Privacy in Practice: Exploring Concrete Relationships Between Privacy Patterns and Privacy by Design Principles in Software Engineering

  • Vinícius C. Andrade UTFPR
  • Richard D. Ribeiro UTFPR
  • Rafael dos P. Canteri UFMS
  • Sheila Reinehr PUCPR
  • Cinthia O. de A. Freitas PUCPR
  • Andreia Malucelli PUCPR


Ensuring the fulfillment of customer preferences and requirements and adherence to legal compliance have emerged as critical considerations for software development organizations. Legislation such as the Brazilian LGPD and the European Union's GDPR highlights the importance of integrating personal data privacy rights from the beginning of system development and throughout the data lifecycle, as mentioned in the fundamental principles of Privacy by Design. However, recent studies still emphasize the need for processes, methods, guides, and tools that help translate Privacy by Design principles into practical software engineering activities. In this context, this article aims to explore the integration of abstract Privacy by Design principles into tangible Software Engineering practices. To this end, a mapping was carried out between Privacy Patterns and the principles of Privacy by Design. This process translated abstract concepts into practical activities. The reliability of the mapping process among the researchers was assessed by calculating the Intraclass Correlation Coefficient (ICC). The findings underscore that when software engineers apply one or more Privacy Patterns to address personal data privacy requirements, as revealed through the correlations conducted in this study, they also tend to adhere to one or more Privacy by Design principles.
Keywords: Privacy, Privacy by Design, Privacy Patterns, Software Engineering


ANDRADE, Vinícius C.; RIBEIRO, Richard D.; CANTERI, Rafael dos P.; REINEHR, Sheila; FREITAS, Cinthia O. de A.; MALUCELLI, Andreia. Privacy in Practice: Exploring Concrete Relationships Between Privacy Patterns and Privacy by Design Principles in Software Engineering. In: CONGRESSO IBERO-AMERICANO EM ENGENHARIA DE SOFTWARE (CIBSE), 27., 2024, Curitiba/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 271-285. DOI: