We have a privacy API in Moodle, which covers data requests and deletion - good.
What we do not have covered, in terms of managing users' data, is the situation where a plugin sends data externally.
If I host a Moodle platform, I must inform my users how their data is being used. If I install a plugin that sends users' data externally, I should really know about it. I should know:
* what data is being sent
* where it is sent (because of the GDPR it's important to know if it's sent within the EU or outside)
Such information is usually missing from the plugin's description, and the only way to find out about it is to review the code of the plugin. Let's take an example - integration with an external service, which may be quite common: https://moodle.org/plugins/block_iprbookshop_ru . The block sends the following information:
* user id
* first name
* last name
* email address
This is not necessarily a bad thing, as this is a service that you want to use (since you installed this plugin) - just maybe we should somehow require that this kind of information is exposed in the plugin description (what users' data is sent and where)?