How Software Industry Specifies Requirements Compliant with Data Protection Laws: a survey-based study

Published: 21 December 2024

Abstract

[Context] Few studies have examined the state of practice concerning how the Information Technology (IT) industry achieves legal compliance in software requirements activities. A previous work reported an interview-based study with seven practitioners from seven IT companies tackling legal compliance in software requirements specification (SRS). As a result, an initial theory emerged from the interviews that explains a set of factors influencing the work practices used by public and private companies to achieve requirements specifications compliant with data protection laws. [Objective] This study reviews and refines that initial theory with information obtained from 39 practitioners regarding how they produce requirements specifications compliant with data protection laws. [Method] We designed a survey protocol containing a questionnaire composed of a set of propositions inferred from the previous interview-based study and the related literature. [Results] Findings reveal that legal requirements are specified textually, and that the techniques that help achieve legal compliance are: basic knowledge of law for software engineers; training in ambiguity identification techniques; assigning a person to trace laws and legal regulations; identifying the relevant laws and legal regulations to be analysed by lawyers; and defining a glossary for all domain-specific concepts and acronyms. [Conclusion] The factors and actions that emerged in this study can be used by researchers and practitioners to improve the methods and tools they develop or use to specify system requirements that must comply with data protection laws.



Published In

SBQS '24: Proceedings of the XXIII Brazilian Symposium on Software Quality
November 2024
763 pages
ISBN: 9798400717772
DOI: 10.1145/3701625

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Legal compliance
  2. Ambiguity
  3. Privacy requirements
  4. Qualitative study

Funding Sources

  • Fundação Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES)

Conference

SBQS 2024
SBQS 2024: XXIII Brazilian Symposium on Software Quality
November 5 - 8, 2024
Salvador, Bahia, Brazil

Acceptance Rates

Overall Acceptance Rate 35 of 99 submissions, 35%
