The bogeyman of the hoarders of personal data, GDPR, also reared its head. Black Duck noted that responsibility for compliance lies not only with auditing one's own code and processes, but also with ensuring that any open source in use is compliant.
So best to just use closed source software and then any non-compliance issues aren't your problem?
Or is it actually more a case that even with closed source software you are responsible for ensuring it's compliant, even though you have no access to the code? Given everything I have heard about GDPR I would be shocked if using closed source software absolved an organisation from liability, as that is going to be far too easy to abuse. (All our software is sold to us in binary form by Subsidiary Software Inc, so we can't be liable. Oh, their EULA disclaims all liability so they can't be liable either.)
This whole question gets even more scary with things like CPU hardware compromises: Who is liable if the Intel Management Engine gets compromised and used to find and exfiltrate protected data?