Compliance; Data protection; GDPR; Requirements; Systematic mapping; Engineering perspective; General data protection regulations; Protection requirements; Regulatory datum; Requirement; Requirement engineering; Software development life-cycle; Systematic mapping studies; Software; Information Systems
Résumé :
[en] Data protection compliance is critical from a requirements engineering (RE) perspective, both from a software development lifecycle (SDLC) perspective and regulatory compliance. Not including these requirements from the early phases of the SDLC can prove costly and challenging afterward. The general data protection regulation (GDPR) from the European Union (EU) sets a list of requirements that organizations working within its scope should satisfy. However, these requirements are complex to work with, as legal prose tends to be vague and imprecise, and not all requirements have received the same attention from researchers. This study aims to identify the research published in RE for helping compliance with regulatory data protection requirements. We gathered and analyzed 90 articles from 2016 to 2022 through a systematic mapping study. We analyzed key trends in the sample, such as year of publication, publication venue, type of research, interdisciplinarity in the author’s background, GDPR focus of compliance element, and type of proposal. Our main findings show ongoing interest, mostly published in conferences, in achieving overall compliance with the GDPR and consent as the most popular topics. Other topics, such as cookies or children’s data, did not receive significant attention. Research over the whole RE process has been done. 20 (22%) of the papers have authors affiliated with non-computer science; however, most research seems not interdisciplinary. We finally discuss gaps in the literature, possible future areas of research, and the importance of interdisciplinary research for regulatory data protection requirements in RE.
Centre de recherche :
NCER-FT - FinTech National Centre of Excellence in Research
Disciplines :
Sciences informatiques
Auteur, co-auteur :
NEGRI RIBALTA, Claudia Sofia ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > IRiSC
LOMBARD-PLATET, Marius ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > APSIA
Salinesi, Camille; Centre de Recherche en Informatique, Université Paris 1 Panthéon-Sorbonne, Paris, France
Co-auteurs externes :
yes
Langue du document :
Anglais
Titre :
Understanding the GDPR from a requirements engineering perspective—a systematic mapping study on regulatory data protection requirements
Date de publication/diffusion :
2024
Titre du périodique :
Requirements Engineering
ISSN :
0947-3602
eISSN :
1432-010X
Maison d'édition :
Springer Science and Business Media Deutschland GmbH
This project has received funding from the Luxembourg National Research Fund (FNR), grant NCER22/IS/16570468/NCER-FT. The authors have no other interests to disclose.
European Union: Regulation (EU) 2016/678 of the European Parliament and of the Council—General Data Protection Regulation
Data Protection Commission: Data Protection Commission announces conclusion of two inquiries into Meta Ireland | 04/01/2023 | Data Protection Commission. https://dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-two-inquiries-meta-ireland. Accessed 27 Jan 2023
Schmidt A, Esser L (2022) Numbers and figures | GDPR Enforcement Tracker Report 2022. https://cms.law/en/fra/publication/gdpr-enforcement-tracker-report/numbers-and-figures. Accessed 27 Jan 2023
Breaux TD, Antón AI (2007) A systematic method for acquiring regulatory requirements: a frame-based approach. RHAS-6), Delhi, India
He Q, Antón AI et al (2003) A framework for modeling privacy requirements in role engineering. In: Proceedings of REFSQ, vol 3, pp 137–146
T. Breaux A. Antón Analyzing regulatory rules for privacy and security requirements IEEE Trans Softw Eng 2008 34 1 5 20 10.1109/TSE.2007.70746
Breaux T, Norton T (2022) Legal accountability as software quality: a U.S. data processing perspective. In: 2022 IEEE 30th international requirements engineering conference (RE). IEEE
Pohl K, Rupp C (2015) Requirements engineering fundamentals: a study guide for the certified professional for requirements engineering exam—foundation level—IREB compliant. Rocky Nook computing. Rocky Nook, Santa Barbara, CA 93103, USA. https://books.google.fr/books?id=bM1YrgEACAAJ
Glinz M (2007) On non-functional requirements. In: 15th IEEE international requirements engineering conference (RE 2007). IEEE, pp 21–26
