Oluwafemi Olukoya

DOI: https://doi.org/10.1016/j.cose.2022.102697

2022-06-01

Abstract:The processing of personal data has become a prominent concern for stakeholders when selecting software or service providers to serve their needs. Different laws and legislation have been introduced to standardize and strengthen data protection policies across different countries to protect such data. Therefore, businesses and organizations responsible for managing personal data are obligated to implement the privacy and security requirements established by these laws and legislation. Different methods and tools have been provided for eliciting requirements for legally compliant software based on the relevant data protection laws and legislation. However, little has been done in assessing these methodologies on regulations outside the EU and the US. This paper aims to assess these methodologies on other information security laws and regulations beyond the General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA) by eliciting security requirements explicitly focusing on the Nigerian data protection regulation. To investigate the applicability of these methodologies, we use the extracted privacy and security requirements with information communication protocols in verifying compliance in procedural practices of products and services in the financial technology sector. The analysis reports on the completeness, consistency, and utility of the frameworks. Finally, foundational research directions for interoperable standards for eliciting software requirements from legal texts are proposed.

computer science, information systems

Luiz Paulo Carvalho,Jonice Oliveira,Flávia Maria Santoro,Claudia Cappelli

DOI: https://doi.org/10.5753/isys.2021.1235

2021-08-20

Abstract:Data protection and data-driven solutions are two progressing areas permeating Brazilian society. This work presents an interdisciplinary theoretical approach related to Ethics, from the ethics in computing perspective; the LGPD, from the Law studies perspective; and the Social Network Analysis in Brazil, from the Informatics perspective. This research area utilizes personal data extensively for knowledge construction, with semantic contributions, analyzing the reality; or pragmatic, building artifacts. Challenges and inseparable issues are observed, exposed, and debated in this work. We present considerations combining the three topics, personal data in the research field of social networks in Brazil respecting the LGPD and ethics precepts.

Thiago Luís Sombra

DOI: https://doi.org/10.54648/gplr2020083

2020-06-01

Global Privacy Law Review

Abstract:The Brazilian Data Protection Law (LGPD) will enter into force in August 2020. Brazil was one of the few countries among the major global economies not to have a regulatory framework for personal data protection, which means, it was a minor player in the subject with sparse regulations such as the Civil Rights Framework for the Internet, Civil Code and the Consumer Protection Code. The cultural change to be imposed by LGPD can be noticed by the principles that give legal grounds to the law. With around ten general principles, including purpose, necessity, open access, transparency, security, liability and accountability, which are particularly emphasized, LGPD aims to rebalance the games of power, increase transparency, responsiveness and empower the subjects of personal data in their interactions in cyberspace. Data Protection, cybersecurity, data subjects, LGPD, GDPR, Brazil

Ze Shi Li,Colin Werner,Neil Ernst,Daniela Damian

DOI: https://doi.org/10.1016/j.infsof.2022.106868

IF: 3.9

2022-06-01

Information and Software Technology

Abstract:Context: Complying with privacy regulations has taken on new importance with the introduction of the EU’s General Data Protection Regulation (GDPR) and other privacy regulations. Privacy measures are becoming a paramount requirement demanding software organizations’ attention as recent privacy breaches such as the Capital One data breach affected millions of customers. Software organizations, however, struggle with achieving privacy compliance. In particular, there is a lack of research into the organizational practices and challenges involved in compliance, particularly for small and medium enterprises (SMEs), which represent a sizeable portion of organizations. Many SMEs use a continuous software engineering (CSE) approach, which introduces additional adoption and application challenges. For example, the fast pace of CSE makes it harder for SMEs that are already more resource constrained to prioritize non-functional requirements such as privacy. Objective: This paper aims to fill a gap in the under-researched area of continuous compliance with privacy requirements in practice, by investigating how a continuous practicing SME dealt with GDPR compliance. Method: Using design science, we conducted an in-depth ethnographically informed study over the span of 16 months and iteratively developed two artifacts to help address the organization’s challenges in addressing GDPR compliance. Results: We identified 3 main challenges that our collaborating organization experienced when trying to comply with the GDPR. To help mitigate the challenges, we developed two design science artifacts, which include a list of privacy requirements that operationalized the GDPR principles for automated verification, and an automated testing tool that helps to verify these privacy requirements. We validated these artifacts through close collaboration with our partner organization and applying our artifacts to the partner organization’s system. Conclusions: We conclude with a discussion of opportunities and obstacles in leveraging CSE to achieve continuous compliance with the GDPR. We also highlight the importance of building a shared understanding of privacy non-functional requirements and how risk management plays an important role in an organization’s GDPR compliance.

