As Workday's chief privacy officer, it's one of Barbara Cosgrove's responsibilities to drive the HCM vendor's strategy to help customers and itself comply with the GDPR employee data regulations.
There's a lot to comply with under the General Data Protection Regulation set to go into effect May 25, 2018.
For nearly two years, Cosgrove, a trained lawyer with many years of experience in HR compliance, has led a cross-functional project team that has reviewed Workday processes and policies with an eye toward aligning them with the GDPR employee data guidance and other rules.
Purging employee data
HR data is one of the most important areas affected by the GDPR personal data privacy, access and portability rules, and the ability to quickly purge employees' data at their request is a cornerstone of the GDPR.
In Workday 29, the company added features specifically for GDPR to enable organizations to purge active and former worker and applicant data, such as national and government identification numbers, sexual orientation and gender identity, ethnicity, religion and disability.
Privacy Shield readiness
For Workday, GDPR readiness is a somewhat simplified process because of the company's pre-existing participation in the Department of Commerce's Privacy Shield program, in which U.S. companies commit to GDPR-like levels of data protection when moving personal data from Europe to the U.S.
Workday certified to Privacy Shield for HR data in 2016. Some of Workday's HR tech competitors, including Ceridian, Ultimate Software and Kronos, also are Privacy Shield-certified for HR data.
"It was a priority for us to quickly be certified," Cosgrove said. "Certifying to the Privacy Shield was absolutely a good way to begin our path to GDPR compliance."
Right to be forgotten
In addition to the purging capability, which satisfies the GDPR's key "right to be forgotten" provision, Workday has built into its human capital management (HCM) system a suite of configurable access features that managers can use to control data privacy within their organizations.
That standardized framework for role-based access control addresses the GDPR employee data access rules, which restrict access to employee data to managers with a specific need to view the information.
Another important element of the way Workday has built GDPR compliance into its system is audit logging, which lets it respond to audits that review data security, access and monitoring.
"Workday has tools that can help customers, as well as ourselves, achieve compliance for being the system of record for HR data," Cosgrove said.
Cosgrove said she sees Workday's pre-existing approach to data privacy, which she has outlined in a series of blog posts during the run-up to the GDPR start date, as a jumping-off point rather than an endpoint.
Privacy by design
For example, like the GDPR itself, Workday said it has incorporated "privacy by design" and "privacy by default" as basic software design principles.
Those concepts -- stipulating that privacy and data access restrictions be built into software and not be added on or optional -- are legally mandated by the GDPR. According to Workday, it has already followed the GDPR foundational principles as a best practice and now is simply dovetailing them within the GDPR legal framework.
"We were really able to leverage our privacy by design program, which really helped us prepare for the GDPR," she said. "We went through a concerted effort to launch that project and then be able to communicate with our customers about how Workday was going to be able to support them with GDPR compliance."
Data processor GDPR compliance
Under the GDPR, Workday (and other HCM vendors) is considered a "data processor," while its customers are "data controllers."
So, to demonstrate its own adherence to the GDPR employee data provisions, Workday added new controls to its most recent third-party audit reports for customers, along with a matrix showing how its processes map to GDPR requirements.
"We did this to show them that we are doing what we're expected to do to appropriately process their data," Cosgrove said.
Beyond its GDPR-specific functions and existing data privacy practices, Workday maintains that its "power of one" branding -- its conviction that its unified cloud-only technology is a more elegant, efficient architecture than that of other HCM vendors -- is a major advantage in addressing GDPR mandates.
Cosgrove noted that the overall impact of the GDPR is to harmonize the European Union's disparate personal data privacy laws.
"Having a single security model for all of our data transactions, processing and applications absolutely supports us when changes to different compliance regulations come," she said. "We're able to roll those out more easily to our customers."