Webinar Deck: How GDPR Should Change the Way You Test Workday

Welcome to today’s webinar

How GDPR Should Change the Way You Test Workday

(we’ll get started shortly)


Shelly Wilson, Product Marketing Manager

Today’s Topics

• What is GDPR?

• How GDPR impacts Workday testing

• Changes needed for compliance: security configuration, security testing, test data

Disclaimers

We are not law experts

This is not legal advice


1,100 KAINOS EMPLOYEES

300+ WORKSMART EMPLOYEES

Damien Taylor, Chief Technology Officer, Kainos WorkSmart

GDPR in 90 Seconds

• Why

• Who must comply

• Who it protects

• Increased accountability

• Increased rights

• Penalties of €20M or 4%

How GDPR Impacts HR Data

GDPR Article 24: Responsibility of the Controller

"the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation."

Article 25: Data Protection by Design & by Default

“… measures … which are designed to implement data-protection principles … and to integrate the necessary safeguards into the processing … ensuring that by default personal data are not made accessible without the individual’s intervention”

Article 32: Security of Processing

“measures to ensure a level of security appropriate to the risk … in particular from accidental or unlawful … disclosure of, or access to personal data”

Workday Security Configuration: Management Chain

[Org chart: one Senior Manager above two Managers, each with three Executives reporting to them]

Workday Security Configuration: N-Level/CRBSG

[Org chart: the same Senior Manager, two Managers and six Executives, now with access drawn per level of the chain]


How GDPR Impacts Workday Teams

GDPR Article 24: Responsibility of the Controller

"the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation."

Article 25: Data Protection by Design & by Default

“… measures … which are designed to implement data-protection principles … and to integrate the necessary safeguards into the processing … ensuring that by default personal data are not made accessible without the individual’s intervention”

Article 32: Security of Processing

“… a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”


Testing Challenges

• Security testing uncommon

• Complexity always increases risk

• Tenant security evolves

• Change = risk of data exposure


Advantages of Security Testing

• Verification, confidence and assurance

• Catch problems quickly

• Demonstrates due diligence

Security Test Strategy

[Diagram: one worker assigned to many security groups; key: security groups, worker]

In the real world workers can have many responsibilities.

Isolate & test security groups on an individual basis.

Security Testing Strategy

• Document all tests well

• Follow a formal process for all security configuration changes

• Test weekly

• Test at scale: Smart customers execute 60K checks consistently, in under 1 hour, aligned with GDPR
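The isolation strategy described on the two slides above, worked through as an added illustration that is not code from the deck, from Kainos or from Workday: every security group gets its own synthetic worker holding only that group, the domains that worker can see are diffed against a documented baseline, and the run also surfaces any group that exists in the tenant but was never documented. The model itself (a group-to-domains map, effective access as the union over a worker's groups), the group and domain names, and the `EXPECTED_ACCESS` baseline are all constructed assumptions, not Workday's security model or API.

```python
"""Isolated security-group testing: an illustrative model, not Workday's API.

Assumptions (constructed for this example): the security configuration is a
mapping from security group to the data domains it may view, and a worker's
effective access is the union over the groups they hold. Group and domain
names are illustrative, not real Workday identifiers.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample of a tenant's security configuration (group -> domains).
SECURITY_CONFIG: Dict[str, Set[str]] = {
    "HR Partner": {"Worker Data: Public", "Worker Data: Personal",
                   "Worker Data: Compensation"},
    "Manager": {"Worker Data: Public", "Worker Data: Compensation"},
    "Employee As Self": {"Worker Data: Public"},
    "Recruiter": {"Worker Data: Public", "Worker Data: Personal"},
}

# The documented baseline ("document all tests well"): what each group has
# been signed off to see. Anything beyond it is unapproved exposure.
EXPECTED_ACCESS: Dict[str, Set[str]] = {
    "HR Partner": {"Worker Data: Public", "Worker Data: Personal",
                   "Worker Data: Compensation"},
    "Manager": {"Worker Data: Public"},          # Compensation was never approved
    "Employee As Self": {"Worker Data: Public"},
    # "Recruiter" is absent on purpose: a group that exists in the tenant but
    # never went through the formal change process.
}


@dataclass(frozen=True)
class SyntheticWorker:
    """A test identity that exists only in the test tenant."""
    worker_id: str
    security_groups: FrozenSet[str]


def visible_domains(config: Dict[str, Set[str]], worker: SyntheticWorker) -> Set[str]:
    """Effective access is the union across the worker's groups. This is why a
    real worker with several roles cannot tell you which group granted what."""
    domains: Set[str] = set()
    for group in worker.security_groups:
        domains |= config.get(group, set())
    return domains


def check_group_in_isolation(config: Dict[str, Set[str]],
                             expected: Dict[str, Set[str]],
                             group: str) -> Tuple[bool, Set[str], Set[str]]:
    """Give a synthetic worker exactly one group and diff actual vs expected."""
    worker = SyntheticWorker(f"SYN-{group}", frozenset({group}))
    actual = visible_domains(config, worker)
    wanted = expected.get(group, set())
    extra = actual - wanted      # unapproved exposure: the GDPR-relevant failure
    missing = wanted - actual    # a functional regression, not a data leak
    return (not extra and not missing), extra, missing


def run_suite(config: Dict[str, Set[str]], expected: Dict[str, Set[str]]) -> List[dict]:
    """Test every group in the tenant and every documented group, so both
    undocumented groups and silently removed groups show up as failures."""
    results = []
    for group in sorted(set(config) | set(expected)):
        passed, extra, missing = check_group_in_isolation(config, expected, group)
        results.append({"group": group, "passed": passed,
                        "extra": sorted(extra), "missing": sorted(missing)})
    return results


def failing_groups(results: List[dict]) -> List[str]:
    """Groups whose isolated access differs from the documented baseline."""
    return [r["group"] for r in results if not r["passed"]]


if __name__ == "__main__":
    for r in run_suite(SECURITY_CONFIG, EXPECTED_ACCESS):
        status = "PASS" if r["passed"] else "FAIL"
        print(f"{status} {r['group']}: extra={r['extra']} missing={r['missing']}")
    # A worker holding Manager + Recruiter sees everything HR Partner sees;
    # only the isolated runs above reveal which group leaked Compensation.
    multi = SyntheticWorker("SYN-multi", frozenset({"Manager", "Recruiter"}))
    print("multi-role worker sees:", sorted(visible_domains(SECURITY_CONFIG, multi)))
```

The `results` list is the artefact to keep with each weekly run: it records, per group, exactly which domains were exposed beyond the baseline, which is the evidence Article 32's "regularly testing, assessing and evaluating" asks for.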

How GDPR Affects Test Execution

Article 5: Purpose Limitation Principle

"… collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes …"

Article 5: Integrity & Confidentiality Principle

“… processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing …”

Test Data & GDPR

[Diagram: Production Tenant, SBX Tenant, SBX Preview Tenant]

Manual testers test on REAL worker data.

Testers have MORE access to data in test tenants.

Test Data & GDPR: Compliance options

1. Replicate Production security on SBX and SBX Preview

2. Scramble data

3. Test using synthetic data

Note: Strongly recommend that you do not relax security configuration on SBX and SBX Preview

Option 1: Replicate Production Security on SBXs

Pros

• Controlled access

• 100% of testing

Cons

• Testing can only be performed by key people in key roles

• Limited value from tenant, e.g. cannot be used for training

Option 2: Scramble Data on SBXs

Pros

• 100% of testing

• GDPR does not apply to scrambled data

Cons

• Difficult & time consuming

• Can’t scramble history

• Lose data integrity

• Different data each week

• Regression testing is difficult


Option 3: Synthetic Data

Data that is artificial but looks and behaves like real data for the purposes of testing and training

Option 3: Synthetic Data (with Synthetic Org)

Pros

• GDPR does not apply to synthetic data

• QA teams only need access to synthetic Org

• Can create rich scenarios and history

• Consistent data weekly

• Key staff members can focus on day job

• Suitable for training

• Can be automated

Cons

• Time consuming (if doing manually)

• Some testing may not be possible using synthetic orgs
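The synthetic-org option, and the two scrambling drawbacks it answers ("can't scramble history", "different data each week"), as an added illustration that is not the deck's, Kainos Smart's or Workday's code: a seeded generator that builds the deck's org chart (one Senior Manager, two Managers, three Executives each) as synthetic workers with a coherent hire and compensation history, so the same seed regenerates identical data after every weekly refresh, and a guard that checks the generated identities against real ones before they are loaded. The name vocabulary, the reserved `example.com` mailbox domain, the fixed as-of date and the salary ranges are constructed assumptions.

```python
"""Deterministic synthetic org generator: an added illustration, not a
Kainos Smart or Workday feature.

Assumptions (constructed): the org mirrors the deck's chart; names come from
a small made-up vocabulary; e-mail uses the reserved example.com domain; the
as-of date is fixed so a run is reproducible from its seed alone.
"""
import random
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

FIRST_NAMES = ["Aoife", "Bram", "Chidi", "Dara", "Esme", "Farid", "Greta", "Hiro"]
LAST_NAMES = ["Abara", "Byrne", "Castell", "Dvorak", "Eriksen", "Fairweather"]
AS_OF = date(2018, 5, 1)       # fixed "today": a weekly refresh reproduces the same org
EMAIL_DOMAIN = "example.com"   # reserved domain, so no synthetic address is a real mailbox


@dataclass
class SyntheticWorker:
    worker_id: str
    name: str
    email: str
    level: str
    manager_id: Optional[str]
    history: List[Dict]        # hire plus yearly compensation events, oldest first


def _make_worker(rng: random.Random, n: int, level: str,
                 manager_id: Optional[str]) -> SyntheticWorker:
    first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
    worker_id = f"SYN-{n:04d}"
    hire_date = AS_OF - timedelta(days=rng.randint(400, 3650))
    salary = float(rng.randrange(30_000, 90_000, 500))
    # History is built forward from the hire date, one compensation change per
    # anniversary. Scrambling a production copy cannot yield a coherent
    # history like this; generating one can.
    history = [{"event": "Hire", "date": hire_date.isoformat(), "salary": salary}]
    years = (AS_OF - hire_date).days // 365
    for year in range(1, years + 1):
        salary = round(salary * (1 + rng.uniform(0.0, 0.05)), 2)
        history.append({"event": "Compensation Change",
                        "date": (hire_date + timedelta(days=365 * year)).isoformat(),
                        "salary": salary})
    return SyntheticWorker(worker_id, f"{first} {last}",
                           f"{worker_id.lower()}@{EMAIL_DOMAIN}", level, manager_id, history)


def build_synthetic_org(seed: int, managers: int = 2,
                        reports_per_manager: int = 3) -> List[SyntheticWorker]:
    """Same seed, same org: every weekly SBX refresh can regenerate identical data."""
    rng = random.Random(seed)
    org: List[SyntheticWorker] = []
    senior = _make_worker(rng, 1, "Senior Manager", None)
    org.append(senior)
    for _ in range(managers):
        manager = _make_worker(rng, len(org) + 1, "Manager", senior.worker_id)
        org.append(manager)
        for _ in range(reports_per_manager):
            org.append(_make_worker(rng, len(org) + 1, "Executive", manager.worker_id))
    return org


def as_records(org: List[SyntheticWorker]) -> List[Dict]:
    """Plain dicts, e.g. for an import file or a stored regression baseline."""
    return [vars(w) for w in org]


def overlaps_production(org: List[SyntheticWorker], production_emails: Set[str]) -> Set[str]:
    """Guard before loading: no synthetic identity may collide with a real one."""
    return {w.email for w in org} & {e.lower() for e in production_emails}


def chain_is_consistent(org: List[SyntheticWorker]) -> bool:
    """Every manager_id points at a worker in the org; only the top is unmanaged."""
    ids = {w.worker_id for w in org}
    tops = [w for w in org if w.manager_id is None]
    return len(tops) == 1 and all(w.manager_id in ids for w in org if w.manager_id)


if __name__ == "__main__":
    for w in build_synthetic_org(seed=2018):
        print(w.worker_id, w.level, w.name, w.email, "manager:", w.manager_id,
              "events:", len(w.history))
```

Before loading a generated org into SBX, run `overlaps_production` against an export of real addresses, and keep the `as_records` output of the chosen seed as the baseline that regression tests compare against week to week.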

In Summary

Explore an N-Level security configuration

Start security testing

Use synthetic workers for testing

Next Webinar

Workday & GDPR: Reducing Risk & Data Exposure Thru Smart™ Automated Testing

May 22, 2018

https://bit.ly/2rxjdwV

Survey: https://www.surveymonkey.co.uk/r/BDMW3JW

Workday, GDPR & You: A Benchmarking Survey


Thanks for coming.