When talking with business leaders, one of the most frequent questions I hear is, “How can we keep up with regulatory changes around data privacy?” More recently, this question has stemmed from discussions about the European Union’s upcoming General Data Protection Regulation (GDPR).
I think the most important thing to remember is that while it will be a hectic run-up to the May 25 deadline, GDPR is a positive development for everyone. In addition to providing people with greater protections around their data, organizations will have to change how they store, handle, and share data. That’s going to require them to be more efficient with how they manage information, which in turn will create a host of opportunities to be more strategic and data-driven, according to experts such as Jeremy Baker, affiliate professor at ESCP Business School.
It’s imperative that our customers, and those considering Workday, know that the responsibility to comply with data privacy obligations is not one they bear alone.
After GDPR goes into effect, not much changes for Workday customers with respect to any applicable cross-border data transfer flows of personal data to Workday for processing. Workday has had a global data protection program built-in from day one. Similarly, Workday was one of the first companies to have a Privacy Shield certification—and we remain committed to maintaining it.
It’s also imperative that our customers, and those considering Workday, know that the responsibility to comply with data privacy obligations is not one they bear alone. We have individual agreements around privacy with our customers, and under GDPR, Workday also has direct responsibilities outlined by the regulation.
We also know we must continue to evolve with new features that meet organizations’ ever-changing data protection challenges. I wanted to highlight three specific features that directly address GDPR requirements:
In response to German and Nordic customers needing to satisfy requests from works councils—company-specific labor groups—in those countries, Workday has developed a configurable feature that can restrict managers’ access to certain data only to those who fundamentally need it for their role.
We call this feature “Conditional Role-Based Security Groups,” which is based on the privacy requirement around “need to know.” The concept is that a manager in an organization does not need to know the details of an employee’s compensation a certain number of layers down in that organization.
It works like this: Customers can create a new conditional role-based security group that will evaluate whether the worker being viewed is a member of a specified location/location hierarchy. If the employee is a part of that restricted security group, the data placed in the Conditional Role-Based Security Group will be hidden for managers above a certain level.
But, so that this feature does not impact report integrity, we’ve provided the ability to create aggregate reports which will include workers whose data is hidden.
We added privacy purging with Workday 26, and have continued to enhance and deepen the functionality of this feature. The main purpose of privacy purging is to help customers meet their privacy requirements and satisfy the right to be forgotten—soon to become enshrined by GDPR.
We have extended privacy purging so that customers using Workday Recruiting can now purge out candidate and prospect information quickly and efficiently. To meet the needs of GDPR, in Workday 29 we added in the ability for organizations to purge active worker data, such as national and government IDs, sexual orientation, gender identity, gender pronoun, race, ethnicity, religion, and disability, should an employee request the removal of this information.
Having the ability to audit user activity and potentially suspicious activity is of paramount importance. That’s why we ensured that the view audit feature was made available in Workday a full year before the GDPR deadline.
There are three main requirements for this feature. The first is to give administrators and their auditors fast access to user activity within the Workday system. Next was the monitoring piece, ensuring businesses could be alerted to potential threats across their entire Workday platform and in real-time. Finally, from a privacy perspective, having the ability to see who viewed exactly what data and when is the cornerstone of good GDPR practice.
Nothing happens in Workday without the system capturing it and making the audit trail easily accessible to those who need it via a standard report. Businesses can use a REST API to move information into a data inventory system or to leverage all of this information and utilize it in their downstream systems.
As May 25 approaches, businesses should use this opportunity to think not only about how they reach GDPR compliance, but how their current technologies and processes could be transformed through more efficient data handling and processing. GDPR will not be the last global privacy directive, and by taking the right technology steps, organizations can prepare themselves for change.