I am also interested in this topic.
It must be very tantalizing for many companies to avoid a lot of the risks with GDPR altogether by not actually hosting sensitive data at all.
I am working on a couple ideas on this topic. Possibly for an article. So if anyone is interested in sharing some thoughts in this direction I would be very interested to discussing it.