Breaux TD, Anton AI, Vail MW (2006) Towards regulatory compliance: Extracting rights and obligations to align requirements with regulations. North Carolina State University. Department of Computer Science, Technical report
Hadar I, Hasson T, Ayalon O, Toch E, Birnhack M, Sherman S, Balissa A (2018) Privacy by designers: Software developers’ privacy mindset. In: Proceedings of the 40th international conference on software engineering, Gothenburg, Sweden. ICSE ’18, p. 396. Association for Computing Machinery, New York, NY, USA. https://doi.org/10.1145/3180155.3182531
Senarath A, Arachchilage NAG (2018)Why developers cannot embed privacy into software systems? an empirical investigation. In: Proceedings of the 22nd international conference on evaluation and assessment in software engineering 2018. EASE’18, pp. 211–216. Association for Computing Machinery, New York, NY, USA. https://doi.org/10.1145/3210459.3210484
M. Birnhack E. Toch I. Hadar Privacy mindset, technological mindset Jurimetrics 2014 55 55
H. Mouratidis C. Kalloniatis S. Islam A. Hudic L. Zechner Model based process to support security and privacy requirements engineering Int J Secure Softw Eng 2012 3 1 22 10.4018/jsse.2012070101
Solove DJ (2006) A taxonomy of privacy. University of Pennsylvania law review, pp 477–564
Westin AF, Solove DJ (2015) Privacy and Freedom. Ig Publishing, New York, NY 10163. https://books.google.fr/books?id=1RXqoAEACAAJ
Kalloniatis C, Kavakli E, Gritzalis S (2009) Methods for designing privacy aware information systems: a review. In: 2009 13th Panhellenic conference on informatics. IEEE, pp 185–194
Pattakou A, Mavroeidi AG, Diamantopoulou V, Kalloniatis C, Gritzalis S (2018) Towards the design of usable privacy by design methodologies, pp 1–8. https://doi.org/10.1109/ESPRE.2018.00007
M.E. Morales-Trujillo G.A. García-Mireles E.O. Matla-Cruz M. Piattini A systematic mapping study on privacy by design in software engineering CLEI Electron J 2019 22 1 4-1 10.19153/cleiej.22.1.4
Netto D, Peixoto MM, Silva C (2019) Privacy and security in requirements engineering: Results from a systematic literature mapping. In: WER
E.D. Canedo I.N. Bandeira A.T.S. Calazans P.H.T. Costa E.C.R. Cançado R. Bonifácio Privacy requirements elicitation: a systematic literature review and perception analysis of it practitioners Requir Eng 2023 28 2 177 194 10.1007/s00766-022-00382-8
M. Deng K. Wuyts R. Scandariato B. Preneel W. Joosen A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements Requir Eng 2011 16 1 3 32 10.1007/s00766-010-0115-7
Wuyts K, Joosen W (2015) LINDDUN privacy threat modeling: a tutorial. Department of Computer Science, KU Leuven, Leuven, Belgium (2015-07-01)
Wuyts K, Sion L, Joosen W (2020) LINDDUN GO: A lightweight approach to privacy threat modeling. In: IEEE European symposium on security and privacy workshops, EuroS &P workshops 2020, Genoa, Italy, September 7–11, 2020. IEEE, test, pp 302–309. https://doi.org/10.1109/EuroSPW51379.2020.00047
C. Kalloniatis E. Kavakli S. Gritzalis Addressing privacy requirements in system design: the pris method Requir Eng 2008 13 3 241 255 10.1007/s00766-008-0067-3
Kavakli E, Kalloniatis C, Loucopoulos P, Gritzalis S (2006) Incorporating privacy requirements into the system design process: the pris conceptual framework. Internet research
S. Spiekermann L.F. Cranor Engineering privacy IEEE Trans Software Eng 2009 35 1 67 82 10.1109/TSE.2008.88
O. Akhigbe D. Amyot G. Richards A systematic literature mapping of goal and non-goal modelling methods for legal and regulatory compliance Requir Eng 2019 24 459 481 10.1007/s00766-018-0294-1
G. Almeida Teixeira M. Silva R. Pereira The critical success factors of GDPR implementation: a systematic literature review Digit Policy Regul Gov 2019 21 4 402 418
A.-J. Aberkane G. Poels S.V. Broucke Exploring automated GDPR-compliance in requirements engineering: A systematic mapping study IEEE Access 2021 9 66542 66559 10.1109/ACCESS.2021.3076921
Palmirani M, Martoni M, Rossi A, Bartolini C, Robaldo L (2018) Pronto: privacy ontology for legal reasoning. In: International conference on electronic government and the information systems perspective. Springer, pp 139–152
L. Robaldo C. Bartolini M. Palmirani A. Rossi M. Martoni G. Lenzini Formalizing GDPR provisions in reified i/o logic: the dapreco knowledge base J Logic Lang Inform 2020 29 4 401 449 4163452 10.1007/s10849-019-09309-z
Gharib M, Mylopoulos J, Giorgini P (2020) Copri—a core ontology for privacy requirements engineering. In: International conference on research challenges in information science. Springer, pp 472–489
