Reading http://techblog.bozho.net/gdpr-practical-guide-developers/
>Don’t assume 3rd parties are compliant – you are responsible if there’s a data breach in one of the 3rd parties (e.g. “processors”) to which you send personal data.
hmm how do we federate now?