Robust Privacy Program
Workday founded our privacy program on strict policies and procedures regarding access to and the use, disclosure, and transfer of customer data. The core of our privacy program is that Workday employees do not access, use, disclose, or transfer customer data unless it is in accordance with a contractual agreement or at the direction of the customer.
As data protection issues and global laws continue to evolve and become increasingly complex, Workday understands the importance of a privacy program that is embedded into our company's culture and services. Our Privacy by Design philosophy reflects this and provides our customers with the assurance they need that their data is protected and kept private.
The Workday Privacy, Ethics, and Compliance team, led by our Chief Privacy Officer, manages the privacy program and monitors its effectiveness. The team is responsible for:
- Formulating, maintaining, and updating our internal privacy policies, procedures, and tools to protect the privacy of personal data handled by employees and partners on behalf of Workday
- Monitoring compliance with our customer-facing privacy policies, which are audited annually by a third party
- Ensuring that privacy commitments made to our customers, partners, and employees are met
- Maintaining our certifications and regulatory-compliance obligations
- Training Workday staff on our privacy program, monitoring changing data privacy laws across the globe, and making necessary updates and modifications to our privacy program
Privacy and data protection require year-round vigilance, and we’re strongly committed to protecting the personal data of our customers and employees. Read more about how we embrace the key principles of privacy here.
Privacy by Design
We’ve embedded a holistic privacy program into our services, from initial design through release. This program, built on our philosophy of Privacy by Design, guides how we develop products and operate our services.
We provide transparency into the geographical regions where our customers’ data is stored and processed.
Global Data Privacy
Workday and our customers must comply with various global privacy laws and regulations. Common privacy principles across jurisdictions include notice, choice, access, use, disclosure, and security. Our application is designed to support differentiated configurations so you can meet your country's specific laws. Workday also supports compliance with international privacy regulations by maintaining a comprehensive, written information-security program that contains technical and organizational safeguards designed to prevent unauthorized access to and use or disclosure of customer data. Workday remains committed to global privacy standards, as shown by our participation in programs such as the Privacy Shield, implementation of Binding Corporate Rules (BCR), and the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules.
EU Data Privacy
The EU data privacy landscape has changed significantly due to the General Data Protection Regulation (GDPR), which took effect on May 25, 2018. The GDPR has harmonized the patchwork of data protection laws in Europe. Workday is confident that we can continue to process our customers’ personal data in alignment with the GDPR, and we are monitoring guidance that EU supervisory authorities issue on the subject. If any changes are required, we will move quickly to address them.
Workday evaluated the GDPR's requirements against our existing privacy and security practices to ensure compliance with the GDPR from day one. These practices included:
- Training employees on security and privacy practices
- Conducting Privacy Impact Assessments
- Providing data transfer mechanisms that give a lawful basis for transfers of personal data outside of the European Economic Area, including the Workday BCRs
- Maintaining records of processing activities
- Providing configurable privacy and compliance features to our customers
Privacy by Design and Privacy by Default are concepts deeply enshrined in the Workday Service. Workday recognizes that GDPR is a very important business priority for our global customers. As such, Workday continues to monitor guidance that EU supervisory authorities issue on GDPR to ensure that our compliance program remains up-to-date.
Workday understands that it is important not only for our own organization to comply with the GDPR as a data processor, but also for our customers to be able to use the Workday Service to help with their own compliance requirements. This is why Workday offers tools to help customers meet their GDPR obligations. The Workday Service enables customers to process personal data within their own private tenant. You can learn more about how we enable our customers to meet their GDPR obligations here.
In 2016, Workday signed up for the Privacy Shield on the first day the U.S. Department of Commerce launched the Privacy Shield certification process, demonstrating our strong, ongoing commitment to privacy and protecting our customers’ data. The Privacy Shield is a data transfer framework to allow personal data transfers between the EU and the U.S., as well as between Switzerland and the U.S. Four key principles are emphasized in the Privacy Shield:
- Clear safeguards and transparency obligations on U.S. government access
- Strong obligations on companies handling data
- Effective protection of individual rights, including redress options for EU citizens
- An annual joint review by the European Commission and the U.S. Department of Commerce
While companies can self-certify to the Privacy Shield, Workday uses TRUSTe as a third-party verifier of our certification. In addition, Workday continues to have third parties review our data privacy program regularly so that our customers enjoy the highest possible levels of data protection and privacy. Read more about our certification to the Privacy Shield here.
Binding Corporate Rules (BCR)
In addition to self-certifying to the Privacy Shield, Workday received approval for its Processor BCR from the European data protection authorities. The Irish Data Protection Authority served as the lead authority for Workday, given our EU headquarters in Dublin, and the data protection authorities in the UK and the Netherlands served as co-lead authorities. Workday's BCR commitments to the data subjects of our customers are available here.
APEC CBPR and PRP
Workday has certified to both the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) and the Privacy Recognition for Processors (APEC PRP). The APEC certifications are voluntary privacy standards developed for data controllers and data processors, respectively, to facilitate data transfers among APEC economies. These certifications demonstrate adherence to high privacy standards throughout the Asia-Pacific region.
Workday was one of the first companies to be certified to the APEC CBPR in March 2014, and the first to be certified for APEC PRP in September 2018. We have received a third-party attestation from TrustArc, which is the APEC Accountability Agent for the United States.
By maintaining compliance with the APEC CBPR and PRP, as well as complying with privacy requirements in the European Economic Area, Workday is able to demonstrate adherence to robust global privacy frameworks.