Workday Receives EU Approval on Binding Corporate Rules

With the May 25 effective date of the European Union General Data Protection Regulation (GDPR) fast approaching, data protection is top of mind for Workday’s customers. Over the past few months, we’ve outlined our privacy-by-design program and provided an overview of our data transfer mechanisms.

We’re proud to announce that Workday has obtained approval from EU data protection authorities for global Binding Corporate Rules for Processors (BCRs) that focus on safeguarding customer data. The Irish Data Protection Commissioner conducted the review, with peer review by both the UK Information Commissioner’s Office (ICO) and the Dutch Data Protection Authority (DPA).

Simply put, BCRs are a detailed code of conduct that governs the processing and transfer of personal data within a multinational company. As part of the approval process, the data protection authorities conducted a thorough review of our data privacy program, including our internal training programs, policies and procedures, and technical and organizational controls. This approval demonstrates that Workday has implemented a consistent set of robust privacy practices for processing personal data across our global Workday affiliates.

As demonstrated by our BCRs certification, Workday remains committed to continually enhancing the scope of our compliance programs, including expanding the scope of our audit reports and the breadth of our obtained certifications to demonstrate alignment with industry standards. Workday’s independent third-party audit reports and certifications provide a deep level of transparency and assure our customers, and our customers’ auditors, that our privacy practices are industry-leading.

Customers will be able to rely on our BCRs for the processing of their European personal data by Workday in the delivery of our software-as-a-service. Among other things, BCRs enable the lawful transfer of personal data from the European Economic Area (EEA) to other countries, and under GDPR, they are recognized as a data transfer mechanism for transfers of personal data outside the EEA. Workday will also continue to offer our customers Standard Contractual Clauses and maintain our Privacy Shield and APEC Cross-Border Privacy Rules certifications to enable global data transfers.

In addition to acting as a data transfer mechanism, BCR supports Workday’s broader compliance with the GDPR, including the principles of accountability, lawfulness of processing, general processing requirements, and security of processing.

BCRs are one example of Workday’s commitment to maintaining compliance with comprehensive privacy and security certifications. Highlights of some of our other recent compliance enhancements include:

• Expanding the SOC2 report to include compliance with the NIST Cybersecurity Framework.
• Obtaining a third-party independent auditor’s opinion confirming Workday’s conformity to the applicable requirements of the HIPAA Security, Breach Notification, and Privacy Rules.
• Achieving certification against ISO 27017, which supplements ISO 27002 with additional security guidelines for cloud services.
• Achieving authorization as a service provider for the UK public sector under G-Cloud 9.

At Workday, we understand our customers take a trust-but-verify approach regarding Workday’s processes and controls to protect their data. Workday’s BCRs, along with our new and existing certifications, provide further proof of the strong privacy and security protections we provide for customer data, giving companies the confidence to rely on Workday to help them achieve GDPR compliance.