The clock is ticking: A year from today, the EU’s General Data Protection Regulation (GDPR) will take effect. With that in mind, now is a good time to talk about how Workday offers tools that help customers meet their GDPR obligations.
But first, here’s a brief refresher: The GDPR is an EU regulation meant to harmonize the patchwork of data protection laws in Europe. The GDPR repeals and replaces not just the current EU data protection directive, but also the Byzantine system of privacy legislation that each EU member state enacted under that directive.
A Partnership of Responsibilities for GDPR
When it comes to GDPR compliance, Workday and our customers both have responsibilities: our customers as data controllers, and Workday as a data processor. To quote from the official GDPR FAQ page, “A controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”
Below we provide some highlights about the protections Workday provides in its role as the data processor, and the tools we offer our customers to meet their responsibilities as data controllers. Workday has already taken steps to update the data processing terms we offer our customers to meet GDPR requirements. In addition, we have FAQs on our customer website, Workday Community, which we will continue to update as additional guidance comes out.
Workday as Data Processor
Security: Workday has built our data protection and security standards to regularly pass rigorous third-party compliance audits for security, confidentiality, availability, processing integrity, and privacy controls. Specifically, the Workday application framework allows customers to manage and control their users’ access to Workday applications, and offers a standardized framework for defining role-based access.
Cross-border data flows: The GDPR continues to allow the flow of personal data across country borders, and includes provisions ensuring existing data transfer mechanisms remain valid going forward. Workday’s customers have a choice of GDPR-compliant data transfer mechanisms for personal data transfers outside the European Economic Area to Workday. Customers may leverage Workday’s Privacy Shield Certification or sign standard contractual clauses.
Privacy impact assessments (PIAs): The GDPR requires PIAs for many types of data processing. Workday’s privacy team regularly and methodically conducts PIAs on features, technology, third-party onboarding, and operations related to our service. While we do not anticipate any significant changes to our already-thorough existing methods, our privacy team continues to monitor the GDPR to ensure our PIAs fulfill any new requirements.
Security breaches: The GDPR introduces new notification rules for any security breaches that lead to the loss or destruction of, or unauthorized access to, personal data. Workday has a formal internal incident response plan in place that aligns with these notification requirements.
Customer as Data Controller
In addition to Workday’s own compliance obligations under the GDPR as a processor of customers’ personal data, Workday also assists our customers in meeting their obligations under the GDPR in a variety of ways. Here are some highlights.
Data purging: To support customers’ compliance with the Right to be Forgotten, Workday offers a wide range of purging functionality. For example, a customer may have to purge certain sets of personal data from more than five years ago for former employees at a French location. With the Purge Person Data feature, customers can select the population of ex-employees whose data is to be removed.
Access rights: Workday offers a suite of configurable features to help customers comply with access rights under the GDPR. More specifically, the Workday application framework allows customers to manage and control their users’ access to Workday applications, and offers a standardized framework for defining role-based access.
Activity logging: To help customers protect personal data against security threats, Workday logs activity for each account. That includes successful logins and failed attempts as well as changes or additions to data by our customers and their end users. Security administrators can view the sign-on/failed sign-on reports, and individuals with an auditor role can run reports to view data changes any individual made in the system within a certain time period. This will also help customers demonstrate access monitoring and oversight, displaying a high level of compliance assurance.
Independent audits of Workday’s controls and processes: Customers can reference and rely on the procedures performed by our independent auditors as part of the SOC and ISO audits to demonstrate GDPR compliance. Customers can also share our SOC-3 Report, which is publicly available and serves as a summary version of the SOC-2 Report. Additionally, customers can subscribe to Workday’s Customer Audit Program if they require additional insight into Workday’s controls.
We take compliance seriously, and look forward to partnering with our customers so that we can each meet our responsibilities under the GDPR. And, we’ll continue to publish FAQs and blogs leading up to GDPR. The bottom line is that with Workday, customers can have confidence that they will have features and functionality that allow them to comply with GDPR.