I just wanted to check how to deal with user data containing other users' data - if a plugin is to export that data for GDPR compliance.
Using the Privacy API, fields can be selected to be exported, but I'm slightly confused on how to deal with this scenario.
Real-world example - the Advanced Notifications plugin logs the notification's details which include the creator and (if applicable) deleter. Additionally, in a different table, it logs the users that have seen notifications (and which notifications). So, let's assume a teacher created a notification, the site manager later deleted it, and several students have been recorded to have seen it. What information are to be exported if an export of the data is requested by the:
- Site Manager; and
A simplified version of the tables for the plugin is as follows:
(Attached screenshot below describes each field in more detail)
I hope this makes sense - let me know if any further clarification is required.
Thanks in advance!
PS. Bonus Question - what happens if one of those users request 'to be forgotten'?