The EU General Data Protection Regulation (GDPR) is Europe's new privacy regulation that aims to provide for harmonization of data privacy laws across Europe and to protect and empower all EU citizens data privacy. The GDPR affects all organisations that process personal data of anyone in the European Union (EU) and in non-EU members of the European Economic Area (EEA), resident or not. This holds no matter where the user is, or where the processing takes place, even if the processing organisation is located outside the EU/EEA. It must be implemented in national law by all member states within European Union and by agreement in all non-EU-member states of the European Economic Area effective date 25 May 2018. GDPR regulates the core business of identity federations, e.g. release of personal information from an Identity Provider to a Service Provider. Therefore, it is important for all parties within a federated environment to understand the impact of the new regulation. All IdPs, SPs and federation operators within EU/EEA are directly in the scope of GDPR. The increased territorial scope of the new regulation also makes all Service Providers that accept end users from within EU/EEA affected by GDPR even if they operate outside EU/EEA. The group of authors evaluated the impact that GDPR regulation has on trust and identity eduroam and eduGAIN services. This lightning talk will present the typical personal data flows in eduroam and eduGAIN services and the advisory for different stakeholders on how to address the GDPR requirements.