ABSTRACT
The purpose of establishing the Brazilian General Data Protection Law (LGPD) was to introduce regulations for organizations regarding collecting, transmitting, and storing individuals’ data. However, understanding the LGPD poses a significant challenge for requirements analysts, particularly in extracting and operationalizing privacy requirements. This experience report proposes to assess and enhance an existing checklist known as LGPD-Check, which serves as a method for evaluating software systems’ compliance with the quality attributes specified by the LGPD. The assessment checklist consists of multiple attributes distributed among several evaluation categories, including data transparency, holder consent, holder’s rights, data security, and controller’s responsibility. The LGPD-Check was applied within a government office to evaluate the checklist’s effectiveness, involving eight IT professionals responsible for different web applications, followed by a focus group meeting. Moreover, we evaluate the office’s systems regarding compliance with the LGPD. Preliminary findings indicate that the current version of the checklist facilitates the identification of issues related to software systems’ compliance with the LGPD and shows that we have a long journey to attend the LGPD in our software systems.
- Eric Araújo, Jéssyka Vilela, Carla Silva, and Carina Alves. 2021. Are My Business Process Models Compliant With LGPD? The LGPD4BP Method to Evaluate and to Model LGPD Aware Business Processes. In XVII Brazilian Symposium on Information Systems (Uberlândia, Brazil) (SBSI 2021). Association for Computing Machinery, New York, NY, USA, Article 46, 9 pages. https://doi.org/10.1145/3466933.3466982Google ScholarDigital Library
- Masoud Barati, Gagangeet Singh Aujla, Jose Tomas Llanos, Kwabena Adu Duodu, Omer F Rana, Madeline Carr, and Rajiv Rajan. 2021. Privacy-Aware cloud auditing for gdpr compliance verification in online healthcare. IEEE Transactions on Industrial Informatics (2021).Google Scholar
- Victor R Basili and H Dieter Rombach. 1988. The TAME project: Towards improvement-oriented software environments. IEEE Transactions on software engineering 14, 6 (1988), 758–773.Google ScholarDigital Library
- Anderson Bastos, Emerson Rios, Ricardo Cristalli, Trayahú Moreira, 2007. Base de conhecimento em teste de software. São Paulo 30 (2007), 32.Google Scholar
- Regina Becker, Pinar Alper, Valentin Grouès, Sandrine Munoz, Yohan Jarosz, Jacek Lebioda, Kavita Rege, Christophe Trefois, Venkata Satagopam, and Reinhard Schneider. 2019. DAISY: A Data Information System for accountability under the General Data Protection Regulation. GigaScience 8, 12 (2019), giz140.Google Scholar
- Brasil. 2018. Lei N° 13.709, de 14 De Agosto De 2018. Lei Geral de Proteção de Dados Pessoais (LGPD). 13709 (2018). http://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2018/Lei/L13709.htmGoogle Scholar
- Brazil. 1988. Constitution of the Federative Republic of Brazil. Presidência da República. https://www.planalto.gov.br/ccivil_03/constituicao/ConstituicaoCompilado.htmGoogle Scholar
- Brazil. 1993. Supplementary Law No. 75 of 1993: Article 76. https://www.planalto.gov.br/ccivil_03/leis/lcp/Lcp75.htm#art76Google Scholar
- Edna Dias Canedo, Angelica Toffano Seidel Calazans, Ian Nery Bandeira, Pedro Henrique Teixeira Costa, and Eloisa Toffano Seidel Masson. 2022. Guidelines adopted by agile teams in privacy requirements elicitation after the Brazilian general data protection law (LGPD) implementation. Requirements Engineering 27, 4 (2022), 545–567.Google ScholarDigital Library
- Edna Dias Canedo, Angelica Toffano Seidel Calazans, Anderson Jefferson Cerqueira, Pedro Henrique Teixeira Costa, and Eloisa Toffano Seidel Masson. 2021. Agile Teams’ Perception in Privacy Requirements Elicitation: LGPD’s compliance in Brazil. In 2021 IEEE 29th International Requirements Engineering Conference (RE). IEEE, 58–69.Google Scholar