computer science, information systems, software engineering

Lucas Franke,Huayu Liang,Sahar Farzanehpour,Aaron Brantly,James C. Davis,Chris Brown

2024-06-21

Abstract:Background: Governments worldwide are considering data privacy regulations. These laws, e.g. the European Union's General Data Protection Regulation (GDPR), require software developers to meet privacy-related requirements when interacting with users' data. Prior research describes the impact of such laws on software development, but only for commercial software. Open-source software is commonly integrated into regulated software, and thus must be engineered or adapted for compliance. We do not know how such laws impact open-source software development. Aims: To understand how data privacy laws affect open-source software development. We studied the European Union's GDPR, the most prominent such law. We investigated how GDPR compliance activities influence OSS developer activity (RQ1), how OSS developers perceive fulfilling GDPR requirements (RQ2), the most challenging GDPR requirements to implement (RQ3), and how OSS developers assess GDPR compliance (RQ4). Method: We distributed an online survey to explore perceptions of GDPR implementations from open-source developers (N=56). We further conducted a repository mining study to analyze development metrics on pull requests (N=31462) submitted to open-source GitHub repositories. Results: GDPR policies complicate open-source development processes and introduce challenges for developers, primarily regarding the management of users' data, implementation costs and time, and assessments of compliance. Moreover, we observed negative perceptions of GDPR from open-source developers and significant increases in development activity, in particular metrics related to coding and reviewing activity, on GitHub pull requests related to GDPR compliance. Conclusions: Our findings motivate policy-related resources and automated tools to support data privacy regulation implementation and compliance efforts in open-source software.

Software Engineering

Diego André Cerqueira,Rafael Maiani de Mello,Guilherme Horta Travassos

DOI: https://doi.org/10.48550/arXiv.2308.14874

2023-08-28

Software Engineering

Abstract:Recent laws to ensure the security and protection of personal data establish new software requirements. Consequently, new technologies are needed to guarantee software quality under the perception of privacy and protection of personal data. Therefore, we created a checklist-based inspection technique (LGPDCheck) to support the identification of defects in software artifacts based on the principles established by the Brazilian General Data Protection Law (LGPD). Objective/Aim: To evaluate the effectiveness and efficiency of LGPDCheck for verifying privacy and data protection (PDP) in software artifacts compared to ad-hoc techniques. Method: To assess LGPDCheck and ad-hoc techniques experimentally through a quasi-experiment (two factors, five treatments). The data will be collected from IoT-based health software systems built by software engineering students from the Federal University of Rio de Janeiro. The data analyses will compare results from ad-hoc and LGPDCheck inspections, the participant's effectiveness and efficiency in each trial, defects' variance and standard deviation, and time spent with the reviews. The data will be screened for outliers, and normality and homoscedasticity will be verified using the Shapiro-Wilk and Levene tests. Nonparametric or parametric tests, such as the Wilcoxon or Student's t-tests, will be applied as appropriate.

Jonatas S. de Souza,Jair M. Abe,Luiz A. de Lima,Nilson A. de Souza

DOI: https://doi.org/10.48550/arXiv.2009.14313

2020-09-29

Cryptography and Security

Abstract:Rapid technological change and globalization have created new challenges when it comes to the protection and processing of personal data. In 2018, Brazil presented a new law that has the proposal to inform how personal data should be collected and treated, to guarantee the security and integrity of the data holder. The purpose of this paper is to emphasize the principles of the General Law on Personal Data Protection, informing real cases of leakage of personal data and thus obtaining an understanding of the importance of gains that meet the interests of Internet users on the subject and its benefits to the entire Brazilian society.

