GDPRShield: AI-Powered GDPR Support for Software Developers in Small and Medium-Sized Enterprises
Tharaka Wijesundara, Mathew Warren, Nalin Arachchilage
TL;DR
This work tackles the GDPR compliance gap in SMEs by introducing GDPRShield, an AI-powered framework that elevates developers' GDPR awareness through privacy descriptions derived from user stories and reinforced by real-world noncompliance consequences. The framework sequences through pre-processing, ambiguity detection, privacy description generation via a KG-augmented LLM, and attitude evaluation based on the Theory of Planned Behavior, aiming to strengthen organizational privacy culture. A knowledge graph anchors GDPR articles to user-story actions, enabling targeted, up-to-date privacy guidance and scalable LLN-based description generation with low-cost adaptation (LoRA). Real-world incident mapping and motivational scenarios are integrated to bridge awareness and action, and a practical use-case with a Jira plugin illustrates end-to-end workflow. The approach promises to help SMEs improve GDPR compliance, user trust, and competitive advantage, with planned extensions to usability testing, cross-regional studies, and broader regulatory support.
Abstract
With the rapid increase in privacy violations in modern software development, regulatory frameworks such as the General Data Protection Regulation (GDPR) have been established to enforce strict data protection practices. However, insufficient privacy awareness among SME software developers contributes to failure in GDPR compliance. For instance, a developer unfamiliar with data minimization may build a system that collects excessive data, violating GDPR and risking fines. One reason for this lack of awareness is that developers in SMEs often take on multidisciplinary roles (e.g., front-end, back-end, database management, and privacy compliance), which limits specialization in privacy. This lack of awareness may lead to poor privacy attitudes, ultimately hindering the development of a strong organizational privacy culture. However, SMEs that achieve GDPR compliance may gain competitive advantages, such as increased user trust and marketing value, compared to others that do not. Therefore, in this paper, we introduce a novel AI-powered framework called "GDPRShield," specifically designed to enhance the GDPR awareness of SME software developers and, through this, improve their privacy attitudes. Simultaneously, GDPRShield boosts developers' motivation to comply with GDPR from the early stages of software development. It leverages functional requirements written as user stories to provide comprehensive GDPR-based privacy descriptions tailored to each requirement. Alongside improving awareness, GDPRShield strengthens motivation by presenting real-world consequences of noncompliance, such as heavy fines, reputational damage, and loss of user trust, aligned with each requirement. This dual focus on awareness and motivation leads developers to engage with GDPRShield, improving their GDPR compliance and privacy attitudes, which will help SMEs build a stronger privacy culture over time.
