GDPR: Privacy by Design at Workday

The General Data Protection Regulation (GDPR), a harmonized approach to data privacy laws across Europe, is set to take effect next year. That’s why it’s important for our customers and partners to understand Workday’s approach to privacy by design.

Privacy by design focuses on embedding privacy protection measures throughout the development process of products, processes, or services that could use personal data. While privacy by design has long been considered a best practice, it will be mandatory under the GDPR. More specifically, the GDPR requires organizations to consider the legal rules that apply to the processing of European personal data at the initial stages of any development process.

Privacy by design guides how Workday builds products, develops software, and operates our services. Here’s how we incorporate the seven foundational pillars of privacy by design into our philosophy:

• Proactive and Preventative: Privacy by design emphasizes proactive measures over reactive by anticipating and preventing invasive privacy events before they happen. To this end, Workday’s privacy team partners with product managers at the start of and throughout the development of every product. This enables us to create more compliant products and avoids the need to redo work to ensure that personal data is properly processed. Additionally, we conduct security and privacy training early and often as part of ongoing employee education.

• By Default: Privacy by default is part of our standard requirements for new features and products. When faced with a design choice, we default to giving more control over privacy rather than less. In fact, Workday’s chief privacy officer reviews and approves all major releases before they become generally available. Customers then configure Workday applications to meet their internal access requirements.

• Embedded: Privacy by design is embedded into Workday’s architecture and business practices. We have also integrated privacy by design principles into our software development process to guide how we build products and operate our services.

• Positive Sum: This concept of privacy by design focuses on satisfying all legitimate business objectives while protecting privacy. For instance, we believe that companies don’t have to choose between software that keeps personal data safe and software that’s easy to use. Both are important, and incorporating privacy early on within our development process helps we ensure both the safety and satisfaction of customers.

• Lifecycle Protection: Strong security measures must be in place to protect all personal data throughout its entire lifecycle. Workday has built security throughout the lifecycle of data processed by our services, including how we operate the Workday system infrastructure and how we deploy and build configurable applications for our customers.

• Visibility and Transparency: Workday provides our customers visibility and transparency by conducting and making available independent third-party audits and certifications covering privacy, confidentiality, and security. We strive to make sure that our customers can easily understand the technical and organizational measures we have in place for protecting personal data and give them the ability to determine the best means of delivering any information to their employees about how we process data.

• Respect for User Privacy: Workday builds in controls for our customers that enable them to configure our services to comply with privacy requirements applicable to them. With Workday, customers can provide the necessary level of privacy protection for their users.

Privacy by design is closely tied to Workday’s core values—especially integrity, customer service, and innovation. We take pride in ensuring that these values are met, not only in how we provide the Workday service, but also in how we operate from a compliance perspective.

We strive to become an early adopter of newly emerging business practices and standards, while always ensuring privacy and safeguarding our customers’ personal information is at the core of what we do. By emphasizing innovation and enhanced privacy protections to our customers and the individuals within their organizations, we will be able to continue to put our customers first and help them meet their own GDPR compliance requirements.