Staging environments are often built around real data, sometimes real but old data, but whichever, this is still personal data. The risk matrix includes inadvertent admin access of personal data to emailing of these data to testers for review to actual external hacks. The same security measures you take in production, such as robust authentication for administrators, should be used in the staging environment. The same data protection afforded to your real customers in production needs to be replicated in your test and staging environments. Secure coding practices should be a design remit before the developer even begins.”]