaction monitoring, suspicious activity reporting, and staff training.
An audit trail is a chronological record of system activities, user actions, and data changes that enables reconstruction and examination of events. Audit trails are essential for compliance documentation, incident investigation, and demonstrating regulatory adherence.
Breach notification is the legal obligation to report a personal data breach to the relevant supervisory authority and, in cases of high risk, to the affected individuals. Under GDPR, notification to the authority must occur within 72 hours of becoming aware of the breach.
Bribery is the act of offering, giving, receiving, or soliciting something of value to influence the actions of a person in a position of power or trust. It is a criminal offense in virtually every jurisdiction, with major laws including the US FCPA, UK Bribery Act, and EU anti-corruption framework.
Business continuity is an organization's ability to maintain essential functions during and after a disruption — whether from cyberattacks, natural disasters, pandemics, or supply chain failures. It encompasses planning, preparedness, response, and recovery activities.
The California Consumer Privacy Act, as amended by the CPRA, is a comprehensive US state privacy law that grants California residents rights over their personal information, including the right to know, delete, opt out of sale, and non-discrimination. It applies to businesses meeting revenue, data volume, or data sale thresholds.
A code of conduct is a formal document that outlines the ethical principles, behavioral expectations, and compliance obligations that apply to all employees, directors, and sometimes contractors and partners of an organization.
Compliance is the practice of ensuring that an organization adheres to applicable laws, regulations, standards, and internal policies. It encompasses regulatory compliance, corporate governance, ethics, risk management, and internal controls across all business operations.
Compliance monitoring is the ongoing process of evaluating whether an organization's activities, policies, and procedures conform to applicable laws, regulations, and internal standards. It includes regular testing, auditing, key risk indicator tracking, and reporting to management and regulators.
A conflict of interest occurs when an individual's personal interests — financial, familial, or otherwise — could improperly influence or appear to influence their professional judgment or decisions. In compliance, managing conflicts is essential to prevent fraud, corruption, and breaches of fiduciary duty.
Under GDPR, consent is a freely given, specific, informed, and unambiguous indication of a data subject's wishes, by which they agree to the processing of their personal data. Consent must be demonstrable and as easy to withdraw as it is to give.
Consumer rights are the legal protections that ensure fair treatment, safety, accurate information, and recourse for individuals who purchase goods and services. They include the right to safety, the right to information, the right to choose, and the right to be heard.
Cookie consent is the requirement to obtain a website visitor's informed, freely given permission before setting non-essential cookies or similar tracking technologies. Under EU law (ePrivacy Directive + GDPR), consent must be active opt-in — pre-ticked boxes and implied consent are invalid.
Corporate governance is the system of rules, practices, and processes by which a company is directed and controlled. It defines the relationships between the board of directors, management, shareholders, and other stakeholders, ensuring accountability, transparency, and ethical decision-making.
A cross-border data transfer is the movement of personal data from one country or jurisdiction to another. Under GDPR, transferring personal data outside the European Economic Area requires specific safeguards such as adequacy decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules.
Cybersecurity is the practice of protecting systems, networks, devices, and data from digital attacks, unauthorized access, and damage. It encompasses technology, processes, and people controls designed to defend against threats like malware, phishing, ransomware, and insider attacks.
A data breach is a security incident in which personal, confidential, or protected information is accessed, disclosed, altered, or destroyed without authorization. Data breaches can result from cyberattacks, human error, system vulnerabilities, or insider threats.
A data controller is the entity (person, company, or organization) that determines the purposes and means of processing personal data. The controller bears primary responsibility for GDPR compliance.
Data minimization is a core GDPR principle requiring that personal data collected must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
A data processor is an entity that processes personal data on behalf of a data controller, following the controller's documented instructions. Processors include cloud providers, payroll services, email platforms, and any third party handling data for another organization.
Data protection is the set of legal frameworks, policies, and technical measures designed to safeguard personal data from unauthorized access, misuse, loss, or destruction. It ensures individuals maintain control over how their information is collected, processed, stored, and shared.