- Tiago Celidonio, Paulo Sergio Neves, and Claudio Melim Doná. 2020. Metodologia para mapeamento dos requisitos listados na LGPD (Lei Geral de Proteção de Dados do Brasil número 13.709/18) e sua adequação perante a lei em uma instituição financeira-Um estudo de caso/Methodology for mapping and adequacy of the requirements listed in LGPD (Brazil Data Protection General Law number 13 709/18) in a financial institution-A case study. Brazilian Journal of Business 2, 4 (2020), 3626–3648.Google Scholar
- Clarice Maria Dall’Agnol and Maria Helena Trench. 1999. Grupos focais como estratégia metodológica em pesquisas na enfermagem. Revista gaúcha de enfermagem. Porto Alegre. Vol. 20, n. 1 (jan. 1999), p. 5-25 (1999).Google Scholar
- Fred D Davis, Richard P Bagozzi, and Paul R Warshaw. 1989. User acceptance of computer technology: A comparison of two theoretical models. Management science 35, 8 (1989), 982–1003.Google ScholarDigital Library
- Verônica de Azevedo Mazza, Norma Suely Falcão de Oliveira Melo, and Anna Maria Chiesa. 2009. O grupo focal como técnica de coleta de dados na pesquisa qualitativa: relato de experiência. Cogitare Enfermagem 14, 1 (2009).Google Scholar
- Mary Debus. 1994. Manual para excelencia en la investigación mediante grupos focales. In Manual para excelencia en la investigación mediante grupos focales. 97–97.Google Scholar
- Thaile Xavier Dantas Duarte 2020. Tecnologia, uso, coleta e tratamento de dados: o futuro do poder econômico? (2020).Google Scholar
- European Commission. 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). https://eur-lex.europa.eu/eli/reg/2016/679/ojGoogle Scholar
- Sâmmara Éllen Renner Ferrão, Artur Potiguara Carvalho, Edna Dias Canedo, Alana Paula Barbosa Mota, Pedro Henrique Teixeira Costa, and Anderson Jefferson Cerqueira. 2021. Diagnostic of Data Processing by Brazilian Organizations—A Low Compliance Issue. Information 12, 4 (2021), 168.Google ScholarCross Ref
- Marcos Kalinowski, Rodrigo Oliveira Spínola, and Guilherme Horta Travassos. 2004. Infra-estrutura computacional para apoio ao processo de inspeção de software. III Simpósio Brasileiro de Qualidade de Software, Brasília, Brasil (2004), 62–77.Google ScholarCross Ref
- Jyrki Kontio, Laura Lehtola, and Johanna Bragge. 2004. Using the focus group method in software engineering: obtaining practitioner and user experiences. In Proceedings. 2004 International Symposium on Empirical Software Engineering, 2004. ISESE’04. IEEE, 271–280.Google ScholarCross Ref
- Karel Kubicek, Jakob Merane, Carlos Cotrini, Alexander Stremitzer, Stefan Bechtold, and David Basin. 2022. Checking Websites’ GDPR Consent Compliance for Marketing Emails. Proceedings on Privacy Enhancing Technologies (2022).Google Scholar
- O. Laitenberger, K. El Emam, and T.G. Harbich. 2001. An internally replicated quasi-experimental comparison of checklist and perspective based reading of code documents. IEEE Transactions on Software Engineering 27, 5 (2001), 387–421. https://doi.org/10.1109/32.922713Google ScholarDigital Library
- Laila Neves Lorenzon. 2021. Análise comparada entre regulamentações de dados pessoais no Brasil e na União Europeia (LGPD e GDPR) e seus respectivos instrumentos de enforcement. Revista do Programa de Direito da União Europeia 1 (2021), 39–52.Google Scholar
- Rodrigo Machado, Diego Kreutz, Giulliano Paz, and Gustavo Rodrigues. 2019. Vazamentos de Dados: Histórico, Impacto Socioeconômico e as Novas Leis de Proteçao de Dados. In Anais da XVII Escola Regional de Redes de Computadores. SBC, 154–159.Google Scholar
- John McIver and Edward G Carmines. 1981. Unidimensional scaling. Vol. 24. Sage.Google Scholar
