Identifying How the Brazilian Software Industry Specifies Legal Requirements
[Background] Software requirements are usually specified in natural language, which brings challenges for Requirements Engineering (RE) because such specifications are inherently ambiguous. These challenges grow when the requirements must comply with regulations, the so-called legal requirements. A description of the state of practice for tackling ambiguity in legal requirements and ensuring their compliance with regulations is missing. [Goal] This work investigates how ambiguity in the specification of legal requirements is addressed and how the software development industry performs legal compliance. [Method] We followed a qualitative approach based on semi-structured interviews with nine professionals from different companies, who presented their views on the RE process, including legal compliance and ambiguity resolution of legal requirements. Data were collected through audio-recorded interviews and analyzed using Grounded Theory. [Results] Findings revealed that support from the customer and from legal experts during the project could reduce the risk of misinterpreting the legislation. Verification and validation of legal compliance are customer assignments. [Conclusions] Ambiguity resolution and legal compliance of requirements rest on the tacit knowledge of experienced team members or on discussions between the team and the customer.