
A First Look at the General Data Protection Regulation (GDPR) in Open-Source Software

Lucas Franke, Huayu Liang, Aaron Brantly, James C Davis, Chris Brown

TL;DR

The study addresses how GDPR affects open-source software development, a topic with limited prior OSS-specific research. Using an exploratory qualitative approach with a broad sample of developers, the authors combine pilot interviews, a GDPR-focused OSS survey, and open coding under IRB oversight to characterize the phenomena and assess inter-rater reliability. Key findings show a mixed reception of GDPR and three categories of engineering challenges: Software Design, including data minimization and logging constraints; Legal Compliance, involving legal consultation that can slow the development lifecycle; and Validation, the absence of robust methods to evaluate compliance. The work highlights practical needs for policy resources and tooling to support GDPR implementation in OSS, with implications for developers, organizations, and policymakers.

Abstract

This poster describes work on the General Data Protection Regulation (GDPR) in open-source software. Although open-source software is commonly integrated into regulated software, and thus must be engineered or adapted for compliance, we do not know how such laws impact open-source software development. We surveyed open-source developers (N=47) to understand their experiences and perceptions of GDPR. We learned of many engineering challenges, primarily regarding the management of users' data and assessments of compliance. We call for improved policy-related resources, especially tools to support data privacy regulation implementation and compliance in open-source software.

Paper Structure (3 sections, 1 table)

This paper contains 3 sections, 1 table.