Privacy by Design: Aligning GDPR and Software Engineering Specifications with a Requirements Engineering Approach

TL;DR

This paper presents a requirements engineering approach that aligns GDPR legal concepts with software specifications to enhance privacy by design, addressing practical challenges faced by practitioners in achieving compliance.

Contribution

It introduces a novel modeling approach that captures GDPR legal content within requirements specifications to support transparency, traceability, and legal knowledge integration.

Findings

The approach supports capturing legal knowledge in specifications.

It enhances traceability and transparency in privacy requirements.

Practitioners find the approach suitable for practical GDPR compliance.

Abstract

Context: Consistent requirements and system specifications are essential for the compliance of software systems towards the General Data Protection Regulation (GDPR). Both artefacts need to be grounded in the original text and conjointly assure the achievement of privacy by design (PbD). Objectives: There is little understanding of the perspectives of practitioners on specification objectives and goals to address PbD. Existing approaches do not account for the complex intersection between problem and solution space expressed in GDPR. In this study we explore the demand for conjoint requirements and system specification for PbD and suggest an approach to address this demand. Methods: We reviewed secondary and related primary studies and conducted interviews with practitioners to (1) investigate the state-of-practice and (2) understand the underlying specification objectives and goals (e.g., traceability). We developed and evaluated an approach for requirements and systems specification for PbD, and evaluated it against the specification objectives. Results: The relationship between problem and solution space, as expressed in GDPR, is instrumental in supporting PbD. We demonstrate how our approach, based on the modeling GDPR content with original legal concepts, contributes to specification objectives of capturing legal knowledge, supporting specification transparency, and traceability. Conclusion: GDPR demands need to be addressed throughout different levels of abstraction in the engineering lifecycle to achieve PbD. Legal knowledge specified in the GDPR text should be captured in specifications to address the demands of different stakeholders and ensure compliance. While our results confirm the suitability of our approach to address practical needs, we also revealed specific needs for the future effective operationalization of the approach.