Published on November 29, 2021. Author: Privacy Research Team
Protecting employees' data is now a must for every organization across the globe. As cyber threats have grown over the years, governments have enacted data protection and privacy laws that give consumers, users, and employees alike greater control over who may access and process their personal and sensitive personal data.
Companies that fail to protect their employees' data bear not only financial but also reputational losses, whether those losses stem from a data breach or from non-compliance.
Take, for example, the €2.6 million fine imposed on Foodinho by the Italian data protection authority (the Garante) in 2021. Foodinho, a food delivery platform, was fined for, among other things, failing to inform its riders about how the platform's algorithms rated them and allocated work, and failing to put in place safeguards against discriminatory automated decisions, in breach of the GDPR's principles of lawfulness, fairness and transparency (Article 5) and its rules on automated decision-making (Article 22).
Companies that use Workday must therefore review their data collection and processing activities against the requirements of the GDPR. They must protect the personal data of everyone they deal with in an employment context, including shortlisted and interviewed candidates, interns, permanent employees, remote employees, former employees and contractors, to name a few. To keep the rest of this document simple, we refer to all of these groups as "employees".
The GDPR, the European Union's data protection law, applies to organizations established in the EU, and to organizations established outside the EU that process the personal data of individuals who are in the EU in connection with offering them goods or services or monitoring their behaviour (Article 3).
The GDPR prescribes requirements for the protection of natural persons. Its definition of a data subject covers employees as well as consumers, giving both the same rights and protection in relation to their personal data. An organization established in the EU must therefore comply with the GDPR when processing its employees' data, whether those employees are located inside or outside the EU, and an organization established outside the EU must comply when it processes the data of employees who are located in the EU.
Let's look at some of the key provisions of the GDPR that an employer must consider.
Article 5 of the GDPR requires employers to handle employees' personal data in accordance with its data protection principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
As per Article 6 of the GDPR, employers must have a legal basis for processing an employee's personal data. The six legal bases are as follows:
(1) Performance of a contract
In an employment context, “performance of a contract” can be relied upon as a lawful basis for data processing where the processing is necessary to fulfill the employment contract. For example, to pay the employee, the employer must process the employee’s name and bank details.
(2) Compliance with a legal obligation
In an employment context, "compliance with a legal obligation" can be relied upon as a lawful basis for processing where a particular law, such as employment, tax or social security law, imposes obligations that necessitate the processing of personal data.
(3) Protection of vital interests
This is an appropriate legal basis where the processing is necessary to protect the vital interests of the employee or of another natural person, typically in a life-threatening situation such as a medical emergency at work. It also covers processing for humanitarian purposes.
(4) Performance of a task carried out in the public interest
This legal basis primarily applies to official authorities and governmental entities. A private employer can rely on it only if it exercises official authority or carries out a task in the public interest that is laid down in law.
(5) Legitimate interests of the data controller
In an employment context, the “legitimate interests” can be relied upon as a lawful basis for processing when the processing is necessary for the purposes of legitimate interests of the employer. In such a situation, the purpose of data processing must be legitimate, the chosen method or specific technology must be necessary or proportionate and implemented in the least intrusive manner possible along with the ability to enable the employer to demonstrate that appropriate measures have been put in place to ensure a balance with the fundamental rights and freedoms of employees. For example, when an employer carries out a structural systems change to migrate employees’ data from an old payroll system to a new one.
For most data processing at work, the lawful basis cannot and should not be an employee’s consent. This is because of the imbalance of power between an employer and employee that forces an employee to consent and hence, such consent is not freely given or valid. However, an employee’s consent can be used in data processing situations where there are no adverse consequences on the employment relationship for the refusal of such consent. For example, retaining employees’ data for future job roles or voluntary employee benefit programs.
Perhaps the most celebrated feature of the GDPR is the set of rights it gives to consumers and employees alike. Under the GDPR, employees have the right to be informed about the processing of their data, to access it, to have it rectified, to have it erased (the right to be forgotten), to restrict its processing, to data portability, to object to processing, and not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on them (Articles 12 to 22).
All of the aforementioned rights apply under certain conditions and are subject to limitations. To learn more about other legal obligations related to employee data protection, read our detailed blog: What GDPR Means For Employee Data.
Workday, the renowned human capital management (HCM) vendor, helps its customers meet GDPR requirements. "Workday has had a global data protection program built-in from day one," says Barbara Cosgrove, vice president and chief privacy officer at Workday.
Workday has built three features in particular that help customers apply data protection rules and principles to their employees' data:
In Workday, employers control access to their employees' personal and sensitive personal data through security configurations. These configurations allow employers to implement conditional role-based access controls, in which what a user can see depends not only on their role but also on their relationship to the employee whose record is being viewed and on the category of data involved.
Organizations usually configure access controls that prevent peers from viewing each other's personal data. However, they often leave managers out of this strict access control, which gives managers access to data about their reports that they have no need to know. That is a GDPR problem: the data minimisation principle (Article 5(1)(c)) together with the requirements for data protection by design and by default (Article 25) and for security of processing (Article 32) mean that access to personal data, and especially to sensitive personal data, should be limited to the people who need it for a defined purpose.
By setting up conditional role-based access controls, employers can define exactly who in the organization can access employees' sensitive personal data, and under what conditions.
Under Article 9 of the GDPR, processing of "special categories of personal data", namely data revealing "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation", is prohibited unless one of the specific conditions in Article 9(2) applies. For example, a data controller may process such data with the explicit consent of the natural person, whether consumer or employee, or where the processing is necessary to carry out obligations under employment law. The caveats about employee consent noted above apply here too, so employers generally rely on an employment-law obligation rather than consent.
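To make the need-to-know point concrete, here is an added Python example of a conditional role-based access check over an employee record. It is not Workday's configuration model or code; the field classification, the rule table keyed by role and relationship, the Article 9 condition lookup and the sample workers are all constructed for the illustration. It also generalizes the manager case in the text: the same check gates payroll administrators and HR partners, and a role that is permitted to see special-category data is still denied unless a lawful Article 9 condition has been recorded for that employee and field.

```python
"""Conditional role-based access check for an employee record.

Added illustration of the need-to-know model described above; it is not
Workday's security configuration model or API. Field names, roles, rules
and sample workers are all constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Each record field is classified once. Article 9 special categories are kept
# apart from ordinary personal data so that rules can treat them differently.
FIELD_CATEGORY = {
    "name": "identity", "employee_id": "identity",
    "work_email": "contact",
    "bank_account": "payroll", "salary": "payroll",
    "religion": "special", "health_condition": "special",
    "trade_union_membership": "special",
}

@dataclass(frozen=True)
class Worker:
    worker_id: str
    roles: frozenset
    manager_id: Optional[str] = None  # direct line manager, if any

def is_self(requester, subject):
    return requester.worker_id == subject.worker_id

def is_direct_manager(requester, subject):
    return subject.manager_id == requester.worker_id

def anyone(requester, subject):
    return True

# (required role, data categories granted, condition on the requester/subject
# relationship). Whatever no rule grants is denied, so a manager can read a
# direct report's contact details but not their payroll or special-category data.
RULES = (
    ("employee", {"identity", "contact", "payroll", "special"}, is_self),
    ("employee", {"identity", "contact"}, anyone),            # company directory
    ("manager", {"identity", "contact"}, is_direct_manager),
    ("payroll_admin", {"payroll"}, anyone),
    ("hr_partner", {"special"}, anyone),                      # gated again below
)

def check_access(requester, subject, field, article9_basis):
    """Return (allowed, reason) for requester reading one field of subject's record.

    article9_basis maps (subject_id, field) to the recorded Article 9(2) condition
    (e.g. "explicit_consent" or "employment_law"). Without such a record, a role
    that is otherwise permitted to see special-category data is still denied.
    """
    category = FIELD_CATEGORY.get(field)
    if category is None:
        return False, f"unclassified field {field!r}: denied by default"
    for role, categories, condition in RULES:
        if role not in requester.roles or category not in categories:
            continue
        if not condition(requester, subject):
            continue
        if category == "special" and not is_self(requester, subject):
            basis = article9_basis.get((subject.worker_id, field))
            if basis is None:
                return False, f"{field!r} is Article 9 data with no recorded lawful condition"
            return True, f"role {role}, Article 9 basis {basis}"
        return True, f"role {role}"
    return False, f"no rule grants {category} data to roles {sorted(requester.roles)}"

def filter_record(requester, subject, record, article9_basis):
    """Project a full record down to the fields the requester may see."""
    return {f: v for f, v in record.items()
            if check_access(requester, subject, f, article9_basis)[0]}

# Constructed sample data so the module runs stand-alone.
DIRECTORY = {
    "w001": Worker("w001", frozenset({"employee", "manager"})),
    "w002": Worker("w002", frozenset({"employee"}), manager_id="w001"),
    "w003": Worker("w003", frozenset({"employee", "payroll_admin"})),
    "w004": Worker("w004", frozenset({"employee", "hr_partner"})),
}
RECORD_W002 = {
    "name": "A. Example", "employee_id": "w002", "work_email": "a.example@corp.test",
    "bank_account": "DE00 0000 0000 0000 0000 00", "salary": 52000,
    "religion": "undisclosed", "health_condition": "undisclosed",
    "trade_union_membership": "member",
}
# Only one special-category field of w002 has a recorded Article 9 condition.
ARTICLE9_BASIS = {("w002", "trade_union_membership"): "explicit_consent"}

if __name__ == "__main__":
    for rid, requester in DIRECTORY.items():
        view = filter_record(requester, DIRECTORY["w002"], RECORD_W002, ARTICLE9_BASIS)
        print(rid, sorted(view))
```

Two design choices carry the compliance point: the default is deny (an unclassified field or a missing rule never leaks), and the Article 9 gate is evaluated after the role check, so widening an HR role never silently widens access to special-category data for which no lawful condition exists. Run stand-alone, the script prints which fields of w002's record each of the four workers can see.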
Workday also addresses the retention side of this problem with its data purging feature, which lets employers purge personal data of former and current employees, including special-category data such as sexual orientation, religion and ethnicity, once there is no longer a lawful reason to hold it.
The purging capability supports compliance with Article 17 of the GDPR, the right to erasure (also known as the right to be forgotten), as well as with the storage limitation principle of Article 5(1)(e).
Article 30 of the GDPR requires organizations to keep an up-to-date record of processing activities (ROPA) that includes, for each activity, the name and contact details of the controller (and, where applicable, its representative and data protection officer), the purposes of the processing, the categories of data subjects and of personal data, the categories of recipients, any transfers to third countries and the safeguards for them, the envisaged retention periods, and a general description of the technical and organizational security measures.
Article 30(4) further requires organizations to make these records available to the supervisory authority on request. Workday enables employers to produce an audit report as part of meeting the record-keeping requirements of the GDPR; the report gives data controllers and supervisory authorities insight into the processing activities carried out in Workday.
GDPR compliance may not seem much of a problem for small businesses with a limited number of employees, since Workday's privacy features resolve many of the challenges discussed above. Organizations with thousands of employees across the globe, or with large and frequently changing environments, do not enjoy the same level of convenience and need additional tooling to keep up with regulatory requirements.
Securiti helps clients using the Workday enterprise management cloud automate their data governance, privacy, and compliance requirements with an AI-driven privacy management suite. Securiti integrates the Workday environment with other on-premises and cloud-based services via hundreds of native connectors for automated data discovery, mapping and control.
Request a free demo to understand how to leverage Securiti PrivacyOps for Workday GDPR compliance.