Workday has announced, in a blog by Barbara Cosgrove, Vice President, Chief Privacy Officer, Workday, that it has attained the new Asia-Pacific Privacy Certification. The certification was carried out by TrustArc and includes an assessment process to ensure the company and its software meet the nine privacy principles of the APEC Privacy Framework.
APEC consists of 21 Pacific Rim countries and the privacy framework was adopted by them in 2004. In 2011 APEC implemented the APEC Cross Border Rules System to build trust in the online marketplace and help with the flow of information and confidence across borders. It has four rules: self-assessment, compliance review, recognition/acceptance, and dispute resolution and enforcement. The US is the first formal participant and the FTC (Federal Trade Commission) is the first enforcement authority.
Cosgrove claims that Workday is the first company that has achieved the TRUSTe APEC Processor mark. However, TrustArc themselves list several others including Box Inc., Hexaware Technologies Inc., MD Connect Inc. and Yodlee Inc.
It is perhaps surprising that Oracle has not achieved the certification, as it was involved in creating the framework. Joseph Alhadeff, Chief Privacy Officer at Oracle Corporation, commenting in 2013, said: “Oracle has participated in the process of developing the APEC Privacy Framework as well as the subsequent work on Cross Border Privacy Rules (CBPRs) and now on interoperability. We consider TRUSTe’s recognition as the first certified accountability agent to be an important milestone in making the implementation of CBPRs a reality.”
There is no reference to Oracle as receiving the TRUSTe mark for either CBPR or PRP certification; Workday has both.
Privacy key for Workday
Workday continues to demonstrate leadership on privacy. For a Finance and HR ERP vendor, this is growing in importance in an evolving legal landscape. Workday recently renewed its EU-U.S. Privacy Shield Framework certification. It also built its product on a basis of privacy by design. Cosgrove revealed the seven pillars of that philosophy in an earlier blog. It has constantly talked about GDPR. This announcement is the latest indication that it understands privacy concerns and has its house in order on them.
Cosgrove concluded by saying: “At Workday, we take this and our other certifications seriously, and are pleased to offer further proof of the strong privacy and security protections we provide for customer data.”
Enterprise Times: What does it mean
For many companies, achieving certification for voluntary frameworks is often seen as budget that could be spent elsewhere. In the growing climate of privacy legislation with teeth, this could be seen as naïve. Certification does not mean that Workday is completely immune to a hack or data breach. It does show that it is doing everything it can to ensure that it will not happen. Independent assessments may seem a needless expense to some. However, for companies operating in certain industries, regions and countries it is a strong vindication of their attitude and capability to ensure privacy.
Workday does not yet have certification for GDPR, but there are currently no accredited certification bodies according to the ICO. The ICO documentation states: “The ICO has no plans to accredit certification bodies or carry out certification at this time, although the GDPR does allow this.
“Currently there are no approved certification schemes or accredited certification bodies for issuing GDPR certificates.”
This may change. If it does, expect Workday to be one of the first ones in the queue to become certified.
For now, the new APEC PRP mark will help Workday as it looks to expand and grow across Asia, especially among multinational companies looking for cloud-based HR and Finance systems to support their operations in the region.