October 6, 2025

General Data Protection Regulation (GDPR)

GDPR stands for General Data Protection Regulation, a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
  • The GDPR aims to give control back to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
  • It applies to all companies processing the personal data of individuals residing in the EU, regardless of the company's location.
  • The regulation requires organisations to implement appropriate technical and organisational measures to ensure the security of personal data.
The GDPR was implemented on May 25, 2018, replacing the 1995 Data Protection Directive. The regulation is designed to protect the privacy and personal data of individuals residing in the EU by enforcing strict rules on how their data can be collected, processed, and stored by organisations. The GDPR applies to all companies processing the personal data of individuals residing in the EU, regardless of where the company is located.

The key principles of the GDPR include:

  • Personal data must be processed lawfully, fairly, and transparently.
  • Data collection must be limited to what is necessary for the purposes for which it is being processed.
  • The data subject has the right to access, rectify, and erase their personal data, among other rights.
  • Organisations must implement appropriate technical and organisational measures to ensure the security of personal data.
  • Organisations must notify authorities of any data breaches within 72 hours of discovery.

To comply with the GDPR, organisations often appoint a data protection officer (DPO) to oversee GDPR compliance, implement appropriate technical and organisational measures to ensure data security, and document all data processing activities. Failure to comply with the regulation can result in fines of up to 4% of an organisation's global annual revenue or €20 million, whichever is greater.

GRC software can support GDPR compliance by providing tools to manage and monitor data protection processes, automate data privacy assessments, and ensure that personal data is only accessed by authorised personnel. These tools can help organisations maintain compliance with the GDPR's requirements and avoid costly fines.

The GDPR is crucial to financial institutions as it sets a higher standard for data protection and privacy. Financial institutions collect and process vast amounts of personal data, such as customer financial information, and are therefore at a higher risk of data breaches and cyber attacks. The GDPR requires that financial institutions take measures to protect personal data and notify individuals and regulators of any data breaches. Failure to comply with GDPR can result in significant financial penalties, damage to reputation, and loss of customer trust. Compliance with GDPR demonstrates that financial institutions take data privacy and security seriously and are committed to protecting customer data. In addition, compliance can provide a competitive advantage as customers are becoming increasingly aware of the importance of data privacy and may be more likely to choose institutions that take data protection seriously.