Global Data Privacy
Privacy continues to be front and centre on the global stage, with the advent of the General Data Protection Regulation, the continued momentum for US privacy legislation, and new laws throughout Asia and Latin America. At Workday, we welcome this renewed attention, as privacy protections have been a fundamental component of our services from our very beginning. We also understand that privacy is a shared responsibility between us and our customers.
Workday and our customers must be prepared to comply with complex global privacy laws and regulations. Workday stays ahead of international privacy regulations by maintaining a comprehensive global data protection programme that contains comprehensive technical, administrative and organisational safeguards. Our customers can rest assured that we are committed to global privacy standards, as shown by our implementation of Binding Corporate Rules for Processors (BCRs), and being the first company to certify to the Asia-Pacific Economic Cooperation Privacy Rules for Processors.
EU Data Privacy
To highlight how Workday prepares for changing regulations, on May 25, 2018, the General Data Protection Regulation (GDPR) significantly changed the European data privacy landscape by harmonising the patchwork of data protection laws in Europe. After GDPR went into effect, we remained confident in our ability to process our customers’ personal data in alignment with the GDPR. As an example, not much changed for Workday customers with respect to any applicable cross-border data transfer flows of personal data to Workday for processing. We already had robust data protection terms but proactively updated them to meet GDPR requirements.
Some highlights of how our robust privacy and security practices support GDPR compliance include:
- Recurring role-based employee training on security and privacy practices
- Well-developed processes to capture Privacy Impact Assessments
- Offering data transfer mechanisms to legalise transfers of personal data outside of the European Economic Area, including the Workday BCRs
- Maintaining records of processing activities
- Providing configurable privacy and compliance features to our customers
- Mapping of GDPR requirements to our SOC2 controls
In addition, Privacy by Design and Privacy by Default are concepts deeply embedded in Workday. We continue to monitor guidance that EU supervisory authorities issue to ensure that our compliance programme remains up-to-date.
Workday understands that not only is it important for our own organisation to be compliant with GDPR as a data processor, but also for our customers to be able to use Workday to help with their internal compliance requirements. This is why Workday designs our applications with configurability in mind to help you meet your GDPR obligations.
Cross-border Data Transfers
While there have been many challenges to cross-border data flows over the years, Workday has remained confident that we can support our customers. We built a programme early on that offers our customers various data transfer mechanisms. Our agreement includes the European Commission’s Standard Contractual Clauses (SCC), which enable the transfer of personal data from the European Economic Area to the United States. In addition, Workday offers customers Processor Binding Corporate Rules (BCRs) as an additional transfer mechanism. Workday’s BCR are available here.
We partner with our global customers as they conduct Transfer Impact Assessments prior to transferring European personal data to third party countries. We proactively share information, such as FAQs and white papers, to help them navigate these assessments. In addition, Workday commits to providing transparency to our customers in the event we receive a valid legal process from law enforcement or other government agencies for access to electronic information customers submit into Workday’s software-as-a-service applications.
We invest in certifying to leading industry standards and frameworks so our customers can easily verify our privacy practices. We’re often the first to do so.
Workday signed up for the Privacy Shield on the first day the US Department of Commerce launched the Privacy Shield certification process, demonstrating our strong, ongoing commitment to privacy and protecting our customers’ data. Even though the Privacy Shield is no longer a valid data transfer framework, Workday continues to certify to the Department of Commerce that we adhere to the Privacy Shield Principles. While companies can self-certify to the Privacy Shield, Workday uses TRUSTe as our third-party verification agent to further demonstrate our compliance. Read more about our TRUSTe verification status to Privacy Shield.
Workday was the first cloud service provider to declare adherence to the EU Cloud Code of Conduct (CCoC), which consists of a set of requirements that enable cloud service providers (CSPs) to demonstrate their capability to comply with GDPR. Annual reviews take place by the independent monitoring body. Verify Workday’s adherence to the CCoC.
Workday has certified to the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) and Privacy Rules for Processors (APEC PRP). The APEC certifications are a voluntary set of privacy standards developed for data controllers and processors, respectively, to facilitate data transfers among APEC economies. These certifications demonstrate compliance with high standards of privacy compliance throughout the Asia-Pacific region.
Workday was one of the first companies to be certified to the APEC CBPR in March 2014 and the first to be certified for APEC PRP in September 2018. We have received a third-party certification from TRUSTe, which is the APEC Accountability Agent for the United States.