Evaluating Privacy Requirement Patterns Based on the Brazilian General Personal Data Protection Law

Resumo

The literature has shown that requirements analysts often lack comprehensive knowledge about privacy requirements and applicable legislation, such as the Brazilian General Personal Data Protection Law (GDPL). Consequently, software projects may fail to implement privacy requirements, compromising software quality and exposing users to unpleasant risks. As privacy requirements are ubiquitous to most software systems, we developed a reuse-based approach to organize those requirements into a Privacy Requirement Patterns Catalog. Analysts can reuse and adapt requirement patterns according to their needs, saving time and effort when eliciting, specifying, and validating privacy requirements. This paper evaluates the correctness and completeness of the patterns catalog by two experts in GDPL and Software Engineering. Results show that, on average, 85% and 83% of the privacy requirement patterns are correct and complete considering the Brazilian law, suggesting that the catalog can contribute to the quality of the software development process.