The EU General Data Protection Regulation (GDPR) comes into force on May 25th 2018.

In the Difitek technology architecture, Difitek holds data on behalf of its customers, including “personal data” about their End Users, which is information relating to an identified or identifiable natural person (the “data subject”), including for example the person’s given name, family name, gender, birth date, address, passport number, driving licence number, and tax ID.

In the EU’s terminology a “data controller” is a decision-maker with respect to data. This means that the data controller decides when to create, read, update or destroy data. A “data processor” processes data on behalf of a data controller but does not make any decisions with respect to it.

Whereas the previous EU Directive only imposed direct obligations on data controllers, the GDPR affects both data controllers and data processors, including those organizations based outside the EU such as Difitek, whose processing activities relate to the offering of goods or services to, or monitoring the behaviour of, EU data subjects (within the EU). Accordingly, Difitek will meet its direct obligations under EU law as well as facilitating its customers to do the same.

Core GDPR Principles

In accordance with GDPR, personal data must be:

  • Processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”)
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”)
  • Adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”)
  • Accurate and where necessary kept up to date (the “accuracy principle”)
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”)
  • Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”)
  • The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”).

Reporting on Data Processing Activities

Difitek receives instructions in the form of authenticated API requests and executes them on the customer’s database. The type of instruction depends on the type of API request made: a POST function is a request to create data; a GET function is a request to read data; a PATCH function is a request to update data; and a DELETE function is a request to destroy data.

When an instruction is successfully executed the Difitek API returns a “success” response, which is represented by the ‘200’ HTTP code. The only way to interact with a Difitek database is through the API, therefore, enumerating every successful API request gives a complete and exhaustive record of every occasion on which Difitek has performed a data processing activity. The API can also return “exceptions” if the request was badly formed or “errors” if the API fails to execute a valid request: in both of these cases no data processing occurs.

Admin Users through the Difitek Back Office application will be able to retrieve a complete audit log, month by month, which acts as a written record of all data processing activities carried out their behalf as a data controller, through the GDPR Compliance menu option.

In addition, Difitek ensures that the provisions on cross-border transfers are met by continuing to host EU customers’ data inside the EU and never having the ability to transfer that data outside of the EU.

In the unlikely event of a personal data breach, Difitek will notify the affected customer as soon as possible and in line with the standard terms and conditions of its service.

Destroying Personal Identifiable Information on User Request

In order to facilitate its customers’ own obligations with respect to their End Users, Difitek, Inc. has also released new API and Back Office features which allow customers to inform Difitek that an End User has requested that their personal data be destroyed.

Customers may want to add a new form to their front-end applications that allows End Users to get in touch with them and make this request.

Following receipt of such a request, Admin Users can log into their Difitek Back Office, and under the GDPR Compliance section, press the ‘Request to Delete User’ button. They will be taken to a page on which they can select the User who made the request.

Selecting the User and pressing ‘Submit’ will immediately log the request and notify the relevant Difitek account manager. The account manager will follow up and confirm in writing that the request is valid, after which the deletion request will be moved to ‘Pending’ status and Difitek engineers will execute the request. The End User’s personal data will be destroyed from the live database and all Difitek database backups. Difitek’s team will also help customers to identify whether any other third-party services have been used (in accordance with their instructions) with an End User’s data, for example online payments services or KYC/AML services, so that customers can ensure that the affected personal data is also removed from those databases where appropriate.

Destroying an End User’s personal data also logs out the User from any front-end application and permanently blocks them from the customer’s service. If the same End User should want to re-join the service, they would need to sign up again with a new account.

Removing an End User’s “personal data” does not delete the record that a User existed in the Difitek database, because the record itself is linked to a User’s historical investment activity, which is maintained to ensure compliance with other securities regulations where relevant. Accordingly, the End User’s ‘id’ will still appear in the list of Users in the Admin Back Office, but no other information will be visible, and it will not be permitted to update the End User’s historical record through the Back Office or the API.

For more information about GDPR or how to ensure ongoing compliance by using the Difitek API, please get in touch with your Difitek account manager.