GDPR Compliance in Enterprise HCM: What Your Tenant Must Have
GDPR is the most operationally specific privacy regulation in the world for HR data. Four articles always hit enterprise HCM tenants — and almost every tenant has at least one violation in production. Here is how Articles 5, 17, 25, and 32 map to Workday, SuccessFactors, and Oracle HCM configuration.
Art. 5 — Data minimisation
An unconstrained security group on a compensation domain returns data for every worker, not just the team. Violation by default. Audit: every group with no org-level constraint on a PII domain is a finding.
Art. 17 — Right to erasure
If your termination workflow leaves the worker record active in supervisory orgs, in calculated field references, or in BP routing assignments, you are still processing their personal data. The deactivation must propagate.
Art. 25 — Privacy by design
Security must be the default state of new configuration, not an opt-in. New security groups should start constrained, new ISUs (integration system users) should default to 'Do Not Allow UI Sessions,' and new business processes should default to role-based routing.
Art. 32 — Security of processing
Integration credentials in personal accounts, no MFA on ISUs, missing 'Do Not Allow UI Sessions' — all in scope. Each is an Art. 32 finding.
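The audit rules for Articles 5, 17 and 32 above, written as checks over a tenant export. This is an added example, not the page's own tool or any vendor API: it runs over a constructed, simplified export, and the field names (org_constraint, ui_sessions_allowed, mfa, account_type) and the PII domain list are assumptions, not Workday identifiers.

```python
from collections import namedtuple

# Constructed domain list treated as PII for this example; not a Workday identifier.
PII_DOMAINS = {"Compensation", "Personal Data", "Bank Accounts"}
Finding = namedtuple("Finding", "article subject detail")

def audit_security_groups(groups):
    """Art. 5: a PII-domain group with no org-level constraint returns every worker."""
    return [Finding("Art. 5", g["name"], f"unconstrained access to {g['domain']}")
            for g in groups if g["domain"] in PII_DOMAINS and not g["org_constraint"]]

def audit_terminations(workers, references):
    """Art. 17: a terminated worker still referenced anywhere is still being processed."""
    terminated = {w["id"] for w in workers if w["status"] == "Terminated"}
    return [Finding("Art. 17", r["worker_id"], f"still referenced in {r['kind']}")
            for r in references if r["worker_id"] in terminated]

def audit_integration_accounts(accounts):
    """Art. 32: credentials belong in ISUs with UI sessions blocked and MFA, never personal accounts."""
    out = []
    for a in accounts:
        if a["account_type"] == "personal":
            out.append(Finding("Art. 32", a["name"], "integration credential in a personal account"))
            continue  # the UI-session and MFA checks below apply to ISUs only
        if a["ui_sessions_allowed"]:
            out.append(Finding("Art. 32", a["name"], "ISU without 'Do Not Allow UI Sessions'"))
        if not a["mfa"]:
            out.append(Finding("Art. 32", a["name"], "ISU without MFA"))
    return out

def audit_tenant(export):
    return (audit_security_groups(export["security_groups"])
            + audit_terminations(export["workers"], export["references"])
            + audit_integration_accounts(export["integration_accounts"]))

# Constructed sample export: one violation per check next to a compliant entry.
SAMPLE_EXPORT = {
    "security_groups": [
        {"name": "Comp Partners (Global)", "domain": "Compensation", "org_constraint": None},
        {"name": "Comp Partners (EMEA)", "domain": "Compensation", "org_constraint": "Supervisory: EMEA"},
    ],
    "workers": [{"id": "W-1001", "status": "Terminated"}, {"id": "W-1002", "status": "Active"}],
    "references": [{"worker_id": "W-1001", "kind": "BP routing assignment"},
                   {"worker_id": "W-1002", "kind": "supervisory org"}],
    "integration_accounts": [
        {"name": "ISU_Payroll", "account_type": "isu", "ui_sessions_allowed": True, "mfa": False},
        {"name": "ISU_Benefits", "account_type": "isu", "ui_sessions_allowed": False, "mfa": True},
        {"name": "jdoe", "account_type": "personal", "ui_sessions_allowed": True, "mfa": True},
    ],
}
```

Running `audit_tenant(SAMPLE_EXPORT)` yields five findings: the unconstrained global compensation group (Art. 5), the terminated worker still sitting in a BP routing assignment (Art. 17), and three Art. 32 items for the ISU that allows UI sessions without MFA and the personal account holding an integration credential.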
Cross-platform mapping
In SuccessFactors the equivalent surface is RBP rules, MDF object security, and the IAS trust chain. In Oracle HCM it is data role assignment, security console role inheritance, and HCM Extract scope. The principles transfer; the navigation differs.