Compliance Requirements in Large-Scale Software Development: An Industrial Case Study

TL;DR

This paper presents an industrial case study at Ericsson, providing empirical insights into the practical challenges faced in ensuring regulatory compliance in large-scale software development, especially concerning GDPR and other standards.

Contribution

It offers new empirical evidence on compliance challenges faced by industry practitioners, filling a gap in the existing research on regulatory compliance in software engineering.

Findings

Identifies key practical challenges in compliance checking and analysis.

Highlights the gap between theoretical models and industrial practice.

Provides insights into compliance management in a large telecommunications company.

Abstract

Regulatory compliance is a well-studied area, including research on how to model, check, analyse, enact, and verify compliance of software. However, while the theoretical body of knowledge is vast, empirical evidence on challenges with regulatory compliance, as faced by industrial practitioners particularly in the Software Engineering domain, is still lacking. In this paper, we report on an industrial case study which aims at providing insights into common practices and challenges with checking and analysing regulatory compliance, and we discuss our insights in direct relation to the state of reported evidence. Our study is performed at Ericsson AB, a large telecommunications company, which must comply to both locally and internationally governing regulatory entities and standards such as GDPR. The main contributions of this work are empirical evidence on challenges experienced by Ericsson that complement the existing body of knowledge on regulatory compliance.