From a GDPR perspective, it all depends on what types of information specifically on EU citizens you have in the system. If none of your Workfront-using employees are EU citizens and you aren't storing any information on customers/clients in the EU, then you really don't have much to be concerned about. If you do have users that are EU citizens, think about the kind of information you store on their account. If you have them upload pictures of themselves, many GDPR experts interpret that as sensitive data which can have additional implications in case of a breach. But in general, if all you have is their name and corporate e-mail address, then even in the case of a breach there aren't a lot of GDPR specific concerns. One area to think about, most people Deactivate WF users instead of deleting them altogether. If you never delete and those old accounts are for EU citizens, then there are some questions as to whether it is reasonable for you to keep that information (even if it's just their name). You should consult your organizations electronic records destruction policy and make sure you adhere to it. Lastly, if you are using it for marketing campaign purposes and you are uploading mailing lists for the campaigns to the Documents tab, if anyone in those lists are EU citizens and WF has a breach, you would have to inform them. To me, it is a risky proposition to keep that kind of data in WF for that very reason. All that is to say, if you have information on EU citizens in WF, it should be in your Data Register maintained by the Data Protection Officer. Jason Maust McGuireWoods LLP