
Master's Thesis Maximilian Frank

Last modified May 9

Research Questions

  1. How can privacy requirements be represented and which information can they contain?

  2. What contents and representations do agile developers prefer for privacy requirements?

  3. What impact on software development do agile developers expect from satisfying their preferences regarding privacy requirements?

Abstract

Due to a lack of knowledge or motivation, developers often have difficulty implementing privacy-compliant software. This is especially the case because legal requirements cannot be mapped directly to software code, and developers lack the necessary privacy knowledge or do not want to take legal responsibility for privacy compliance. Especially in small companies, privacy is often implemented just once as an afterthought rather than while the software is being written. This is because any lack of knowledge has to be compensated for with external experts or lawyers, who incur additional costs each time they are consulted. As the communication of legal requirements to developers is crucial for implementing them in software, this research investigates developer preferences for the documentation of privacy requirements under the GDPR.

Before asking developers about their preferences, we first reviewed the literature for existing variants of privacy requirements. This tertiary literature review includes non- and semi-academic sources to allow for requirement design proposals from the industry. Existing literature indicates that theoretical research does not align with practice – which we confirm later based on our results. Thus, we conducted semi-structured expert interviews (n=21) with software developers, mainly in Germany, to augment the requirement variants we found with reports from practice. We also asked interviewees about their needs and preferences regarding privacy requirements. This gave us an initial understanding of the developer preferences themselves as well as of the factors that influence them, especially regarding problems in daily work with privacy.

Based on the insights from the expert interviews, we designed and conducted a survey (n=103) to empirically measure developers’ preferences and the factors that influence them. We used the results to create seven recommendations for writing optimal privacy requirements. As a result, we saw that developers prefer checklists due to their brevity, conciseness and progress-tracking capability. While low-level technical requirements are preferred for privacy constraints, guidelines and best practices should augment privacy requirements when such technical concreteness is not possible.

We also asked developers how they expect optimal privacy requirements to impact their daily work, so that we can prioritize certain recommendations. Optimal privacy requirements are expected to save meeting time and feedback cycles. They are also expected to compensate for some lack of awareness and experience; however, this does not hold in highly sensitive industries like finance and healthcare. Most importantly, optimal privacy requirements would give developers peace of mind regarding the privacy compliance of software.

Author Notes

Author: Maximilian Josef Frank (ORCID: 0000-0002-0714-7748). For further author profiles see ORCID profile.

Any use of first person plural is to be understood as the author and the readers, advised by advisors and supervisor. This is due to the formal requirements of a master's thesis.
