Experimental Evaluation of a Checklist-Based Inspection Technique to Verify the Compliance of Software Systems with the Brazilian General Data Protection Law
Diego André Cerqueira, Rafael Maiani de Mello, Guilherme Horta Travassos

TL;DR
This study evaluates the effectiveness of LGPDCheck, a checklist-based inspection technique, in verifying software compliance with Brazil's data protection law, comparing it to ad-hoc methods through controlled experiments.
Contribution
Introduces LGPDCheck, a novel checklist-based inspection method, and empirically assesses its performance against ad-hoc techniques for privacy compliance verification.
Findings
LGPDCheck improves defect detection accuracy.
LGPDCheck reduces review time compared to ad-hoc methods.
Participants showed higher effectiveness with LGPDCheck.
Abstract
Recent laws to ensure the security and protection of personal data establish new software requirements. Consequently, new technologies are needed to guarantee software quality under the perception of privacy and protection of personal data. Therefore, we created a checklist-based inspection technique (LGPDCheck) to support the identification of defects in software artifacts based on the principles established by the Brazilian General Data Protection Law (LGPD). Objective/Aim: To evaluate the effectiveness and efficiency of LGPDCheck for verifying privacy and data protection (PDP) in software artifacts compared to ad-hoc techniques. Method: To assess LGPDCheck and ad-hoc techniques experimentally through a quasi-experiment (two factors, five treatments). The data will be collected from IoT-based health software systems built by software engineering students from the Federal University of…
Taxonomy
Topics: Reliability and Agreement in Measurement · Imbalanced Data Classification Techniques · Software Reliability and Analysis Research