Loukil F, Ghedira-Guegan C, Boukadi K, Benharkat AN (2018) Liopy: A legal compliant ontology to preserve privacy for the internet of things. In: 2018 IEEE 42nd annual computer software and applications conference (COMPSAC), vol 2. IEEE, pp 701–706
Pandit HJ, Lewis D (2017) Modelling provenance for GDPR compliance using linked open data vocabularies. In: PrivOn@ ISWC, pp 39–40
Pandit HJ, Fatema K, O’Sullivan D, Lewis D (2018) Gdprtext—GDPR as a linked data resource. In: Gangemi A, Navigli R, Vidal M-E, Hitzler P, Troncy R, Hollink L, Tordai A, Alam M (eds) The semantic web. Springer, Cham, pp 481–495
Pandit HJ, Debruyne C, O’Sullivan D, Lewis D (2019) Gconsent-a consent ontology based on the GDPR. In: European semantic web conference. Springer, pp 270–282
Economic Co-Operation O (1980) Development: OECD guidelines on the protection of privacy and transborder flows of personal data. Technical report. https://www.oecd.org/digital/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#memorandum
Petersen K, Feldt R, Mujtaba S, Mattsson M (2008) Systematic mapping studies in software engineering. In: 12th international conference on evaluation and assessment in software engineering (EASE), vol 12, pp 1–10
K. Petersen S. Vakkalanka L. Kuzniarz Guidelines for conducting systematic mapping studies in software engineering: an update Inf Softw Technol 2015 64 1 18 10.1016/j.infsof.2015.03.007
Kitchenham B, Charters S (2007) Guidelines for performing systematic literature reviews in software engineering, vol 2
C. Wohlin P. Runeson P.A.D.M.S. Neto E. Engström I. Carmo Machado E.S. De Almeida On the reliability of mapping studies in software engineering J Syst Softw 2013 86 10 2594 2610 10.1016/j.jss.2013.04.076
R. Wieringa N. Maiden N. Mead C. Rolland Requirements engineering paper classification and evaluation criteria: a proposal and a discussion Requir Eng 2006 11 1 102 107 10.1007/s00766-005-0021-6
B. Kitchenham What’s up with software metrics? A preliminary mapping study J Syst Softw 2010 83 37 51 10.1016/j.jss.2009.06.041
H. Nissenbaum Privacy as contextual integrity Wash. L. Rev. 2004 79 119
R.J. Wieringa Design science methodology for information systems and software engineering 2014 Cham Springer 10.1007/978-3-662-43839-8
R. Wieringa Empirical research methods for technology validation: scaling up to practice J Syst Softw 2014 95 19 31 10.1016/j.jss.2013.11.1097
I. Sommerville Software engineering 2015 10 Amsterdam Pearson
Voigt P, Bussche A (2017) The EU general data protection regulation (GDPR): a practical Guide. https://doi.org/10.1007/978-3-319-57959-7
Ustaran E (2019) European data protection: law and practice. An IAPP Publication, International Association of Privacy Professionals, Portsmouth, NH, USA
Cavoukian A (2009) Privacy by design
Information Commissioner’s Office: Guide to the General Data Protection Reuglation (GDPR). Technical report, Information Commissioner’s Office (January 2021). https://ico.org.uk/media/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr-1-1.pdf
S. Kuehnel A. Zasada C. Woo J. Lu Z. Li T.W. Ling G. Li M.L. Lee An approach toward the economic assessment of business process compliance Advances in conceptual modeling 2018 Cham Springer 228 238 10.1007/978-3-030-01391-2_28
Dalpiaz F, Paja E, Giorgini P (2016) Security requirements engineering: designing secure socio-technical systems. Massachusetts, Cambridge
H. Mouratidis P. Giorgini Secure tropos: a security-oriented extension of the tropos methodology Int J Software Eng Knowl Eng 2007 17 02 285 309 10.1142/S0218194007003240
D. Amyot S. Ghanavati J. Horkoff G. Mussbacher L. Peyton E. Yu Evaluating goal models within the goal-oriented requirement language Int J Intell Syst 2010 25 8 841 877 10.1002/int.20433
G. Booch The unified modeling language user guide 2005 Chennai Pearson Education India
European Data Protection Board: Guidelines 4/2019 on article 25 data protection by design and by default version 2.0. Technical report, European Data Protection Board (October 2020). Guidelines adopted
Community W, Process BG (2022) Data Privacy Vocabulary (DPV). https://www.w3.org/community/reports/dpvcg/CG-FINAL-dpv-20221205/
Souag A, Salinesi C, Mazo R, Comyn-Wattiau I (2015) A security ontology for security requirements elicitation. In: ESSoS. Springer, pp 157–177
M. Finck Blockchains and data protection in the European union Eur Data Prot Law Rev 2018 4 17 35 10.21552/edpl/2018/1/6