Pattaraporn Sangaroonsilp,Hoa Khanh Dam,Morakot Choetkiertikul,Chaiyong Ragkhitwetsagul,Aditya Ghose

DOI: https://doi.org/10.48550/arXiv.2101.01298

2023-02-06

Abstract:Context: Digital and physical trails of user activities are collected over the use of software applications and systems. As software becomes ubiquitous, protecting user privacy has become challenging. With the increase of user privacy awareness and advent of privacy regulations and policies, there is an emerging need to implement software systems that enhance the protection of personal data processing. However, existing data protection and privacy regulations provide key principles in high-level, making it difficult for software engineers to design and implement privacy-aware systems. Objective: In this paper, we develop a taxonomy that provides a comprehensive set of privacy requirements based on four well-established personal data protection regulations and privacy frameworks, the General Data Protection Regulation (GDPR), ISO/IEC 29100, Thailand Personal Data Protection Act (Thailand PDPA) and Asia-Pacific Economic Cooperation (APEC) privacy framework. Methods: These requirements are extracted, refined and classified (using the goal-based requirements analysis method) into a level that can be used to map with issue reports. We have also performed a study on how two large open-source software projects (Google Chrome and Moodle) address the privacy requirements in our taxonomy through mining their issue reports. Results: The paper discusses how the collected issues were classified, and presents the findings and insights generated from our study. Conclusion: Mining and classifying privacy requirements in issue reports can help organisations be aware of their state of compliance by identifying privacy requirements that have not been addressed in their software projects. The taxonomy can also trace back to regulations, standards and frameworks that the software projects have not complied with based on the identified privacy requirements.

Software Engineering

Fabiana França,Cláudia Mont'Alvão

DOI: https://doi.org/10.29147/datjournal.v9i2.806

2024-09-09

DAT Journal

Abstract:The Internet revolution and the ICTs application emerged in the data era in which the services are guided by the personal information which is collected from people. Including governmental services in e-government systems. It may represent a risk to people's freedom, democracy, and especially to privacy protection. Organizations must be prepared to implement technologies, requirements, and laws that secure citizens’ data protection, considering their contexts and needs. This paper presents the result of a study that aims to identify themes and opportunities related to privacy protection in e-government in the scope of user-centered and human-centered design. For that, qualitative research was conducted through a literature review of the ScienceDirect database from 2019 to 2023. As a result, some common themes such as data security, data protection, risks, transparency, and trust were identified, as issues to be discussed and that could serve as new foundations for future research.

Oleksandra Klymenko,Oleksandr Kosenkov,Stephen Meisenbacher,Parisa Elahidoost,Daniel Mendez,Florian Matthes

DOI: https://doi.org/10.1145/3544902.3546234

2022-08-18

Abstract:Modern privacy regulations, such as the General Data Protection Regulation (GDPR), address privacy in software systems in a technologically agnostic way by mentioning general "technical measures" for data privacy compliance rather than dictating how these should be implemented. An understanding of the concept of technical measures and how exactly these can be handled in practice, however, is not trivial due to its interdisciplinary nature and the necessary technical-legal interactions. We aim to investigate how the concept of technical measures for data privacy compliance is understood in practice as well as the technical-legal interaction intrinsic to the process of implementing those technical measures. We follow a research design that is 1) exploratory in nature, 2) qualitative, and 3) interview-based, with 16 selected privacy professionals in the technical and legal domains. Our results suggest that there is no clear mutual understanding and commonly accepted approach to handling technical measures. Both technical and legal roles are involved in the implementation of such measures. While they still often operate in separate spheres, a predominant opinion amongst the interviewees is to promote more interdisciplinary collaboration. Our empirical findings confirm the need for better interaction between legal and engineering teams when implementing technical measures for data privacy. We posit that interdisciplinary collaboration is paramount to a more complete understanding of technical measures, which currently lacks a mutually accepted notion. Yet, as strongly suggested by our results, there is still a lack of systematic approaches to such interaction. Therefore, the results strengthen our confidence in the need for further investigations into the technical-legal dynamic of data privacy compliance.