A data subject is any identified or identifiable natural person whose personal data is being collected, held, or processed. Under GDPR, data subjects have specific rights including access, rectification, erasure, portability, and the right to object to processing.
Diversity, Equity, and Inclusion is an organizational framework that promotes the representation (diversity) of different groups, ensures fair treatment and access to opportunities (equity), and creates an environment where all individuals feel valued and able to participate fully (inclusion).
DORA is an EU regulation that establishes a comprehensive framework for digital operational resilience in the financial sector. It requires financial entities to manage ICT risks, report incidents, test resilience, and oversee third-party ICT providers.
A Data Protection Impact Assessment is a structured process to identify and minimize the data protection risks of a project or processing activity. DPIAs are mandatory under GDPR when processing is likely to result in high risk to individuals' rights and freedoms.
A Data Protection Officer is an independent expert appointed by an organization to oversee compliance with data protection laws, advise on obligations, and serve as the contact point for supervisory authorities and data subjects.
Due diligence is the process of investigating, verifying, and evaluating a person, company, or transaction before entering into a business relationship or agreement. In compliance, it covers customer due diligence (AML), vendor due diligence, M&A due diligence, and regulatory due diligence.
ESG refers to the three central pillars used to evaluate a company's sustainability and ethical impact. Environmental covers climate and resource use; Social covers labor practices, diversity, and community impact; Governance covers board structure, ethics, and transparency.
An ethical dilemma is a situation where a person must choose between two or more conflicting moral principles, where following one principle means violating another. In the workplace, ethical dilemmas arise when business pressures conflict with legal obligations, company values, or personal integrity.
The EU AI Act is the world's first comprehensive legal framework for artificial intelligence, establishing rules based on risk levels — from prohibited practices to transparency obligations — that apply to providers, deployers, and importers of AI systems in the European Union.
A gap analysis is a systematic assessment that compares an organization's current practices against the requirements of a regulation, standard, or framework to identify areas of non-compliance or weakness that need to be addressed.
The General Data Protection Regulation is the European Union's comprehensive data protection law that governs how organizations collect, store, process, and share personal data of individuals in the European Economic Area.
Under the EU AI Act, high-risk AI systems are those used in sensitive areas like biometrics, critical infrastructure, employment, credit scoring, and law enforcement. They face the strictest compliance requirements including risk management, technical documentation, human oversight, and conformity assessments.
HIPAA is a US federal law that establishes national standards for protecting the privacy and security of individuals' health information. It applies to healthcare providers, health plans, clearinghouses, and their business associates.
A hostile work environment exists when unwelcome conduct based on a protected characteristic (race, sex, religion, disability, age, etc.) is severe or pervasive enough to create a work environment that a reasonable person would consider intimidating, hostile, or abusive.
Incident response is the organized approach to preparing for, detecting, containing, eradicating, and recovering from security incidents and data breaches. An effective incident response plan minimizes damage, reduces recovery time, and ensures regulatory compliance.
Insider trading is the buying or selling of securities based on material, non-public information (MNPI) in breach of a duty of trust or confidence. It is illegal in virtually every jurisdiction and carries severe criminal and civil penalties.
ISO 27001 is the international standard for Information Security Management Systems (ISMS). It provides a systematic framework for managing sensitive information through risk assessment, security controls, and continuous improvement, and is the most widely recognized information security certification worldwide.
Multi-factor authentication is a security mechanism that requires users to provide two or more verification factors to access an account or system. Factors include something you know (password), something you have (phone/token), and something you are (biometrics).
Microaggressions are brief, everyday verbal or behavioral slights — whether intentional or unintentional — that communicate hostile, derogatory, or negative messages to members of marginalized groups. They differ from overt discrimination in that they are often subtle and can be committed without conscious awareness.
Money laundering is the process of making illegally obtained money appear legitimate by moving it through a series of transactions or business activities. It typically involves three stages: placement, layering, and integration.
A Politically Exposed Person is an individual who holds or has held a prominent public function — such as head of state, senior politician, military officer, or state-owned enterprise executive — and is considered higher risk for bribery and corruption due to their position and influence.
