Abstract:Context: Complying with privacy regulations has taken on new importance with the introduction of the EU’s General Data Protection Regulation (GDPR) and other privacy regulations. Privacy measures are becoming a paramount requirement demanding software organizations’ attention as recent privacy breaches such as the Capital One data breach affected millions of customers. Software organizations, however, struggle with achieving privacy compliance. In particular, there is a lack of research into the organizational practices and challenges involved in compliance, particularly for small and medium enterprises (SMEs), which represent a sizeable portion of organizations. Many SMEs use a continuous software engineering (CSE) approach, which introduces additional adoption and application challenges. For example, the fast pace of CSE makes it harder for SMEs that are already more resource constrained to prioritize non-functional requirements such as privacy. Objective: This paper aims to fill a gap in the under-researched area of continuous compliance with privacy requirements in practice, by investigating how a continuous practicing SME dealt with GDPR compliance. Method: Using design science, we conducted an in-depth ethnographically informed study over the span of 16 months and iteratively developed two artifacts to help address the organization’s challenges in addressing GDPR compliance. Results: We identified 3 main challenges that our collaborating organization experienced when trying to comply with the GDPR. To help mitigate the challenges, we developed two design science artifacts, which include a list of privacy requirements that operationalized the GDPR principles for automated verification, and an automated testing tool that helps to verify these privacy requirements. We validated these artifacts through close collaboration with our partner organization and applying our artifacts to the partner organization’s system. Conclusions: We conclude with a discussion of opportunities and obstacles in leveraging CSE to achieve continuous compliance with the GDPR. We also highlight the importance of building a shared understanding of privacy non-functional requirements and how risk management plays an important role in an organization’s GDPR compliance.

Towards privacy compliance: A design science study in a small organization

GDPR Compliance in the Context of Continuous Integration

An Exploratory Mixed-Methods Study on General Data Protection Regulation (GDPR) Compliance in Open-Source Software

Understanding the Implementation of Technical Measures in the Process of Data Privacy Compliance: A Qualitative Study

Are we there yet? Understanding the challenges faced in complying with the General Data Protection Regulation (GDPR)

Privacy Essentials

Design Challenges for GDPR RegTech

Privacy Aware Engineering: A Case Study

Evaluating Privacy Perceptions, Experience, and Behavior of Software Development Teams

Compliance Generation for Privacy Documents under GDPR: A Roadmap for Implementing Automation and Machine Learning

Model Driven Engineering for Data Protection and Privacy: Application and Experience with GDPR

Identifying Practical Challenges in the Implementation of Technical Measures for Data Privacy Compliance

Data Protection by Design Tool for Automated GDPR Compliance Verification Based on Semantically Modeled Informed Consent

GDPR compliance via software evolution: Weaving security controls in software design

Human-GDPR Interaction: Practical Experiences of Accessing Personal Data

A Mixed-method Study on Security and Privacy Practices in Danish Companies

Exploring the Relationships between Privacy by Design Schemes and Privacy Laws: A Comparative Analysis

Enhancing privacy awareness through a novel BPMN based methodology

Analyzing GDPR Compliance Through the Lens of Privacy Policy

Privacy Compliance Engineering Process

Secure Semi-Automated GDPR Compliance Service with Restrictive Fine-Grained Access Control