Software Engineering

Atheer Aljeraisy,Masoud Barati,Omer Rana,Charith Perera

DOI: https://doi.org/10.48550/arXiv.2210.03520

2022-10-06

Cryptography and Security

Abstract:Internet of Things (IoT) applications have the potential to derive sensitive information about individuals. Therefore, developers must exercise due diligence to make sure that data are managed according to the privacy regulations and data protection laws. However, doing so can be a difficult and challenging task. Recent research has revealed that developers typically face difficulties when complying with regulations. One key reason is that, at times, regulations are vague, and could be challenging to extract and enact such legal requirements. In our research paper, we have conducted a systematic analysis of the data protection laws that are used across different continents, namely: (i) General Data Protection Regulations (GDPR), (ii) the Personal Information Protection and Electronic Documents Act (PIPEDA), (iii) the California Consumer Privacy Act (CCPA), (iv) Australian Privacy Principles (APPs), and (v) New Zealand's Privacy Act 1993. In this technical report, we presented the detailed results of the conducted framework analysis method to attain a comprehensive view of different data protection laws and highlighted the disparities, in order to assist developers in adhering to the regulations across different regions, along with creating a Combined Privacy Law Framework (CPLF). After that, we gave an overview of various Privacy by Design (PbD) schemes developed previously by different researchers. Then, the key principles and individuals' rights of the CPLF were mapped with the privacy principles, strategies, guidelines, and patterns of the Privacy by Design (PbD) schemes in order to investigate the gaps in existing schemes.

Ze Shi Li,Colin Werner,Neil Ernst,Daniela Damian

DOI: https://doi.org/10.48550/arXiv.2002.06830

2020-02-17

Abstract:The enactment of the General Data Protection Regulation (GDPR) in 2018 forced any organization that collects and/or processes EU-based personal data to comply with stringent privacy regulations. Software organizations have struggled to achieve GDPR compliance both before and after the GDPR deadline. While some studies have relied on surveys or interviews to find general implications of the GDPR, there is a lack of in-depth studies that investigate compliance practices and compliance challenges of software organizations. In particular, there is no information on small and medium enterprises (SMEs), which represent the majority of organizations in the EU, nor on organizations that practice continuous integration. Using design science methodology, we conducted an in-depth study over the span of 20 months regarding GDPR compliance practices and challenges in collaboration with a small, startup organization. We first identified our collaborator's business problems and then iteratively developed two artifacts to address those problems: a set of operationalized GDPR principles, and an automated GDPR tool that tests those GDPR-derived privacy requirements. This design science approach resulted in four implications for research and for practice. For example, our research reveals that GDPR regulations can be partially operationalized and tested through automated means, which improves compliance practices, but more research is needed to create more efficient and effective means to disseminate and manage GDPR knowledge among software developers.

Software Engineering

Orlando Amaral Cejas,Nicolas Sannier,Sallam Abualhaija,Marcello Ceci,Domenico Bianculli

2024-11-28

Abstract:The General Data Protection Regulation (GDPR) is the benchmark in the European Union (EU) for privacy and data protection standards. Substantial research has been conducted in the requirements engineering (RE) literature investigating the elicitation, representation, and verification of privacy requirements in GDPR. Software systems including mobile apps must comply with the GDPR. With the growing pervasiveness of mobile apps and their increasing demand for personal data, privacy concerns have acquired further interest within the software engineering (SE) community at large. Despite the extensive literature on GDPR-relevant privacy concerns in mobile apps, there is no secondary study that describes, analyzes, and categorizes the current focus. Research gaps and persistent challenges are thus left unnoticed. In this article, we aim to systematically review existing primary studies highlighting various GDPR concepts and how these concepts are addressed in mobile apps research. The objective is to reconcile the existing work on GDPR in the RE literature with the research on GDPR-related privacy concepts in mobile apps in the SE literature. Our findings show that the current research landscape reflects a rather shallow understanding of GDPR requirements. Some GDPR concepts such as data subject rights (i.e., the rights of individuals over their personal data) are fundamental to GDPR, yet under-explored in the literature. In this article, we highlight future directions to be pursued by the SE community for supporting the development of GDPR-compliant mobile apps.

