Companies that fail to protect the data of their employees have to bear not only financial but also reputational losses- be it a loss that results from data breaches or non-compliance.
Take, for example, the Foodinho €2.6 million fine, imposed by the Italian data protection authority (DPA). Foodinho, a European grocery delivery service, was fined for not having security measures to protect its employees’ rights against biased automated decision making, which goes against GDPR’s “lawfulness, fairness, and transparency” and “automated processing” regulations.
As Workday customers, it is imperative for companies to review their data collection and processing activities as per the requirements of the GDPR. Companies must ensure the data protection and privacy of individuals they deal with, including but not limited to interviewed (shortlisted) candidates, interns, permanent employees, remote employees, former employees, and contractors, to name a few (to simplify in the rest of the document we will refer to all these groups as “employees”.
Employee’s Data Protection Under GDPR
The European Union’s data protection law, GDPR, applies to organizations that:
- Collect and process the personal data of natural persons while operating in the EU
- Or, serve goods and services to EU residents while operating from outside the EU
The GDPR prescribes requirements concerning the protection of natural persons. Under the GDPR, the definition of a data subject covers both consumers as well as employees, giving them equal rights and protection in relation to their personal data. Therefore, it is obligatory for organizations working in the EU region to comply with the GDPR while processing their employees’ data, no matter whether the employees are inside or outside the EU. If the organization is outside the EU, but the employees are inside the Eu, they must also comply.
Let’s look into some of the key provisions of the GDPR that an employer must consider:
Article 5 of GDPR - Principles Related to Processing of Personal Data
Article 5 of the GDPR requires employers to handle employees’ personal data in accordance with the following data protection principles:
- The personal data of employees should be processed lawfully, fairly and in a transparent manner.
- Personal data must be collected and processed for only specific and valid purposes.
- Data collected should be limited to only the data required and excess data should not be collected.
- Personal data is required to be kept accurate and updated.
- Data should no longer be processed once it is no longer required
- Optimal security measures must be implemented to ensure its integrity and confidentiality.
- Organizations are responsible for the protection of their employees’ personal data
Article 6 of GDPR - Lawfulness of Processing
As per Article 6 of the GDPR, employers must have a legal basis to process an employee’s personal data. These six legal basis are as follows:
(1) Performance of a contract
In an employment context, “performance of a contract” can be relied upon as a lawful basis for data processing where the processing is necessary to fulfill the employment contract. For example, to pay the employee, the employer must process the employee’s name and bank details.
(2) Compliance with a legal obligation
In an employment context, “compliance with a legal obligation” can be relied upon as a lawful basis for processing where a particular law, such as employment law, imposes legal obligations that necessitates the processing of personal data.
(3) Protection of vital interests
This is an appropriate legal basis where the processing is necessary in order to protect the vital interests of the employee or of another natural person. This will include processing data for humanitarian purposes.
(4) Performance of a task carried out in the public interest
This legal basis primarily applies to official authorities or governmental entities. Private employers can rely on this legal basis if it exercises official authority or carries out a task in the public interest.
(5) Legitimate interests of the data controller
In an employment context, the “legitimate interests” can be relied upon as a lawful basis for processing when the processing is necessary for the purposes of legitimate interests of the employer. In such a situation, the purpose of data processing must be legitimate, the chosen method or specific technology must be necessary or proportionate and implemented in the least intrusive manner possible along with the ability to enable the employer to demonstrate that appropriate measures have been put in place to ensure a balance with the fundamental rights and freedoms of employees. For example, when an employer carries out a structural systems change to migrate employees’ data from an old payroll system to a new one.
(6) Consent
For most data processing at work, the lawful basis cannot and should not be an employee’s consent. This is because of the imbalance of power between an employer and employee that forces an employee to consent and hence, such consent is not freely given or valid. However, an employee’s consent can be used in data processing situations where there are no adverse consequences on the employment relationship for the refusal of such consent. For example, retaining employees’ data for future job roles or voluntary employee benefit programs.
Article 12-23 of GDPR - Rights of the Data Subjects
Perhaps one of the most celebrated principles of the GDPR is the pre-defined set of rights that it bestows upon consumers and employees alike. Under the GDPR, employees have the right to:
- Know when personal data is collected from them
- Rectify and update any incorrect information that the data controller or employer has collected or uses for processing
- Get the personal data erased if the data is no longer required for processing for the purpose it is intended or if the employee has withdrawn the consent where the processing was based on employee’s consent, (only typically after employment has finished)
- Restrict the data controller from processing personal data if it is unlawfully processed.
- Ask the data controller to transfer their personal data to another data controller in a structured, commonly used and machine-readable format.
- Invoke their right to object to the processing of their personal data, such as for direct marketing purposes.
- Not be subjected to decisions resulting from automated decision-making processes.