Personal data is any information relating to an identified or identifiable natural person. This includes names, email addresses, IP addresses, location data, cookie identifiers, and any other information that can directly or indirectly identify an individual.
Phishing is a type of cyberattack where attackers impersonate trusted entities through email, text messages, or websites to trick individuals into revealing sensitive information such as passwords, credit card numbers, or personal data.
A privacy policy is a legal document that explains how an organization collects, uses, stores, shares, and protects personal data. It is required by virtually every data protection law worldwide and must be written in clear, accessible language.
Ransomware is a type of malicious software that encrypts an organization's data or systems and demands payment (a ransom) for the decryption key. Modern ransomware attacks often include data theft and threats to publish stolen data (double extortion).
Records of Processing Activities is a mandatory GDPR documentation requirement (Article 30) that obligates organizations to maintain a detailed written record of all personal data processing activities, including purposes, data categories, recipients, retention periods, and security measures.
Regulatory compliance is the process of ensuring that an organization adheres to the laws, regulations, guidelines, and specifications set by government authorities and regulatory bodies relevant to its industry and operations.
Retaliation in the workplace occurs when an employer takes adverse action against an employee for engaging in a legally protected activity, such as filing a discrimination complaint, reporting a safety violation, participating in an investigation, or whistleblowing.
The right to erasure, also known as the right to be forgotten, allows individuals to request the deletion of their personal data when it is no longer necessary, when consent is withdrawn, or when processing is unlawful.
A risk assessment is a systematic process of identifying potential hazards or threats, evaluating their likelihood and impact, and determining appropriate measures to mitigate or manage the risks. In compliance, risk assessments are required by GDPR, NIS2, AML regulations, and most governance frameworks.
A risk management framework is a structured approach for identifying, assessing, mitigating, and monitoring risks across an organization. Common frameworks include NIST RMF, ISO 31000, COSO ERM, and the Three Lines Model, each providing methodologies for systematic risk governance.
Sanctions are restrictive measures imposed by governments or international bodies against countries, entities, or individuals to achieve foreign policy or national security objectives. Sanctions compliance requires organizations to screen transactions, customers, and business partners against sanctions lists.
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. In cybersecurity, it exploits human trust, authority, urgency, and helpfulness rather than technical vulnerabilities.
The Sarbanes-Oxley Act is a US federal law enacted in 2002 that establishes requirements for financial reporting, internal controls, and corporate governance for publicly traded companies. It was passed in response to major accounting scandals at Enron, WorldCom, and Tyco.
A Subject Access Request is a formal request by an individual (data subject) to obtain a copy of all personal data an organization holds about them, along with information about how that data is processed. Organizations must respond within one month under GDPR.
A Suspicious Activity Report is a mandatory filing submitted by regulated entities to their national Financial Intelligence Unit when they detect transactions or activities that may indicate money laundering, terrorism financing, fraud, or other financial crime.
Third-party risk management (TPRM) is the process of identifying, assessing, and controlling risks arising from an organization's relationships with external vendors, suppliers, contractors, and service providers who have access to its data, systems, or operations.
The Three Lines Model (formerly Three Lines of Defense) is a governance framework developed by the Institute of Internal Auditors (IIA) that clarifies roles and responsibilities for risk management and compliance across three organizational functions: management, oversight functions, and internal audit.
A whistleblower is an individual who reports illegal, unethical, or non-compliant activities within an organization to internal channels, regulatory authorities, or the public. Both EU and US law provide protections against retaliation for whistleblowers who report in good faith.
Workplace harassment is unwelcome conduct based on a protected characteristic that affects a person's employment, unreasonably interferes with their work performance, or creates an intimidating, hostile, or offensive work environment. It includes sexual harassment, racial harassment, and other forms of discriminatory behavior.
Workplace safety encompasses the policies, procedures, and practices designed to protect employees from hazards, injuries, illnesses, and fatalities in the work environment. It is governed by regulations like OSHA in the US and the EU Framework Directive on Safety and Health at Work.