Software Engineering

James Taylor,Jane Henriksen-Bulmer,Cagatay Yucel

DOI: https://doi.org/10.3390/electronics13122263

IF: 2.9

2024-06-10

Electronics

Abstract:Following a series of legislative changes around privacy over the past 25 years, this study highlights data protection regulations and the complexities of applying these frameworks. To address this, we created a privacy framework to guide organisations in what steps they need to undertake to achieve compliance with the UK GDPR, highlighting the existing privacy frameworks for best practice and the requirements from the Information Commissioners Office. We applied our framework to a UK charity sector; to account for the specific nuances that working in a charity brings, we worked closely with local charities to understand their requirements, and interviewed privacy experts to develop a framework that is readily accessible and provides genuine value. Feeding the results into our privacy framework, a decision tree artefact has been developed for compliance. The artefact has been tested against black-box tests, System Usability Tests and UX Honeycomb tests. Results show that Privacy Essentials! provides the foundation of a data protection management framework and offers organisations the catalyst to start, enhance, or even validate a solid and effective data privacy programme.

engineering, electrical & electronic,computer science, information systems,physics, applied

Rolly R. Tang, Jae Kyu Lee, Shan Liu

DOI: https://doi.org/10.52783/jes.1612

2024-04-04

Abstract:Will General Data Protection Regulation (GDPR) be adopted globally in business? The GDPR was approved in the European Union (EU) in April 2016 and officially put into effect in May 2018, thus the research in this field has an obvious upward trend. The development of GDPR is aimed at adapting to new trends, conducting scientific econometric analysis in the fields of privacy and GDPR, and analyzing and visualizing emerging trends. First, summarizing the privacy and GDPR studies publicly published between 1995 and 2023 through statistical analysis of terminology categories and high-yield journals. Then, understand the overall research status of privacy rights and GDPR from the perspectives of author, journal, literature co citation analysis, and collaborative networks. Finally, based on keyword analysis and literature co citation cluster analysis, a knowledge graph was constructed that includes knowledge domains, evolutionary trends, and future research directions. As a globally influential regulation, GDPR emphasizes the protection and lawful processing of personal data, which is of great significance for protecting personal data privacy and enhancing data security.

Sallam Abualhaija,Marcello Ceci,Lionel Briand

2024-02-17

Abstract:Modern software has been an integral part of everyday activities in many disciplines and application contexts. Introducing intelligent automation by leveraging artificial intelligence (AI) led to break-throughs in many fields. The effectiveness of AI can be attributed to several factors, among which is the increasing availability of data. Regulations such as the general data protection regulation (GDPR) in the European Union (EU) are introduced to ensure the protection of personal data. Software systems that collect, process, or share personal data are subject to compliance with such regulations. Developing compliant software depends heavily on addressing legal requirements stipulated in applicable regulations, a central activity in the requirements engineering (RE) phase of the software development process. RE is concerned with specifying and maintaining requirements of a system-to-be, including legal requirements. Legal agreements which describe the policies organizations implement for processing personal data can provide an additional source to regulations for eliciting legal requirements. In this chapter, we explore a variety of methods for analyzing legal requirements and exemplify them on GDPR. Specifically, we describe possible alternatives for creating machine-analyzable representations from regulations, survey the existing automated means for enabling compliance verification against regulations, and further reflect on the current challenges of legal requirements analysis.

