Modelling GDPR-based Privacy Requirements with Software Engineering Diagrams: A Systematic Literature Review
Evangelia Vanezi, Georgia M. Kapitsaki, Anna Philippou

TL;DR
This systematic review examines how Software Engineering diagrams are used to model GDPR privacy requirements, highlighting gaps and future directions for better compliance integration.
Contribution
It provides a comprehensive analysis of existing research on GDPR privacy requirements modelling with diagrams, identifying key gaps and proposing future research directions.
Findings
Need for inter-diagram integration
Lack of full lifecycle traceability mechanisms
Insufficient tool support and automated compliance checking
Abstract
The application of the General Data Protection Regulation (GDPR) has significantly affected privacy requirements elicitation, modelling, and verification in Software Engineering (SE). One of the affected areas is requirements visualisation through modelling diagrams, which plays a crucial role in ensuring privacy compliance, as functional system requirements should be integrated with GDPR-based privacy requirements. We present a systematic literature review on how SE diagrams have been employed to capture and integrate GDPR-based privacy requirements into software system design. The study aims to identify the existing research landscape, existing gaps, and directions for future work. Following a rigorous search protocol and addressing two research questions, 18 primary studies published between 2017 and 2025 were selected, analysed, and categorised based on (i) the diagram types used,…
