From Architecture to Functionality: How We Address GDPR with Workday
GDPR's right to erasure requires companies to thoroughly delete user data under the premise of being "lawful, auditable, and traceable." But do you truly understand what requirements this places on your HR system? This isn't a functional issue, but rather a system capability challenge. How have we addressed this challenge in Workday? What must be considered at the architectural level? Which functionalities can be efficiently implemented? Read this article to understand our approach and thinking.
GDPR "Right to Erasure" — The Biggest Challenge for HR Systems
Article 17 of GDPR (European Union General Data Protection Regulation) grants data subjects the "right to erasure," also known as the "right to be forgotten": when employees leave, candidates withdraw applications, or data processing purposes no longer exist, companies must thoroughly delete relevant personal data "without undue delay," including sending deletion requests to data recipients where data has been made public.
For HR systems, this right is not simply "clicking the delete button," but places stringent requirements on system architecture, data flow tracking, audit capabilities, and cross-system consistency, particularly in:
Scattered data locations, difficult to identify with one click HR data is often distributed across multiple modules such as recruitment, employment, transfers, departures, performance, reports, and may include logs, copies, etc. The deletion task far exceeds a single record.
Widespread data copies, deletion requires "internal and external synchronization" In actual operations, personnel data is often synchronized to reporting platforms, data warehouses, backup environments, and other paths through system integration; it may also be shared with third-party platforms (such as recruitment websites, headhunter systems) due to business cooperation or recruitment processes. GDPR requires controllers not only to clean all copies within their own systems, but also to take reasonable technical measures to notify recipients for joint deletion when data has been made public or shared. This makes "complete deletion" extremely challenging, testing not only inter-system data tracking capabilities but also involving legal obligations for external notification.
Lack of consistency and audit support GDPR requires controllers to maintain corresponding operational records (when, why, by whom deletion was initiated) for regulatory inquiries. How to prove to regulatory authorities that data has been "completely cleaned"? Who deleted it? When was it deleted? All require traceable records.
In summary, whether HR systems can thoroughly delete data, provide audit trails, and clean external copies is not just a functional point, but a comprehensive challenge across multiple dimensions including system architecture, workflows, permission management, and interface design.
GDPR violations can result in fines of up to €20 million or 4% of global annual turnover (whichever is higher). As of 2025, cumulative GDPR fines have exceeded €5.8 billion. Cases of fines specifically for failing to fulfill "access + deletion requests" have already appeared, such as a Polish educational institution fined €100,000 for refusing deletion requests; French Carrefour fined €3.05 million for failing to respond promptly to access/deletion requests.
Workday Architecture Highlights: Supporting True Implementation of "Right to Erasure"
Workday is built on a metadata-driven architectural foundation, with all UI, transaction logic, and reporting layers developed based on a unified business object model. Every piece of personal data in the system is centrally hosted in structured objects, ensuring data is identifiable, traceable, and deletable.
This architecture plays a decisive role in GDPR "right to erasure" implementation, mainly reflected in three dimensions:
✅ 1. Structured business objects with centralized data to avoid omissions Workday's data modeling core is "Business Objects," including Worker, Candidate, Position, etc. These objects are highly structured with lifecycle management capabilities, with all related data attached to the object for unified reading, modification, and deletion. For example, the two most core objects in HR business: all employee and candidate data—from identity information, contracts, benefits, historical changes to approval records—are centrally hosted under Worker and Candidate objects. The system tracks all sub-items through reference mechanisms. Once a deletion request is initiated, all associated information can be automatically identified and cleared by the system, avoiding residual data forming "compliance blind spots."
✅ 2. Unified metadata model with automatic synchronization across system paths Whether viewing in UI pages, exporting in reports, or integrating through APIs, the system calls the same underlying data model. A field update (such as bank account) takes effect across all layer calls, meaning when a record is deleted, UI in various modules, related reports, interface outputs, etc., can all respond synchronously, eliminating "fake deletion" where "frontend can't see but backend still exists."
