Romolo Tavani - Fotolia

Workday ringfences support in Europe after Safe Harbour ruled unsafe

US cloud HR and financial services provider reponds to Safe Harbour failure by ringfencing European data

HR and financial reporting supplier Workday is to offer businesses the ability to keep data ringfenced in Europe, following the collapse of the Safe Harbour agreement between the US and the UK.

Workday plans to launch a service in the next six months that will limit maintenance access to developers outside the US, while holding company information only in European datacentres.

The programme aims to ease the concerns of businesses in Germany, Austria and other countries with strict privacy laws, as well as businesses which deal with particularly sensitive personal data.

Safe Harbour, an agreement that permitted data to be transferred between the EU and the US, collapsed in October 2015 after the European Court ruled it was invalid, following a legal challenge by Max Schrems, an Austrian law student.

“The new EU support policy for customers in European datacentres means data is processed only in Europe, and they can choose to have data accessed only by European personnel,” said Charno Fernandez, European president of Workday, speaking at the Workday Rising conference in Dublin.

European companies nervous about using US datacentres

Concerns over the security of data stored in the US, which can be accessed by the US government under the Patriot Act, have led some companies to transfer their datacentres from the US to Europe.

Elekta, a high-tech healthcare company, headquartered in Sweden, told Computer Weekly that it transferred its human resources (HR) data from Workday’s datacentres in the US to Dublin three months ago, after its works council raised privacy concerns.

“That was one of the main conditions from the German works council – that the data should be hosted in Europe,” said Raymond L’homme, global HR business application manager at Elekta.

“With the Patriot Act, they did not really feel the data was secure in North America, because if government asked for it, it would just get access.”

Rockwool, a manufacturing company headquartered in Denmark, also disclosed that its executives were nervous about storing HR data on Workday’s US datacentres, following the Snowden revelations.

“Wikileaks was in the news, and the phone tapping of Angela Merkel. They were less concerned, knowing data was going to be stored in Dublin,” said Wouter Bak, director for Rockwool’s HR centre of excellence.

An extra level of data protection

Under the proposed plan, a team of more than 400 developers in Ireland, along with a team of developers in New Zealand, will provide round-the-clock support to European companies that do not want their data to be accessed by the US.

Workday said the idea had won backing from the company’s European advisory council, made up of 18 Workday customers.

Leighanne Levensaler, senior vice-president for products at Workday, said: “They have already been through this with their privacy, security and works councils, so they [agree] it’s going to be very appealing for prospective customers.”

Workday said the new measures were designed to reassure potential customers, and existing customers would still be protected through model data privacy contracts, which are unaffected by the failure of Safe Harbour.

“The majority of customers and prospects are completely fine with the policies we have in place today,” said Fernandez.

Russian data protection concerns

Separately, Workday said it was working with technology partners to comply with new data protection laws in Russia, which require copies of all data to be held within the country.

The company has no plans to build a datacentre in Russia, but is developing reporting tools that will allow company data to be shared internationally.

“We are working collaboratively with our customers, and their legal council and compliance officers, to ensure we do everything we can to support them,” said Levensaller.

Local developers key to EU support policy

Aneel Bhusri, founder and co-CEO of Workday, said the EU support policy was only possible because the company had a large team of developers in Dublin.

“If there are issues in Europe, we do not have to go back to the US to solve them,” he told Computer Weekly.

Workday said the design of its cloud service, which gives all its customers access to the same version of the Workday software, made it easier to limit data access to specific geographies or individuals.

“If you are stitching different applications, and you are coming from acquisitions and different data models and datacentres, that is not going to be easy,” he said.

Read more on Regulatory compliance and standard requirements