All afore-mentioned rights are applicable under certain conditions and have limitations. To learn more about other legal obligations related to employee data protection, read our detailed blog: What GDPR Means For Employee Data
How Workday Complies with GDPR
Workday, the renowned human capital management (HCM) vendor helps its customers meet GDPR requirements. “Workday has had a global data protection program built-in from day one,“ says Barbara Cosgrove, vice president, chief privacy officer at Workday.
Workday has built three specific features that help customers ensure that they are aligned with their employees’ data protection rules and principles. For example,
Limited Data Accessibility
In Workday, employers can control the privacy of the personal or sensitive personal data of their employees by setting up security configurations. These configurations further allow employers to implement “conditional role-based” access controls.
Usually, organizations configure security access control that prevents peers from accessing the personal data of each other. However, they often leave managers out of this “strict access control” that ultimately gives them access to certain data that they don’t need to know. This could become an issue when it comes to GDPR compliance as the regulations clearly allow access to personal or sensitive data to data processors only on a need-to-know basis.
By setting up conditional role-based access controls, employers can define who is the organization can access employees’ sensitive personal data.
Seamless Data Purging
Under Article 9 of the GDPR, “processing of special categories of personal data”, such as “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life,” is generally prohibited unless it falls under specific conditions. For example, a data controller can process the data if they have the explicit consent of the natural person: consumer or employee. Or, a data controller might also process the data to meet legal requirements.
Workday tackles this data access issue faced by employers with its smart data purging feature. Workday offers the capability to purge the data of former and existing employees’ personal data with ease, such as their sexual orientation, religion, ethnicity, etc.
Workday data purging capability further satisfies the Article 17 requirement of the GDPR, which is the right to erasure or the right to be forgotten.
Efficient GDPR Auditing
Article 30 of the GDPR requires organizations to keep and maintain an update to date record of processing activities (ROPA) that includes all vital information, such as
- Categories of personal and sensitive personal data kept by the employer for data processing
- Categories of data recipients and data subjects
- Employees’ consent record
- Data controller’s name and contact details
- Purpose of data processing
- Data retention periods
- Technical and organizational security standards
Article 30 further mandates organizations to make the records readily available to any supervisory authority for auditing and such purposes. Workday enables employers to deliver an audit report as part of their compliance with the record-keeping requirements under GDPR. The record includes all the details that give data controllers and any supervisory authority insights into all the processing activities as per GDPR requirements.
Issues Data Controllers Face When Managing Employee Data at Scale
GDPR compliance may not seem to be much of a problem for small businesses with a limited number of employees as Workday resolves many of the GDPR challenges via its privacy features, as discussed previously. However, organizations in large or frequently-changing environments, having to deal with thousands of employees across the globe, cannot enjoy the same level of convenience with regulatory requirements as small businesses.
- Recruiters in an organization have to work with a volume of data that comes from interviewees, potential candidates, former employees, remote employees, contractors, and existing personnel. The problem is compounded when the data is collectedin an unstructured format across the organization, such as in spreadsheet formats, emails, PDF and Word documents, and can be saved on-premises infrastructure, cloud or in multiple cloud services. The resulting data sprawl blurs visibility into data.
- The primary focus of clients is more inclined towards using the solution for simplifying the HR processes than ensuring the security and privacy of their employees' data. Consequently, this leads to many problems, such as security misconfigurations, inappropriate security measures, and excessive privileged access, to name a few.
- HR personnel often require sensitive personal data of candidates like their medical or criminal records for running background checks. Data controllers need to have proper security controls in place to protect the data, get notified in case of any breach or compliance violation, or keep records of processing activities for auditing purposes. This is a tall order for data controllers who already have their hands full of equally important responsibilities.
Securiti Makes Workday GDPR Compliance Seamless
Securiti helps clients using the Workday enterprise management cloud to automate their data governance, privacy, and compliance requirements with an AI-driven privacy management suite. Securiti integrates the Workday environment with other on-premises and cloud-based services via hundreds of native connectors for autonomous data discovery, mapping, and control.
- Establish Autonomous Data Intelligence: Scan through Workday data in structured and unstructured formats, tag personal data under relevant categories and elements, link it to the owner of the data, assign risk score based on the sensitivity of the data, and track high-risk data activities.
- Govern Access to Sensitive Data: Discover and identify sensitive personal data to apply masking for excessive privilege exposure.
- Remediate Security Misconfigurations: Automate security misconfigurations, set security policies, and remediate misconfigurations.
- Ensure better Consent Management: Capture employee and candidate consent across various touchpoints using consent forms. And use data intelligence to link data to the owner and honor DSR requests in a timely manner.
Request a free demo to understand how to leverage Securiti PrivacyOps for Workday GDPR compliance.
