I'm the creator of our country's largest WordPress / WooCommerce Facebook help group and would like to ask you, and maybe the community, about a thing around GDPR and how it is really hard / next to impossible to actually follow it, by the nature of what makes WordPress what it is today. This is actually a BIG question :D

Okay so... Our day started like any other Saturday. Everyone was all chilly and happy, then out of the blue we got another question from our members: "Is it okay to send FTP details to a plugin developer to troubleshoot the issue we are having with WooCommerce? We have already provided WordPress admin credentials."

This is pretty normal practice in the WordPress world, right? Plugin developers help out on issues, and if they can't replicate an issue, they need the access so they can check if it is a plugin issue or a server issue and fix things.

Alright, so here comes the issue after we think about GDPR. If this developer happens to be outside the EU, then you would need to anonymize customer data and make an NDA agreement with that exact dev or company that is behind the plugin so they can come around and fix things. Normally there wouldn't be an issue if the actual problem can be solved without needing the actual data. But if there are, for example, VAT problems that need to be checked, the actual data is pretty important. This, in turn, creates the need for staging websites.

Anonymization of the actual data is of course an option. There doesn't seem to be a plugin for it though, so a regular WordPress website owner can't use that at all. There needs to be a developer behind it who actually knows what needs to be deleted.

When you create a staging website at the most common webhosting companies around, they generally use cPanel, etc. If you create a staging website with the provided tools that the webhost has, it creates a copy of that installation. Could a regular person use that and provide access for the fixing developer that way? No, he/she can't.
Since most of the platforms do not provide FTP access to a specific folder in a cPanel installation, if you give them access you are giving them access to the whole server that even has the main installation. So there is still a possibility of a breach, since a developer that knows how the WordPress ecosystem works can access the main website's data even with only FTP access. The passwords for the actual data are stored in plain text, right there visible in the files of the main website. You would just need to figure out the point to actually access them. Or a dirty developer could just create a script to download the information.

Separate servers would be needed (to make it GDPR right). Since many of the webhosts don't provide the ability to create the installation on another server, this would pretty much force people to get a completely different server in which the installation resides, from where you could anonymize or outright delete all the customer information. This of course doubles the cost of webhosting, since another server with all the media etc. is the same size as the normal one. (Of course a dev could actually exclude some information that he/she doesn't need, but again, this is completely outside of a regular person's knowledge.)

After the update, everything is fine and dandy? Okay, let's think for a second that the developer has done the fixes in the staging environment and you would need to get the website working again. One just can't simply bring the staging environment to production, since all of the customer data would be gone. The person would need to either:

1. Get the updated plugin / theme file that he / she can then upload to the main website.
2. Have the knowledge to actually replace the certain files that have been changed.

In some cases where the actual website is completely down, a person can't access the website to do option 1. So the knowledge of option 2 would still be needed in some cases.

Why I'm worried?
Basically, the WordPress ecosystem is awesome, I love it. The community is helping out everyone, but following the rules of the GDPR a lot of things have changed. Well, changed.. and changed.. The behaviors of the helpers / plugin and theme creators haven't changed at all, and still folks provide credentials like they used to. But in terms of GDPR these are grey lines and, in some cases, downright wrong.

How could we as a community help out regular website owners to comply with the GDPR? We developers can't actually go ahead and teach every single small business owner who is in charge of the GDPR in the company how to do things: what FTP means and what access you give to a person that has FTP credentials, or simply that if you shared your WordPress credentials you already gave out all-in access. (Hence... the first question, where the person had already shared access to the WordPress admin, which already violates the GDPR and makes the downloading of the data super easy. But the person in question didn't know this, since the person didn't understand the nature of what he was giving access to.)

We can't actually enforce the nature of how webhosts actually work in terms of creating staging sites that actually work in a way that is GDPR safe. What can we do so that a regular person understands how to get help? GDPR assumes that there is an actual developer / person who is in charge of the data. This is most certainly wrong, since even knowing about FTP things is not something that is actually talked about in schools etc. How can we help these people the best? Any thoughts about how to change the habits in a way that makes complying with the GDPR a normal thing?
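A concrete illustration of the anonymization step the post says is missing for regular site owners. The script below is an added example written for this thread; it is not code from WordPress, WooCommerce, any plugin, or the original poster. It assumes the standard WooCommerce meta key names for billing and shipping fields (`billing_*` / `shipping_*` in `wp_usermeta`, `_billing_*` / `_shipping_*` / `_customer_ip_address` in `wp_postmeta`), assumes user ID 1 is the site admin account the developer will use, and runs against a constructed in-memory SQLite stand-in for the three relevant tables so it executes offline. On a real staging copy the same UPDATE statements would be run against the MySQL database with the site's table prefix, never against production. It scrubs identifying fields but keeps country and order totals so a VAT problem can still be reproduced, and ends with a check that a known customer value no longer appears anywhere in the copy.

```python
"""
Anonymize WooCommerce customer data in a COPY of a site database before
handing that copy to an outside developer.

Example code added to this thread, not from WordPress, WooCommerce or the
original poster.  Assumptions: standard WooCommerce meta key names; user ID 1
is the site admin; the in-memory SQLite schema below is a constructed
stand-in for the real MySQL tables.
"""
import hashlib
import sqlite3

# Assumed WooCommerce meta keys holding personal data (standard key names).
# Country/state keys are deliberately NOT listed: a VAT bug needs them.
USER_PII_KEYS = [p + f for p in ("billing_", "shipping_") for f in
                 ("first_name", "last_name", "company", "address_1",
                  "address_2", "city", "postcode", "phone", "email")]
ORDER_PII_KEYS = ["_" + k for k in USER_PII_KEYS] + [
    "_customer_ip_address", "_customer_user_agent"]


def pseudonym(kind, ident):
    """Stable, non-reversible placeholder so rows can still be told apart."""
    digest = hashlib.sha256(f"{kind}:{ident}".encode()).hexdigest()[:10]
    return f"{kind}-{digest}"


def anonymize(conn, prefix="wp_"):
    """Rewrite PII in users, usermeta and order postmeta; return row counts."""
    cur = conn.cursor()
    counts = {"users": 0, "usermeta": 0, "postmeta": 0}
    # 1. wp_users: keep the admin (assumed ID 1) usable, scrub every customer
    #    account and clear its password hash (a blank hash matches nothing).
    for (uid,) in cur.execute(
            f"SELECT ID FROM {prefix}users WHERE ID <> 1").fetchall():
        alias = pseudonym("user", uid)
        cur.execute(f"UPDATE {prefix}users SET user_login=?, user_nicename=?, "
                    f"display_name=?, user_email=?, user_pass='' WHERE ID=?",
                    (alias, alias, alias, f"{alias}@example.invalid", uid))
        counts["users"] += 1
    # 2. wp_usermeta: saved billing/shipping details per customer.
    for key in USER_PII_KEYS:
        value = "anon@example.invalid" if key.endswith("email") else "REDACTED"
        cur.execute(f"UPDATE {prefix}usermeta SET meta_value=? WHERE meta_key=?",
                    (value, key))
        counts["usermeta"] += cur.rowcount
    # 3. wp_postmeta: the address/IP snapshot stored on every shop_order post.
    for key in ORDER_PII_KEYS:
        value = "anon@example.invalid" if key.endswith("email") else "REDACTED"
        cur.execute(f"UPDATE {prefix}postmeta SET meta_value=? WHERE meta_key=?",
                    (value, key))
        counts["postmeta"] += cur.rowcount
    conn.commit()
    return counts


def remaining_matches(conn, needle, prefix="wp_"):
    """Count rows in the three tables still containing `needle` (e.g. a real
    customer e-mail or IP).  Run this before handing the copy over."""
    cur = conn.cursor()
    like = f"%{needle}%"
    n = cur.execute(f"SELECT COUNT(*) FROM {prefix}users WHERE user_email LIKE ? "
                    f"OR user_login LIKE ? OR display_name LIKE ?",
                    (like, like, like)).fetchone()[0]
    n += cur.execute(f"SELECT COUNT(*) FROM {prefix}usermeta WHERE meta_value LIKE ?",
                     (like,)).fetchone()[0]
    n += cur.execute(f"SELECT COUNT(*) FROM {prefix}postmeta WHERE meta_value LIKE ?",
                     (like,)).fetchone()[0]
    return n


def build_sample_db():
    """Constructed mini-schema and sample rows mirroring the three tables."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
              "user_pass TEXT, user_nicename TEXT, user_email TEXT, display_name TEXT)")
    c.execute("CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, "
              "user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    c.execute("CREATE TABLE wp_postmeta (meta_id INTEGER PRIMARY KEY, "
              "post_id INTEGER, meta_key TEXT, meta_value TEXT)")
    c.executemany("INSERT INTO wp_users VALUES (?,?,?,?,?,?)", [
        (1, "admin", "$P$hash", "admin", "admin@shop.example", "Shop Admin"),
        (2, "anna.k", "$P$hash", "anna-k", "anna.k@example.com", "Anna K"),
    ])
    c.executemany("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
                  "VALUES (?,?,?)", [
        (2, "billing_first_name", "Anna"),
        (2, "billing_email", "anna.k@example.com"),
        (2, "billing_country", "FI"),
        (2, "billing_phone", "+358 40 1234567"),
    ])
    c.executemany("INSERT INTO wp_postmeta (post_id, meta_key, meta_value) "
                  "VALUES (?,?,?)", [
        (100, "_billing_email", "anna.k@example.com"),
        (100, "_billing_country", "FI"),
        (100, "_customer_ip_address", "198.51.100.7"),
        (100, "_order_total", "49.90"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("rows matching 'anna' before:", remaining_matches(db, "anna"))
    print("rows changed:", anonymize(db))
    print("rows matching 'anna' after:", remaining_matches(db, "anna"))
```

The copy handed to the developer should also have its own database credentials in its wp-config.php rather than the production ones, otherwise the anonymized copy still points at, or reveals how to reach, the live data the post is worried about.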