Workday focuses on GDPR employee data protections

Published November 29, 2021

Author: Omer Imran Malik, Data Privacy Legal Manager, Securiti (FIP, CIPT, CIPM, CIPP/US)


Protecting employees’ data is now a must for every organization across the globe. As cyber threats grow year after year, governments enact data protection and privacy laws that give consumers, users, and employees alike better control over the accessibility and processing of their personal and sensitive personal data.

Companies that fail to protect their employees’ data bear not only financial but also reputational losses, whether those losses result from data breaches or from non-compliance.

Take, for example, the €2.6 million fine imposed on Foodinho by the Italian data protection authority (DPA). Foodinho, a European grocery delivery service, was fined for lacking safeguards to protect its employees’ rights against biased automated decision making, which goes against the GDPR’s “lawfulness, fairness, and transparency” principle and its rules on automated processing.

Companies using Workday must review their data collection and processing activities against the requirements of the GDPR. They must ensure the data protection and privacy of the individuals they deal with, including but not limited to interviewed (shortlisted) candidates, interns, permanent employees, remote employees, former employees, and contractors (to simplify, the rest of this post refers to all of these groups as “employees”).

Employees’ Data Protection Under GDPR

The European Union’s data protection law, GDPR, applies to organizations that:

  • Collect and process the personal data of natural persons while operating in the EU
  • Or, serve goods and services to EU residents while operating from outside the EU

The GDPR prescribes requirements concerning the protection of natural persons. Under the GDPR, the definition of a data subject covers both consumers and employees, giving them equal rights and protection in relation to their personal data. Therefore, organizations operating in the EU must comply with the GDPR when processing their employees’ data, whether the employees are inside or outside the EU. An organization outside the EU whose employees are inside the EU must also comply.

Let’s look into some of the key provisions of the GDPR that an employer must consider:

Article 5 of GDPR - Principles Related to Processing of Personal Data

Article 5 of the GDPR requires employers to handle employees’ personal data in accordance with the following data protection principles:

  • The personal data of employees should be processed lawfully, fairly and in a transparent manner.
  • Personal data must be collected and processed for only specific and valid purposes.
  • Data collected should be limited to only the data required and excess data should not be collected.
  • Personal data is required to be kept accurate and updated.
  • Data should no longer be processed once it is no longer required.
  • Appropriate security measures must be implemented to ensure the integrity and confidentiality of the data.
  • Organizations are accountable for the protection of their employees’ personal data.

Article 6 of GDPR - Lawfulness of Processing

As per Article 6 of the GDPR, employers must have a legal basis to process an employee’s personal data. The six legal bases are as follows:

(1) Performance of a contract

In an employment context, “performance of a contract” can be relied upon as a lawful basis for data processing where the processing is necessary to fulfill the employment contract. For example, to pay the employee, the employer must process the employee’s name and bank details.

(2) Compliance with a legal obligation

In an employment context, “compliance with a legal obligation” can be relied upon as a lawful basis for processing where a particular law, such as employment law, imposes legal obligations that necessitate the processing of personal data.

(3) Protection of vital interests

This is an appropriate legal basis where the processing is necessary to protect the vital interests of the employee or of another natural person. This includes processing data for humanitarian purposes.

(4) Performance of a task carried out in the public interest

This legal basis primarily applies to official authorities or governmental entities. Private employers can rely on it only if they exercise official authority or carry out a task in the public interest.

(5) Legitimate interests of the data controller

In an employment context, “legitimate interests” can be relied upon as a lawful basis where the processing is necessary for the purposes of the employer’s legitimate interests. In that situation the purpose of the processing must be legitimate; the chosen method or technology must be necessary and proportionate and implemented in the least intrusive manner possible; and the employer must be able to demonstrate that appropriate measures are in place to balance its interests against the fundamental rights and freedoms of employees. An example is a structural systems change that migrates employees’ data from an old payroll system to a new one.

(6) Consent

For most data processing at work, the lawful basis cannot and should not be an employee’s consent. The imbalance of power between employer and employee pressures an employee into consenting, so such consent is not freely given and therefore not valid. However, an employee’s consent can be used where refusing it has no adverse consequences for the employment relationship, for example retaining employees’ data for future job roles or voluntary employee benefit programs.

Articles 12-23 of GDPR - Rights of the Data Subjects

Perhaps one of the most celebrated principles of the GDPR is the pre-defined set of rights that it bestows upon consumers and employees alike. Under the GDPR, employees have the right to:

  • Know when personal data is collected from them
  • Rectify and update any incorrect information that the data controller or employer has collected or uses for processing
  • Have their personal data erased if it is no longer required for the purpose for which it was collected, or if the employee has withdrawn consent where the processing was based on consent (typically only after the employment has ended)
  • Restrict the data controller from processing personal data if it is unlawfully processed.
  • Ask the data controller to transfer their personal data to another data controller in a structured, commonly used and machine-readable format.
  • Invoke their right to object to the processing of their personal data, such as for direct marketing purposes.
  • Not be subjected to decisions resulting from automated decision-making processes.

All of the aforementioned rights apply under certain conditions and have limitations. To learn more about other legal obligations related to employee data protection, read our detailed blog: What GDPR Means For Employee Data.

How Workday Complies with GDPR

Workday, the renowned human capital management (HCM) vendor, helps its customers meet GDPR requirements. “Workday has had a global data protection program built in from day one,” says Barbara Cosgrove, vice president and chief privacy officer at Workday.

Workday has built three specific features that help customers stay aligned with the data protection rules and principles that apply to their employees’ data:

Limited Data Accessibility

In Workday, employers can control the privacy of the personal or sensitive personal data of their employees by setting up security configurations. These configurations further allow employers to implement “conditional role-based” access controls.

Usually, organizations configure security access controls that prevent peers from accessing each other’s personal data. However, they often leave managers out of this strict access control, which gives managers access to data they have no need to know. This becomes an issue for GDPR compliance, since the regulation permits data processors to access personal or sensitive data only on a need-to-know basis.

By setting up conditional role-based access controls, employers can define who in the organization can access employees’ sensitive personal data.
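The following Python is an added illustration of the conditional role-based access described above; it is not Workday’s code or configuration. The manager role on its own grants nothing, the reporting line grants work-related fields only, and Article 9 special-category fields stay out of reach unless a lawful condition such as explicit consent applies. The role names, field sets and org chart are constructed assumptions, and `naive_allowed_fields` models the misconfiguration the post warns about.

```python
"""Conditional role-based access check for employee records (illustrative).

Roles, field sets and the reporting line are constructed for this example.
"""
from dataclasses import dataclass, field

# GDPR Article 9 special categories: never exposed merely because someone
# manages the record's owner.
SPECIAL_CATEGORY = {"ethnicity", "religion", "health",
                    "union_membership", "sexual_orientation"}
WORK_FIELDS = {"name", "job_title", "department", "start_date"}
PAYROLL_FIELDS = {"bank_account", "salary"}


@dataclass
class User:
    uid: str
    roles: set
    manages: set = field(default_factory=set)  # uids of direct reports


def allowed_fields(actor: User, subject_uid: str,
                   explicit_consent: bool = False) -> set:
    """Return the set of fields `actor` may read on employee `subject_uid`."""
    if actor.uid == subject_uid:
        # An employee may always see their own record (Article 15 right of access).
        return WORK_FIELDS | PAYROLL_FIELDS | SPECIAL_CATEGORY
    fields = set()
    if "payroll" in actor.roles:
        # Contract performance (Art. 6(1)(b)): bank details yes, Art. 9 data no.
        fields |= WORK_FIELDS | PAYROLL_FIELDS
    if "hr" in actor.roles:
        fields |= WORK_FIELDS | PAYROLL_FIELDS
        if explicit_consent:
            # Art. 9(2)(a): special categories only under an Art. 9(2) condition.
            fields |= SPECIAL_CATEGORY
    if "manager" in actor.roles and subject_uid in actor.manages:
        # Conditional: the role alone grants nothing; the reporting line grants
        # work fields only.
        fields |= WORK_FIELDS
    return fields


def naive_allowed_fields(actor: User, subject_uid: str) -> set:
    """The misconfiguration: any manager sees every field of every employee."""
    if actor.uid == subject_uid or "manager" in actor.roles:
        return WORK_FIELDS | PAYROLL_FIELDS | SPECIAL_CATEGORY
    return set()


def read_field(actor: User, subject_uid: str, field_name: str, audit: list,
               explicit_consent: bool = False) -> bool:
    """Gate one field read and record the decision for audit reporting."""
    ok = field_name in allowed_fields(actor, subject_uid, explicit_consent)
    audit.append({"actor": actor.uid, "subject": subject_uid,
                  "field": field_name, "allowed": ok})
    return ok
```

Every decision, including denials, lands in the audit list so that access attempts outside the need-to-know set are visible to the reviewer rather than silently discarded.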

Seamless Data Purging

Under Article 9 of the GDPR, “processing of special categories of personal data”, such as “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life,” is generally prohibited unless specific conditions apply. For example, a data controller can process such data with the explicit consent of the natural person, whether consumer or employee. Alternatively, a data controller may process it where necessary to meet legal obligations.

Workday helps employers handle such special-category data with its data purging feature, which lets them purge former and existing employees’ personal data, such as sexual orientation, religion, and ethnicity, with ease.

Workday’s data purging capability also satisfies the Article 17 requirement of the GDPR: the right to erasure, also known as the right to be forgotten.

Efficient GDPR Auditing

Article 30 of the GDPR requires organizations to keep and maintain an up-to-date record of processing activities (ROPA) that includes all vital information, such as:

  • Categories of personal and sensitive personal data kept by the employer for data processing
  • Categories of data recipients and data subjects
  • Employees’ consent record
  • Data controller’s name and contact details
  • Purpose of data processing
  • Data retention periods
  • Technical and organizational security standards

Article 30 further requires organizations to make these records available to a supervisory authority on request, for auditing and similar purposes. Workday enables employers to produce an audit report as part of their compliance with the GDPR’s record-keeping requirements. The record includes the details that give data controllers and supervisory authorities insight into all processing activities, as the GDPR requires.

Issues Data Controllers Face When Managing Employee Data at Scale

GDPR compliance may not be much of a problem for small businesses with a limited number of employees, since Workday resolves many GDPR challenges through the privacy features discussed above. However, organizations with large or frequently changing environments, dealing with thousands of employees across the globe, cannot enjoy the same convenience with regulatory requirements.

  • Recruiters in an organization have to work with a volume of data that comes from interviewees, potential candidates, former employees, remote employees, contractors, and existing personnel. The problem is compounded when the data is collected in unstructured formats across the organization, such as spreadsheets, emails, PDF and Word documents, and saved on on-premises infrastructure, in the cloud, or across multiple cloud services. The resulting data sprawl blurs visibility into the data.
  • Clients tend to focus on using the solution to simplify HR processes rather than on securing and protecting their employees’ data. This leads to problems such as security misconfigurations, inadequate security measures, and excessive privileged access, to name a few.
  • HR personnel often require sensitive personal data of candidates, such as medical or criminal records, to run background checks. Data controllers need proper security controls in place to protect that data, to be notified of any breach or compliance violation, and to keep records of processing activities for auditing purposes. This is a tall order for data controllers who already have their hands full with equally important responsibilities.

Securiti Makes Workday GDPR Compliance Seamless

Securiti helps clients using the Workday enterprise management cloud to automate their data governance, privacy, and compliance requirements with an AI-driven privacy management suite. Securiti integrates the Workday environment with other on-premises and cloud-based services via hundreds of native connectors for autonomous data discovery, mapping, and control.

  • Establish Autonomous Data Intelligence: Scan through Workday data in structured and unstructured formats, tag personal data under relevant categories and elements, link it to the owner of the data, assign risk score based on the sensitivity of the data, and track high-risk data activities.
  • Govern Access to Sensitive Data: Discover and identify sensitive personal data to apply masking for excessive privilege exposure.
  • Remediate Security Misconfigurations: Automatically detect security misconfigurations, set security policies, and remediate the misconfigurations found.
  • Ensure Better Consent Management: Capture employee and candidate consent across various touchpoints using consent forms, and use data intelligence to link data to its owner and honor DSR requests in a timely manner.

Request a free demo to understand how to leverage Securiti PrivacyOps for Workday GDPR compliance.
