
Fundamentals of the GDPR Regulatory Framework in 2025



As the financial services industry continues to operate within a complex web of regulatory expectations, the General Data Protection Regulation (GDPR) remains a cornerstone of compliance in 2025. Investment and financial institutions, particularly those under direct regulatory supervision, must implement robust data protection practices to protect the personal data of clients, employees, and third parties. 

In this article, the SALVUS Regulatory Compliance team explores the critical GDPR obligations applicable to investment and financial institutions. Within this article we discuss: 

1. GDPR Principles and Key Definitions
2. Consent and Rights of Data Subjects
3. The Role and Responsibilities of the Data Protection Officer (DPO)
4. Privacy and Cookies Policies in Practice
5. How SALVUS can assist 

We regularly share bite-sized insights on LinkedIn such as those found in this article

1. GDPR Principles and Key Definitions

GDPR is founded on core data protection principles (Article 5), including: 

  • Lawfulness, fairness, and transparency – personal data must be processed lawfully, fairly, and in a transparent manner, on an identified legal basis. 
  • Purpose limitation – data should only be collected for specified, explicit, and legitimate purposes, and not further processed in a way incompatible with those purposes. 
  • Data minimisation and accuracy – only the data necessary for those purposes should be collected, and it must be accurate and kept up to date. 
  • Storage limitation – data must be retained in identifiable form only as long as necessary for the purposes for which it is processed. 
  • Integrity and confidentiality – data must be protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures. 
  • Accountability – the controller is responsible for, and must be able to demonstrate, compliance with the principles above (for example through records of processing, policies, and DPIAs). 

Key GDPR terms include: 

  • Personal data – any information relating to an identified or identifiable natural person, including identifiers such as a name, an identification number, location data, or an online identifier. 
  • Controller and processor – the controller determines the purposes and means of processing, while the processor processes personal data on the controller’s behalf and under its documented instructions. 
  • Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Note that a breach is not limited to external attacks: an email sent to the wrong recipient or a lost, unencrypted laptop also qualifies. 

Investment firms must understand these concepts and apply them within the context of their operational, marketing, and client servicing activities. 

2. Consent and Rights of Data Subjects

Consent under GDPR must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give. Financial institutions must ensure that consent is clearly documented (who consented, when, to what, and how) and that withdrawal is honoured promptly. Consent is, however, only one of the lawful bases under Article 6: much of a regulated firm’s processing (client onboarding, KYC/AML checks, transaction records) rests instead on performance of a contract or on a legal obligation, and firms should not ask for consent where another basis applies, because consent that cannot genuinely be refused is not valid. 

Key rights of data subjects include: 

  • Right of access – to obtain confirmation that personal data is being processed, a copy of that data, and supporting information such as the purposes, recipients, and retention period. 
  • Right to rectification and erasure – to correct inaccurate data, and to have data deleted where it is no longer necessary, consent is withdrawn, or processing is unlawful (subject to exceptions, such as data a firm is legally required to retain). 
  • Right to restrict processing and object – particularly relevant in marketing and profiling contexts; an objection to direct marketing must always be honoured. 
  • Right to data portability – to receive personal data provided to the firm in a structured, commonly used, machine-readable format, and to have it transmitted to another service provider where technically feasible. 

Firms must have internal processes in place to respond to data subject requests promptly, generally within one month of receipt (extendable in complex cases). In the event of a personal data breach, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay. Every breach, notified or not, must be recorded internally. 

3. The Role and Responsibilities of the Data Protection Officer (DPO) 

The appointment of a DPO is mandatory under Article 37 where a firm’s core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or data relating to criminal convictions; many financial institutions meet the first condition through transaction monitoring and client profiling. In the context of GDPR, the DPO is a cornerstone of compliance oversight, tasked with ensuring that personal data is handled lawfully, transparently, and securely. 

A DPO must be designated based on professional qualifications, particularly expertise in data protection law and practices. Whether internal or external, the DPO must operate independently, be free from conflicts of interest, and report directly to the highest management level. They must also be granted sufficient resources and access to all relevant processing activities. 

Key responsibilities of the DPO include informing and advising the firm on its GDPR obligations, monitoring compliance with internal policies, and contributing to awareness and training initiatives. The DPO also oversees Data Protection Impact Assessments (DPIA), particularly where new processing activities or technologies are introduced that may pose heightened risks to individuals’ rights. 

Additionally, the DPO acts as a liaison with supervisory authorities and serves as a contact point for data subjects. A risk-based approach underpins the DPO’s daily work, prioritising high-risk processing and ensuring the firm takes appropriate and proportionate measures to remain GDPR-compliant.

Please contact us at info@salvusfunds.com if you require support with your GDPR compliance or are interested in our CPD course offerings and tailored advisory services.

4. Privacy and Cookies Policies in Practice 

Transparency is a critical element of GDPR compliance. Financial institutions must publish clear and accessible privacy and cookies policies, which include: 

Privacy Policy elements: 

  • Legal grounds and purposes of data processing 
  • Categories of data collected (including from marketing activities) 
  • Data retention periods (e.g., 5 years for CIF under regulatory obligations) 
  • Rights of data subjects and DPO contact information 
  • Description of security measures (e.g., encryption, access control) 

Cookies Policy components: 

  • Explanation of what cookies are and their types (e.g., necessary, marketing, statistics) 
  • Purpose of each cookie used, how data is collected, and how long the cookie persists 
  • Instructions on managing or disabling cookies through browser settings 
  • Explicit user consent for non-essential cookies, obtained through a first-visit banner before any non-essential cookie is set; accepting and refusing should be equally easy, and the choice must be revisable later 

These policies should be reviewed and updated regularly and displayed prominently on the company’s website. 
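The consent-gating logic the last two bullet points describe, as an added example that is not SALVUS’s own code: non-essential cookies are refused until the visitor opts in to their category, the choice is persisted (itself a necessary cookie), and withdrawal purges whatever was set under the withdrawn category. The cookie names (`session_id`, `_stats`, `_ads`) and the in-memory cookie jar are constructed for the example; in a real page the jar would wrap `document.cookie` or the Cookie Store API instead.

```javascript
// Added example (not from the SALVUS article): gating non-essential cookies
// behind explicit, per-category consent with support for withdrawal.
// Category names mirror the article's "necessary / statistics / marketing" split.

const CATEGORIES = ["necessary", "statistics", "marketing"];

// Minimal in-memory cookie jar so the example runs outside a browser.
// In a page you would wrap document.cookie (or the Cookie Store API) instead.
class MemoryCookieJar {
  constructor() { this.jar = new Map(); }
  set(name, value) { this.jar.set(name, value); }
  get(name) { return this.jar.get(name); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()]; }
}

class ConsentGate {
  // registry maps cookie name -> category, so every cookie the site sets is classified.
  constructor(jar, registry, consentCookieName = "cookie_consent") {
    this.jar = jar;
    this.registry = { ...registry };
    this.consentCookieName = consentCookieName;
    // Storing the visitor's choice is itself a strictly necessary cookie.
    this.registry[consentCookieName] = "necessary";
    this.consent = this.loadConsent();
  }

  // Default is "no consent" for every non-necessary category: silence, scrolling
  // or a pre-ticked box is not valid GDPR consent, so nothing is granted until
  // the visitor acts. A corrupt stored value is also treated as no consent.
  loadConsent() {
    const state = { necessary: true, statistics: false, marketing: false };
    const raw = this.jar.get(this.consentCookieName);
    if (!raw) return state;
    try {
      const parsed = JSON.parse(raw);
      for (const c of CATEGORIES) {
        if (c !== "necessary" && parsed[c] === true) state[c] = true;
      }
    } catch (_) { /* unparsable value: keep the all-refused default */ }
    return state;
  }

  // Record a granular choice, persist it with a timestamp so it can be evidenced
  // later, and purge cookies of any category that is now refused (withdrawal).
  updateConsent(choice) {
    for (const c of CATEGORIES) {
      if (c !== "necessary") this.consent[c] = choice[c] === true;
    }
    this.jar.set(this.consentCookieName, JSON.stringify({ ...this.consent, ts: Date.now() }));
    this.purgeRefused();
  }

  // Withdrawal must be as easy as giving consent: one call refuses everything.
  withdrawAll() { this.updateConsent({}); }

  // The only path through which site code sets cookies. Unregistered names are
  // rejected so an unclassified cookie cannot slip past the gate; refused
  // categories return false instead of setting anything.
  setCookie(name, value) {
    const category = this.registry[name];
    if (!category) throw new Error(`unregistered cookie: ${name}`);
    if (!this.consent[category]) return false;
    this.jar.set(name, value);
    return true;
  }

  // Remove every cookie whose category is not (or no longer) consented to.
  purgeRefused() {
    for (const name of this.jar.names()) {
      const category = this.registry[name];
      if (!category || !this.consent[category]) this.jar.remove(name);
    }
  }
}

// Walk-through with constructed cookie names: first visit, opt-in to marketing
// only, then full withdrawal.
function demo() {
  const jar = new MemoryCookieJar();
  const gate = new ConsentGate(jar, { session_id: "necessary", _stats: "statistics", _ads: "marketing" });
  const before = { session: gate.setCookie("session_id", "abc"), ads: gate.setCookie("_ads", "x") };
  gate.updateConsent({ marketing: true });
  const afterConsent = gate.setCookie("_ads", "x");
  gate.withdrawAll();
  return { before, afterConsent, remaining: jar.names().sort() };
}
```

The registry is the part worth copying: by forcing every cookie through `setCookie` with a declared category, an unclassified tracking cookie fails loudly rather than being set silently, which is also what makes the cookies policy’s list of cookies auditable against what the site actually sets.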

5. How SALVUS can assist

Navigating GDPR compliance can be particularly challenging for investment and financial institutions operating in a heavily regulated environment. At SALVUS, we offer tailored support to help firms not only meet but exceed their data protection obligations, through a combination of advisory services, training, and strategic policy development. 

Our team conducts thorough GDPR gap analysis to assess current compliance levels and identify areas for improvement. These evaluations are designed to give firms a clear picture of their strengths and vulnerabilities, forming the basis for a targeted compliance strategy. We also assist in developing and reviewing core documentation such as privacy and cookies policies, and internal data protection procedures, ensuring alignment with both GDPR and sector-specific regulations like MiFID II. 

For firms that are required to appoint a Data Protection Officer, SALVUS offers guidance on structuring the DPO role, selecting qualified personnel, or outsourcing the function where appropriate. We ensure that the appointed DPO is equipped with the tools, governance access, and independence needed to perform effectively. 

Training is also a key element of our support. We provide staff awareness sessions and specialised CPD courses in collaboration with the Institute for Professional Excellence (IforPE), including our course titled “GDPR for Investment & Financial Institutions.” These learning programs focus on practical application and are tailored to the real-world challenges faced by compliance, legal, and operational teams. 

Whether your firm is in the early stages of GDPR implementation or preparing for a supervisory inspection, SALVUS stands ready to support your compliance journey with clarity, structure, and confidence. 

Final Thoughts 

Compliance with the General Data Protection Regulation is not merely a legal obligation; it is a fundamental part of maintaining trust, safeguarding client relationships, and protecting reputational integrity. Investment firms and financial institutions must stay vigilant, regularly reviewing their privacy practices, data handling procedures, and DPO structures. With the right expertise and proactive planning, firms can not only meet but exceed GDPR expectations. 