- João Mendes, Davi Viana, and Luis Rivero. 2021. Developing an Inspection Checklist for the Adequacy Assessment of Software Systems to Quality Attributes of the Brazilian General Data Protection Law: An Initial Proposal. In Brazilian Symposium on Software Engineering. 263–268.Google ScholarDigital Library
- Anderson Boa Morte, Anália Meira, Rostand Costa, and Dênio Mariz. 2020. Uma Análise Sobre o Uso de DLTs no Tratamento de Dados Pessoais: Aderência aos Princípios e Direitos elencados na LGPD. In Anais do III Workshop em Blockchain: Teoria, Tecnologia e Aplicações (Rio de Janeiro). SBC, Porto Alegre, RS, Brasil, 74–87. https://doi.org/10.5753/wblockchain.2020.12435Google ScholarCross Ref
- Jakob Nielsen. 1994. Usability inspection methods. In Conference companion on Human factors in computing systems. 413–414.Google ScholarDigital Library
- Fabrício Peloso, Marcelo Aparecido Costa, Rodrigo Franklin Frogeri, and Cristina Lelis Leal Calegario. 2019. A lei geral de proteção de dados pessoais em empresas brasileiras: uma análise de múltiplos casos. Suma de Negocios 10, 23 (2019), 89–99.Google ScholarCross Ref
- Sandra Domenique Ringmann, Hanno Langweg, and Marcel Waldvogel. 2018. Requirements for legally compliant software based on the GDPR. In Cloud and Trusted Computing 2018 (CeTC 2018) (2018-10-22). https://netfuture.ch/wp-content/uploads/2018/10/ringmann2018requirements.pdfGoogle Scholar
- Marco Antonio Torrez Rojas. 2020. Avaliação da adequação do Instituto Federal de Santa Catarina á Lei Geral de Proteção de Dados Pessoais. (2020).Google Scholar
- Chris Sauer, D Ross Jeffery, Lesley Land, and Philip Yetton. 2000. The effectiveness of software development technical reviews: A behaviorally motivated program of research. IEEE Transactions on Software Engineering 26, 1 (2000), 1–14.Google ScholarDigital Library
- Jonatas S Souza, Jair M Abe, Luiz A de Lima, and Nilson A de Souza. 2020. The General Law Principles for Protection the Personal Data and their Importance. arXiv preprint arXiv:2009.14313 (2020).Google Scholar
- Tribunal de Contas da União. 2022. Diagnóstico sobre os controles implementados pelas organizações públicas federais para adequação à LGPD. https://portal.tcu.gov.br/data/files/B4/25/78/27/D9C818102DFE0FF7F18818A8/038.172-2019-4-AN%20-%20auditoria_Lei%20Geral%20de%20Protecao%20de%20Dados.pdf Diagnóstico sobre os controles implementados pelas organizações públicas federais para adequação à LGPD.Google Scholar
Index Terms
- Enhancing LGPD Compliance: Evaluating a Checklist for LGPD Quality Attributes within a Government Office
Recommendations
Are My Business Process Models Compliant With LGPD? The LGPD4BP Method to Evaluate and to Model LGPD aware Business Processes
SBSI '21: Proceedings of the XVII Brazilian Symposium on Information SystemsContext: Data privacy and data security became a priority among the problems faced by many Brazilian organizations that should be compliant with the Lei Geral de Proteção de Dados Pessoais (LGPD). This law defines the privacy rights on user data and ...
Ensuring privacy in the application of the Brazilian general data protection law (LGPD)
SAC '22: Proceedings of the 37th ACM/SIGAPP Symposium on Applied ComputingCurrently, many organizations make use of the personal data of their users. Personal data is the set of information that can lead to the identification of a specific person and, therefore, this information is generally vital for the operations and ...
Developing an Inspection Checklist for the Adequacy Assessment of Software Systems to Quality Attributes of the Brazilian General Data Protection Law: An Initial Proposal
SBES '21: Proceedings of the XXXV Brazilian Symposium on Software EngineeringThe General Data Protection Law (LGPD) in Brazil was created with the goal of regulating how associations collect, transmit and store users’ personal data. Although it became applicable in 2020, several software development teams still don’t know what ...
Comments