✅ 3. Object service layer management with controllable and auditable deletion operations All object creation, modification, and deletion are executed through Workday's Object Management Services, with the system automatically recording operation logs (audit trail)—including operator, time, and field change details. Additionally, deletion behavior can be configured with permissions and processes (such as whether approval is needed or defining who can delete), comprehensively covering GDPR's technical requirements for "right to erasure" from permission prevention to operation auditing.
Functional Support: Making "Right to Erasure" a System Capability
In the previous section, we introduced how Workday's architectural layer supports "unified identification and centralized operation" for data deletion. Beyond basic capabilities like object models and audit trails, Workday also provides multi-dimensional, configurable "right to erasure" implementation paths at the product functionality level, not limited to data clearing but also including permission restrictions and data flow monitoring.
The following are several key functional categories closely related to the right to erasure:
✅ 1. Multi-object data purging capabilities Workday supports differentiated, configurable "data purging" for different populations, with deletion being permanent and irreversible, meeting GDPR's strict deletion requirements. The system supports purging of departed employees, candidates, and sensitive data of current employees, with customizable scope through configuration.
✅ 2. Conditional access control: Making "unauthorized viewers" automatically "unable to see" GDPR focuses not only on whether data is "deleted" but emphasizes whether data is "used within legal scope." Workday's Conditional Access security model is another layer of "data exit mechanism." Through Workday Security Model configuration, it can achieve:
Need-to-Know visibility: For example, HRBP can only see employee performance for their responsible BU;
Field-level control: Such as hiding race fields, religion fields, limiting access to necessary roles only;
Aggregated data display: Users only see aggregated results, not detailed records (meeting reporting needs without exposing privacy).
✅ 3. Integration reporting support: Identifying whether data has been synchronized externally One challenge of GDPR's right to erasure is that data exists not only in the local system but may also be synchronized to other platforms or external systems. Workday provides Integration Reporting Data Source (RDS) functionality for integration processes, helping identify:
Which fields participate in integration;
Which data is output as Integration Output;
Quickly determining during audits "whether these fields have been synchronized to other systems";
Customer Value: From Compliance Cost to Competitive Advantage
GDPR's "right to erasure" may seem like a regulatory compliance burden, but it's actually a key opportunity for enterprises to build trust, optimize governance, and improve efficiency in the digital age.
Leveraging Workday's native support in data architecture and system functionality, enterprises can transform originally complex, tedious, manual-intervention-dependent "data deletion" processes into configurable, auditable, deliverable system capabilities within the platform.
This not only makes GDPR compliance lighter but more importantly brings the following four aspects of customer value:
In actual project implementation, we observe that systems with such capabilities can form closed loops in:
Internal system collaboration (HR, IT, legal role cooperation);
Cross-platform integration (cleaning synchronized copies and interface outputs);
Deletion path tracing (user initiation, system execution, log auditing);
truly achieving "internal system governance" without requiring "patch-style data deletion" manual operations, avoiding long-tail risks from fragmented governance.
More importantly, this "technical architecture-level compliance capability" is becoming the foundation of enterprise digital governance—whether you can comply is being used by customers, candidates, and partners as an indicator of whether you are "trustworthy."
Under GDPR's framework, the "right to erasure" is not only user empowerment but a deep examination of enterprise system capabilities. Through this article, we explored how Workday helps enterprises achieve a complete closed loop from "identifying data" to "restricting access" to "complete deletion" at both architectural and functional levels.
For us, compliance is not a one-time checklist but an architectural mindset, system capability, and team consensus.
📩 The InteDao team has continuously promoted GDPR and other compliance implementations in multiple large enterprise projects, accumulating deep experience from technical solution design to business process adaptation.
If you have questions about the concepts mentioned in today's article or specific implementation processes, or if you're considering how to make HR systems support:
Other GDPR data rights (such as access rights, right to be informed, etc.)
GDPR's most complex application: the recruitment field;
SOX, CCPA, China Personal Information Protection Law and other compliance requirements;
Or planning to build a global data governance framework adapted to multi-country regulations,
Please contact us!
Interested in or have questions about the perspectives and content in this article? As practitioners deeply rooted in the HRIS field, we are committed to helping more enterprises and individuals efficiently complete HRIS projects. If you're looking for more professional and customized solutions, please contact us via LinkedIn. Let's explore together how to make HRIS truly empower your business!