Global Privacy Standards
Workday remains committed to global privacy standards, as shown by our dedication to programs such as GDPR, Privacy Shield, and Asia-Pacific Economic Cross-Border Privacy Rules.
GDPR
The General Data Protection Regulation (GDPR), a European Union (EU) regulation, repeals and replaces Data Protection Directive 95/46/EC, as well as Member States implementing legislation. This regulation will take effect in all 28 EU Member States on May 25, 2018, and will simplify and harmonize current data protection laws in all EU Member States. The GDPR applies to companies in the EU as well as all companies that process or store the personal data of EU citizens, regardless of their location.
Workday has comprehensively evaluated GDPR requirements and implemented numerous privacy and security practices to ensure compliance with the GDPR from day one. These include:
- Training employees on security and privacy practices
- Conducting Privacy Impact Assessments
- Providing adequate data transfer methods to our customers
- Maintaining records of processing activities
- Providing configurable privacy and compliance features to our customers
Privacy by Design and Privacy by Default are concepts deeply enshrined in the Workday Service. Workday recognizes that the GDPR is a very important business priority for our global customers. As such, Workday continues to monitor guidance that EU supervisory authorities issue on the GDPR to ensure that our compliance program remains up-to-date.
Workday understands that not only is it important for our own organization to be compliant with the GDPR as a data processor, but also for our customers to be able to use the Workday Service to help with their internal compliance requirements. This is why Workday offers the tools to meet their GDPR obligations. The Workday Service enables customers to process personal data within their own private tenant. You can learn more about how we enable our customers to meet their GDPR obligations here.
Privacy Shield
In 2016, Workday signed up for the Privacy Shield on the first day the U.S. Department of Commerce launched the Privacy Shield certification process, demonstrating our strong, ongoing commitment to privacy and protecting our customers’ data. The Privacy Shield is a data transfer framework to allow personal data transfers between the EU and the U.S., as well as between Switzerland and the U.S. Four key principles are emphasized in the Privacy Shield:
- Clear safeguards and transparency obligations on U.S. government access
- Strong obligations on companies handling data
- Effective protection of individual rights, including redress options for EU citizens
- An annual joint review by the European Commission and the U.S. Department of Commerce
While companies can self-certify to the Privacy Shield, Workday uses TRUSTe as our third-party verification method. In addition, Workday continues to have third parties review our data privacy program regularly to ensure that our customers enjoy the highest possible levels of data protection and privacy. Read more about our certification to the Privacy Shield here.
APEC CBPR
Workday is also compliant with the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR). The APEC CBPR is a voluntary set of privacy standards developed to facilitate data transfers among APEC economies and demonstrates compliance with high standards of privacy compliance throughout the Asia-Pacific region.
Workday was one of the first companies to join the APEC CBPR system and has received a third-party attestation from TRUSTe, who is the APEC CBPR Accountability Agent for the United States. Our current APEC CBPR certification applies to our role as a data collector. By maintaining compliance with the APEC CBPR and privacy requirements in the EEA, Workday is able to globally demonstrate an adherence to robust privacy frameworks.