Eprint first made available on ORBilu (E-prints, working papers and research notebooks)
GDPR-Relevant Privacy Concerns in Mobile Apps Research: A Systematic Literature Review
AMARAL CEJAS, Orlando; SANNIER, Nicolas; ABUALHAIJA, Sallam et al.
2024
 

Documents


Full text
ASACB-SLR.pdf
Author preprint (636.14 kB)

All documents in ORBilu are protected by a user license.


Details



Keywords:
Requirements Engineering; Regulatory Compliance; GDPR; Privacy Requirements; Mobile Apps; Systematic Literature Review
Abstract:
[en] The General Data Protection Regulation (GDPR) is considered as the benchmark in the European Union (EU) for privacy and data protection standards. Since before its entry into force in 2018, substantial research has been conducted in the requirements engineering (RE) literature investigating the elicitation, representation and verification of privacy requirements in GDPR. Software systems deployed anywhere in the world must comply with GDPR as long as they handle personal data of EU residents. Mobile applications (apps) are no different in that regard. With the growing pervasiveness of mobile apps and their increasing demand for personal data, privacy concerns have acquired further interest within the software engineering (SE) community at large. Despite the extensive literature on GDPR-relevant privacy concerns in mobile apps, there is no secondary study that describes, analyzes, and categorizes the current focus. Research gaps and persistent challenges are thus left unnoticed. In this article, we aim to systematically review existing primary studies highlighting various GDPR concepts and how these concepts are addressed in mobile apps research. The objective is to reconcile the existing work on GDPR in the RE literature with the research on GDPR-related privacy concepts in mobile apps in the SE literature. Our findings show that the current research landscape reflects a rather shallow understanding of GDPR requirements. The GDPR concepts investigated in the majority of the studies include: (i) the sharing of personal data with third-party libraries, mainly for the purpose of identifying data leaks; (ii) different mechanisms for acquiring explicit consent from users; and (iii) data collection involving various personal data categories that are often obtained directly from the users. 
While such GDPR concepts are indeed of significant importance, other topics such as data subject rights (i.e., the rights of individuals over their personal data) are fundamental to GDPR, yet under-explored in the literature. In this article, we highlight future directions to be pursued by the SE community for supporting the development of GDPR-compliant mobile apps.
Research centre:
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > SVV - Software Verification and Validation
NCER-FT - FinTech National Centre of Excellence in Research
Disciplines:
Computer science
Author, co-author:
AMARAL CEJAS, Orlando  
SANNIER, Nicolas  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
ABUALHAIJA, Sallam  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
CECI, Marcello  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
BIANCULLI, Domenico  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
Document language:
English
Title:
GDPR-Relevant Privacy Concerns in Mobile Apps Research: A Systematic Literature Review
Publication/release date:
2024
Number of pages:
23
FnR project:
FNR16570468 - 2021 (01/07/2022-30/06/2030) - Yves Le Traon
Funding body:
FNR - Fonds National de la Recherche
Funding number:
NCER22/IS/16570468/NCER-FT
Available on ORBilu:
since 29 November 2024

Statistics

Number of views
214 (including 8 from Unilu)
Number of downloads
160 (including 2 from Unilu)
