Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Workday focuses on GDPR employee data protections

Published November 29, 2021

Companies that fail to protect the data of their employees have to bear not only financial but also reputational losses- be it a loss that results from data breaches or non-compliance.

Take, for example, the Foodinho €2.6 million fine, imposed by the Italian data protection authority (DPA). Foodinho, a European grocery delivery service, was fined for not having security measures to protect its employees’ rights against biased automated decision making, which goes against GDPR’s “lawfulness, fairness, and transparency” and “automated processing” regulations.

As Workday customers, it is imperative for companies to review their data collection and processing activities as per the requirements of the GDPR. Companies must ensure the data protection and privacy of individuals they deal with, including but not limited to interviewed (shortlisted) candidates, interns, permanent employees, remote employees, former employees, and contractors, to name a few (to simplify in the rest of the document we will refer to all these groups as “employees”.

The European Union’s data protection law, GDPR, applies to organizations that:

Collect and process the personal data of natural persons while operating in the EU
Or, serve goods and services to EU residents while operating from outside the EU

The GDPR prescribes requirements concerning the protection of natural persons. Under the GDPR, the definition of a data subject covers both consumers as well as employees, giving them equal rights and protection in relation to their personal data. Therefore, it is obligatory for organizations working in the EU region to comply with the GDPR while processing their employees’ data, no matter whether the employees are inside or outside the EU. If the organization is outside the EU, but the employees are inside the Eu, they must also comply.

Let’s look into some of the key provisions of the GDPR that an employer must consider:

Article 5 of the GDPR requires employers to handle employees’ personal data in accordance with the following data protection principles:

The personal data of employees should be processed lawfully, fairly and in a transparent manner.
Personal data must be collected and processed for only specific and valid purposes.
Data collected should be limited to only the data required and excess data should not be collected.
Personal data is required to be kept accurate and updated.
Data should no longer be processed once it is no longer required
Optimal security measures must be implemented to ensure its integrity and confidentiality.
Organizations are responsible for the protection of their employees’ personal data

As per Article 6 of the GDPR, employers must have a legal basis to process an employee’s personal data. These six legal basis are as follows:

(1) Performance of a contract
In an employment context, “performance of a contract” can be relied upon as a lawful basis for data processing where the processing is necessary to fulfill the employment contract. For example, to pay the employee, the employer must process the employee’s name and bank details.

(2) Compliance with a legal obligation
In an employment context, “compliance with a legal obligation” can be relied upon as a lawful basis for processing where a particular law, such as employment law, imposes legal obligations that necessitates the processing of personal data.

(3) Protection of vital interests
This is an appropriate legal basis where the processing is necessary in order to protect the vital interests of the employee or of another natural person. This will include processing data for humanitarian purposes.

(4) Performance of a task carried out in the public interest
This legal basis primarily applies to official authorities or governmental entities. Private employers can rely on this legal basis if it exercises official authority or carries out a task in the public interest.

(5) Legitimate interests of the data controller
In an employment context, the “legitimate interests” can be relied upon as a lawful basis for processing when the processing is necessary for the purposes of legitimate interests of the employer. In such a situation, the purpose of data processing must be legitimate, the chosen method or specific technology must be necessary or proportionate and implemented in the least intrusive manner possible along with the ability to enable the employer to demonstrate that appropriate measures have been put in place to ensure a balance with the fundamental rights and freedoms of employees. For example, when an employer carries out a structural systems change to migrate employees’ data from an old payroll system to a new one.

(6) Consent
For most data processing at work, the lawful basis cannot and should not be an employee’s consent. This is because of the imbalance of power between an employer and employee that forces an employee to consent and hence, such consent is not freely given or valid. However, an employee’s consent can be used in data processing situations where there are no adverse consequences on the employment relationship for the refusal of such consent. For example, retaining employees’ data for future job roles or voluntary employee benefit programs.

Perhaps one of the most celebrated principles of the GDPR is the pre-defined set of rights that it bestows upon consumers and employees alike. Under the GDPR, employees have the right to:

Know when personal data is collected from them
Rectify and update any incorrect information that the data controller or employer has collected or uses for processing
Get the personal data erased if the data is no longer required for processing for the purpose it is intended or if the employee has withdrawn the consent where the processing was based on employee’s consent, (only typically after employment has finished)
Restrict the data controller from processing personal data if it is unlawfully processed.
Ask the data controller to transfer their personal data to another data controller in a structured, commonly used and machine-readable format.
Invoke their right to object to the processing of their personal data, such as for direct marketing purposes.
Not be subjected to decisions resulting from automated decision-making processes.

All afore-mentioned rights are applicable under certain conditions and have limitations. To learn more about other legal obligations related to employee data protection, read our detailed blog: What GDPR Means For Employee Data

Workday, the renowned human capital management (HCM) vendor helps its customers meet GDPR requirements. “Workday has had a global data protection program built-in from day one,“ says Barbara Cosgrove, vice president, chief privacy officer at Workday.

