Towards a Goal-Centric Assessment of Requirements Engineering Methods for Privacy by Design
Oleksandr Kosenkov, Ehsan Zabardast, Jannik Fischbach, Tony Gorschek, Daniel Mendez
TL;DR
The paper tackles the challenge of selecting appropriate RE methods for privacy by design (PbD) under GDPR, arguing that current practice focuses on process characteristics rather than organizational goals. It introduces a goal-centric assessment framework rooted in the $GQM$ approach, developed from a literature review, practitioner interviews, and validation. Key contributions include identifying five RE method characteristics (MCs) and eleven method goals (MGs) for PbD, and presenting a three-level assessment structure (conceptual, operational, quantitative) with predefined components. The framework aims to support the selection, tailoring, and development of PbD-oriented RE practices, emphasizing the importance of capturing legal knowledge and ensuring transparent, traceable specifications to achieve GDPR compliance throughout the SDLC.
Abstract
Implementing privacy by design (PbD) according to the General Data Protection Regulation (GDPR) is met with a growing number of requirements engineering (RE) approaches. However, the question of which RE method for PbD fits best the goals of organisations remains a challenge. We report our endeavor to close this gap by synthesizing a goal-centric approach for PbD methods assessment. We used literature review, interviews, and validation with practitioners to achieve the goal of our study. As practitioners do not approach PbD systematically, we suggest that RE methods for PbD should be assessed against organisational goals, rather than process characteristics only. We hope that, when further developed, the goal-centric approach could support the development, selection, and tailoring of RE practices for PbD.