Software Engineering,Artificial Intelligence

Lu Zhang,Nabil Moukafih,Hamad Alamri,Gregory Epiphaniou,Carsten Maple

2024-07-09

Abstract:Since its implementation in May 2018, the General Data Protection Regulation (GDPR) has prompted businesses to revisit and revise their data handling practices to ensure compliance. The privacy policy, which serves as the primary means of informing users about their privacy rights and the data practices of companies, has been significantly updated by numerous businesses post-GDPR implementation. However, many privacy policies remain packed with technical jargon, lengthy explanations, and vague descriptions of data practices and user rights. This makes it a challenging task for users and regulatory authorities to manually verify the GDPR compliance of these privacy policies. In this study, we aim to address the challenge of compliance analysis between GDPR (Article 13) and privacy policies for 5G networks. We manually collected privacy policies from almost 70 different 5G MNOs, and we utilized an automated BERT-based model for classification. We show that an encouraging 51$\%$ of companies demonstrate a strong adherence to GDPR. In addition, we present the first study that provides current empirical evidence on the readability of privacy policies for 5G network. we adopted readability analysis toolset that incorporates various established readability metrics. The findings empirically show that the readability of the majority of current privacy policies remains a significant challenge. Hence, 5G providers need to invest considerable effort into revising these documents to enhance both their utility and the overall user experience.

Cryptography and Security,Artificial Intelligence

Yuri R. Ladeia,David M. Pereira

2024-09-18

Abstract:Background: The integration of the General Data Protection Regulation (GDPR) and the Medical Device Regulation (MDR) creates complexities in conducting Data Protection Impact Assessments (DPIAs) for medical devices. The adoption of non-binding standards like ISO and IEC can harmonize these processes by enhancing accountability and privacy by design. Methods: This study employs a multidisciplinary literature review, focusing on GDPR and MDR intersection in medical devices that process personal health data. It evaluates key standards, including ISO/IEC 29134 and IEC 62304, to propose a unified approach for DPIAs that aligns with legal and technical frameworks. Results: The analysis reveals the benefits of integrating ISO/IEC standards into DPIAs, which provide detailed guidance on implementing privacy by design, risk assessment, and mitigation strategies specific to medical devices. The proposed framework ensures that DPIAs are living documents, continuously updated to adapt to evolving data protection challenges. Conclusions: A unified approach combining European Union (EU) regulations and international standards offers a robust framework for conducting DPIAs in medical devices. This integration balances security, innovation, and privacy, enhancing compliance and fostering trust in medical technologies. The study advocates for leveraging both hard law and standards to systematically address privacy and safety in the design and operation of medical devices, thereby raising the maturity of the MedTech ecosystem.

Computers and Society

Isabel Maria Lopes,Teresa Guarda,Pedro Oliveira

DOI: https://doi.org/10.1007/s10916-020-1521-0

IF: 4.92

2020-01-10

Journal of Medical Systems

Abstract:The focus on personal data has merited the EU concerns and attention, resulting in the legislative change regarding privacy and the protection of personal data. The General Data Protection Regulation (GDPR) aims to reform existing measures on the protection of personal data of European Union citizens, with a strong impact on the rights and freedoms of individuals in establishing rules for the processing of personal data. The GDPR considers a special category of personal data, the health data, being these considered as sensitive data and subject to special conditions regarding treatment and access by third parties. This work presents the evolution of the applicability of the Regulation (EU) 2016/679 six months after its application in Portuguese health clinics. The results of the present study are discussed in the light of future literature and work are identified.

health care sciences & services,medical informatics

Mohamad Gharib,Paolo Giorgini,John Mylopoulos

DOI: https://doi.org/10.48550/arXiv.1611.10097

2016-11-30

Abstract:Privacy has been frequently identified as a main concern for system developers while dealing with/managing personal information. Despite this, most existing work on privacy requirements deals with them as a special case of security requirements. Therefore, key aspects of privacy are, usually, overlooked. In this context, wrong design decisions might be made due to insufficient understanding of privacy concerns. In this paper, we address this problem with a systematic literature review whose main purpose is to identify the main concepts/relations for capturing privacy requirements. In addition, the identified concepts/relations are further analyzed to propose a novel privacy ontology to be used by software engineers when dealing with privacy requirements.

Software Engineering