
2024: Updated Compliance Glossary

In this Compliance Glossary, we begin a journey through the Compliance and Data Protection functions by defining some of the related terms. This is not intended to be a dictionary in the purest style of the RAE. The intention is to convey the meaning of some concepts that bring us closer to these disciplines in a simpler and easier way, so that all of us can better understand what they mean and make our immersion in them more enjoyable.

It's always difficult to start a post or a short article, and this one was no different. That's why we'll begin with terms we all have in mind when we talk about Compliance and Data Protection. This will surely give us the confidence to continue reading future posts, as we'll self-assess our knowledge of these concepts.

Glossary of Terms: COMPLIANCE

Compliance

To begin with, as it could not be otherwise, we will define the term "Compliance". When we refer to "Compliance", we are not just talking about complying; we are also referring to the set of procedures, policies, and protocols of an organization that ensure it complies with the laws that apply to its activity. In other words, it is the regulatory compliance that guarantees legal certainty when conducting business. But be careful: not only with the regulations that apply to it, but also with internal regulations, also known as self-regulation.

Self-regulation

And since we're at it, taking advantage of the inertia, let's define "Self-regulation". If we have seen that an organization is subject not only to positive law but also to internal regulations, we can then say that self-regulation is the regulation voluntarily self-imposed by the organization to reinforce its values, principles, and good practices, thus guaranteeing and securing compliance with the regulations applicable to its activity.

Given these two definitions, one conclusion we can draw is that both kinds of regulation, the "legal" and the "voluntary", feed back into each other and strengthen the organization in the face of potential adversities it may face. Of course, both are mandatory, as the saying goes.

Governing Body

The third definition that we may encounter in this introductory context is that of the "Governing body". This body is the highest authority in any organization; it sets the company's leadership style and strategy, and it does so through various initiatives.

One of them is ensuring that the Compliance Program meets the requirements, meaning those established by law and other regulations applicable to the activity or business. Having to ensure this gives it the greatest responsibility for any non-compliance that may occur. Therefore, an organization that has the full and complete commitment of its governing body to a culture of doing things right is on the path to success, although this does not mean that undesirable situations, or situations contrary to expectations, cannot arise.

Data Protection: The Data

Now, let's change gears and get into the Protection of Personal Data, which of course is closely linked to Compliance, something that goes without saying at this point, following the strong emergence of Compliance in recent years. And it's best to start with what may be more obvious but no less important. I'm referring to what "Data" is, no more, no less.

Data

If we take into account the current moment, the importance of data is absolute, to the point of being considered "the oil of our day". Those who described it that way were not wrong, of course, leaving aside Artificial Intelligence. But we'll talk about that later.

Article 4 of the General Data Protection Regulation defines personal data as "any information relating to an identified or identifiable natural person." Such information does not need to be in writing; it can also take the form of an audio recording, or a photograph, for example.

Identifiable Person

And having said that, what does "identifiable person" mean? Let us use this question to arrive at the fifth definition of this article.

Well then, an identifiable person is a person who can be identified through what is known as an identifier, that is, an aspect or factor that has a close and specific relationship to that particular person, such as a name, an identification number, an email address, or a physical characteristic.

Tone at the top

Let's dive into the Anglicism "Tone at the top", so frequently used when we want to place responsibility within an organization.

Well, this simply means that the commitment to ethical management, truly supported by a compliance program, resides "in the head," "up top." To put it more clearly, in the people who lead and are in positions of command.

Indeed, if there is no commitment above, if there is no "tone" set at the top, nothing will be achieved, since everything emanates from there, and from there on down. Simple!

Exemplariness

Starting from this, we can move towards another concept that would be useful, and I think very much so, for soaking up this commitment at the different levels of a company: "Exemplariness". This concept is no longer a mere declaration of intent, or a written commitment, and nothing more. On the contrary, it requires a lot of practice and daily exercise to maintain it, because it's no good being exemplary one day and then not being so for a month, for example. You either are or you aren't.

But half-measures create uncertainty, and in the business world, a half-baked example is not a good example. Setting an example as a leader, regardless of the hierarchical level, is one of the greatest strengths in the business world, whether for achieving goals or managing teams. Even the latter, through good example, can be done in a delegated, shared, and responsible manner, almost unnoticed. That is, silently. Let's not forget that auctoritas is not the same thing as potestas.

Compliance Function

If we said that Compliance was to comply, including the set of procedures, policies and protocols of an organization that ensure it complies with the laws that apply to its activity, the "Compliance Function" is that "part" of the organization that ensures this is fulfilled. This is what is truly new these days from a global perspective, rather than a sectoral one as was the case before the various reforms to the Penal Code that have taken place since 2010.

What previously existed only in those heavily regulated sectors has now spread to any organization and any sector. Hence the "flood" of information on the matter. This function deploys a series of actions, all aimed at properly implementing the Compliance program in an organization: advising, training, raising awareness, auditing, monitoring, reviewing, etc.

Anonymization and Pseudonymization

"Anonymization" is the action by which personal data is completely separated (some say unlinked) from the identifying data of a person or individual, making it impossible to identify them through the newly generated anonymized data. This is what the AEPD has called "the breaking of the chain of identification of people".

An example of such data could be population surveys in percentages, without being able to identify the people who participated. In the case of a whistleblower channel, for example, would it be necessary to anonymize the data to extract statistical information? We would have to consider the status of the cases involved, whether they are open or closed, among other things. But this is beyond the scope of this glossary, although I offer you a good topic for reflection.

"Pseudonymization", however, also separates all identifying data, but the data generated as pseudonymous retains additional information (data) that makes it possible to identify people again; that is, it is a reversible process. In this case, the best-known example is the replacement of names by a code, as a pseudonym. By knowing who that assigned code corresponds to, we would know the identity.
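The distinction above, shown as working code. This is an added example, not code from the original post or the AEPD: it pseudonymizes constructed survey records by swapping the identifying fields for a random code kept in a separate key table (reversible), and anonymizes the same records by aggregating them into percentages with no link back to anyone (irreversible).

```python
import secrets
from collections import Counter

# Constructed sample records; these are not real people.
SURVEY = [
    {"name": "Ana Perez", "email": "ana@example.org", "city": "Madrid", "answer": "yes"},
    {"name": "Luis Gil", "email": "luis@example.org", "city": "Sevilla", "answer": "no"},
    {"name": "Marta Ruiz", "email": "marta@example.org", "city": "Madrid", "answer": "yes"},
    {"name": "Pedro Sanz", "email": "pedro@example.org", "city": "Bilbao", "answer": "yes"},
]
IDENTIFIERS = ("name", "email")  # fields that identify the person


def pseudonymize(records):
    """Replace the identifying fields with a random code.

    Returns the pseudonymized records and a separate key table mapping each
    code back to the identity; the key table is what makes this reversible.
    """
    key_table = {}
    out = []
    for rec in records:
        code = "P-" + secrets.token_hex(4)
        key_table[code] = {f: rec[f] for f in IDENTIFIERS}
        out.append({"subject": code,
                    **{k: v for k, v in rec.items() if k not in IDENTIFIERS}})
    return out, key_table


def reidentify(pseudo_records, key_table):
    """Undo the pseudonymization; only whoever holds the key table can do this."""
    return [{**key_table[r["subject"]],
             **{k: v for k, v in r.items() if k != "subject"}}
            for r in pseudo_records]


def anonymize(records, field):
    """Aggregate one field into percentages; no identifier or per-person row survives."""
    counts = Counter(rec[field] for rec in records)
    total = sum(counts.values())
    return {value: round(100 * n / total, 1) for value, n in counts.items()}


def contains_identifiers(rows):
    """Check that no identifying field leaked into an output data set."""
    return any(f in row for row in rows for f in IDENTIFIERS)
```

Because the key table reverses the process, the pseudonymized records are still personal data and must be protected accordingly; only the aggregated output has the chain of identification broken.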

As we can see, the world of compliance and data protection is very rich in concepts and terms, which it's a good idea to at least understand, even if we end up referring to texts to refresh their meaning when we need to use them. But it won't be the same, as we'll already be familiar with the context and will be able to apply them more accurately than incorrectly.

We hope this simple glossary is useful—at least it aims to be—and its quick and easy reading will surely help make it so.

Inherent risk and residual risk

What would the Compliance function be if we didn't talk about risks? Well, it certainly wouldn't be a function, since the main purpose of the function is to identify risks and establish control measures for their rejection, acceptance, mitigation, or transfer. That said, let's talk about "inherent risk" and "residual risk", also known as gross risk and net risk.

Using both expressions we can easily define what each of them consists of. Thus, inherent risk is the gross risk that every organization has by the mere fact of being a company or entity: the sector to which it belongs, the activity it carries out, the people with whom it interacts, the sales channels used, whether it operates in one territory or several, whether it maintains relations or activities with the public administrations (AAPP) at any level (national, regional or local)... That is, it is the risk to which an entity is exposed without taking into account the means or defense mechanisms it could have to combat it. In this way, the real exposure of a company to the possible risks and dangers that threaten it per se is better known. Knowing this risk implies a huge and generous effort, since it requires setting aside the methodology adopted by the organization for risk management and "ignoring" all the good that the organization does to manage those risks.

By contrast, the residual risk is the net risk resulting from applying the company's existing controls to the inherent risks, thereby obtaining the final risk that the organization would have to face. However, this residual risk may not be acceptable to the organization (what is known as "risk appetite"), which will lead it to implement or define new controls or measures to reduce it even further, until achieving a tolerable risk that can be controlled and/or managed, that is, assumed. Of course, there will be factors or aspects to take into account when deciding to implement new controls, since doing so may entail operational or economic harm to the company if it cannot undertake the investment due to lack of resources. This will require considering whether the risk appetite should be greater than desired or, if the risk is not wanted for fear of the fatal consequences that could arise, abandoning the idea of assuming the risk and choosing to reject it.

These two risks are what any organization uses to build the corresponding risk matrix, from which the well-known Company Risk Map emerges, offering an accurate picture of the degree of risk to which an organization is exposed in its management, and which it must address in order to control it and thus become a profitable, safe and sustainable company.

DPO glossary

Responsible and in charge

Now let's move on to the other area that is part of this simple glossary, which is Personal Data Protection. This time we bring the terms "Responsible" and "In charge" of the processing of personal data. When you first hear about data protection, you immediately hear these two concepts: data controller and data processor. Why is that? Simple. They are the key figures in this area, along with the Data Protection Officer.

The responsibility of each of these two figures is established in the applicable regulations, and although they may have many similarities, they are actually more different than they seem. While the Data Controller is the person or authority with sole responsibility for the processing activity, the Data Processor is a natural or legal person or authority that accesses and processes personal data on behalf of the Controller, who remains responsible for it. In short, they are differentiated based on the functions each holds.

The Controller's task is to decide how to process the personal data they will collect: the reason for requesting it, the purpose for which it is requested, what data is necessary, how long it will be retained, what controls must be adopted, etc. In other words, they are in control of the data. The Processor, on the other hand, is the one who processes the data based on the instructions provided by the Controller. In other words, they execute the Controller's orders and instructions for processing the data.

The Controller is always responsible for the personal data processed. Therefore, the relationship between both entities must be outlined in their respective contracts, which establish the obligations for each of them, so that the role of each party in the processing of personal data is clearly regulated.