Workday has built three specific features that help customers ensure that they are aligned with their employees’ data protection rules and principles. For example,

Limited Data Accessibility

In Workday, employers can control the privacy of the personal or sensitive personal data of their employees by setting up security configurations. These configurations further allow employers to implement “conditional role-based” access controls.

Usually, organizations configure security access control that prevents peers from accessing the personal data of each other. However, they often leave managers out of this “strict access control” that ultimately gives them access to certain data that they don’t need to know. This could become an issue when it comes to GDPR compliance as the regulations clearly allow access to personal or sensitive data to data processors only on a need-to-know basis.

By setting up conditional role-based access controls, employers can define who is the organization can access employees’ sensitive personal data.

Seamless Data Purging

Under Article 9 of the GDPR, “processing of special categories of personal data”, such as “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life,” is generally prohibited unless it falls under specific conditions. For example, a data controller can process the data if they have the explicit consent of the natural person: consumer or employee. Or, a data controller might also process the data to meet legal requirements.

Workday tackles this data access issue faced by employers with its smart data purging feature. Workday offers the capability to purge the data of former and existing employees’ personal data with ease, such as their sexual orientation, religion, ethnicity, etc.

Workday data purging capability further satisfies the Article 17 requirement of the GDPR, which is the right to erasure or the right to be forgotten.

Article 30 of the GDPR requires organizations to keep and maintain an update to date record of processing activities (ROPA) that includes all vital information, such as

Categories of personal and sensitive personal data kept by the employer for data processing
Categories of data recipients and data subjects
Employees’ consent record
Data controller’s name and contact details
Purpose of data processing
Data retention periods
Technical and organizational security standards

Article 30 further mandates organizations to make the records readily available to any supervisory authority for auditing and such purposes. Workday enables employers to deliver an audit report as part of their compliance with the record-keeping requirements under GDPR. The record includes all the details that give data controllers and any supervisory authority insights into all the processing activities as per GDPR requirements.

Issues Data Controllers Face When Managing Employee Data at Scale

GDPR compliance may not seem to be much of a problem for small businesses with a limited number of employees as Workday resolves many of the GDPR challenges via its privacy features, as discussed previously. However, organizations in large or frequently-changing environments, having to deal with thousands of employees across the globe, cannot enjoy the same level of convenience with regulatory requirements as small businesses.

Recruiters in an organization have to work with a volume of data that comes from interviewees, potential candidates, former employees, remote employees, contractors, and existing personnel. The problem is compounded when the data is collectedin an unstructured format across the organization, such as in spreadsheet formats, emails, PDF and Word documents, and can be saved on-premises infrastructure, cloud or in multiple cloud services. The resulting data sprawl blurs visibility into data.
The primary focus of clients is more inclined towards using the solution for simplifying the HR processes than ensuring the security and privacy of their employees' data. Consequently, this leads to many problems, such as security misconfigurations, inappropriate security measures, and excessive privileged access, to name a few.
HR personnel often require sensitive personal data of candidates like their medical or criminal records for running background checks. Data controllers need to have proper security controls in place to protect the data, get notified in case of any breach or compliance violation, or keep records of processing activities for auditing purposes. This is a tall order for data controllers who already have their hands full of equally important responsibilities.

Securiti helps clients using the Workday enterprise management cloud to automate their data governance, privacy, and compliance requirements with an AI-driven privacy management suite. Securiti integrates the Workday environment with other on-premises and cloud-based services via hundreds of native connectors for autonomous data discovery, mapping, and control.

Establish Autonomous Data Intelligence: Scan through Workday data in structured and unstructured formats, tag personal data under relevant categories and elements, link it to the owner of the data, assign risk score based on the sensitivity of the data, and track high-risk data activities.
Govern Access to Sensitive Data: Discover and identify sensitive personal data to apply masking for excessive privilege exposure.
Remediate Security Misconfigurations: Automate security misconfigurations, set security policies, and remediate misconfigurations.
Ensure better Consent Management: Capture employee and candidate consent across various touchpoints using consent forms. And use data intelligence to link data to the owner and honor DSR requests in a timely manner.

Request a free demo to understand how to leverage Securiti PrivacyOps for Workday GDPR compliance.

Limited Data Accessibility

Seamless Data Purging

Issues Data Controllers Face When Managing Employee Data at Scale

Newsletter

Company

Resources

Terms

Get in touch

Workday focuses on GDPR employee data protections

Employee’s Data Protection Under GDPR

Article 5 of GDPR - Principles Related to Processing of Personal Data

Article 6 of GDPR - Lawfulness of Processing

Article 12-23 of GDPR - Rights of the Data Subjects

How Workday Complies with GDPR

Limited Data Accessibility

Seamless Data Purging

Efficient GDPR Auditing

Issues Data Controllers Face When Managing Employee Data at Scale

Securiti Makes Workday GDPR Compliance Seamless

Join Our Newsletter

Share

More Stories that May Interest You

Email Marketing Requirements under GDPR and e-Privacy Directive

What is Proof of Consent under GDPR?

Data Discovery for GDPR: Ensuring Personal Data Compliance

Newsletter

Company

Resources

Terms

Get in touch

Follow