How Software Industry Specifies Requirements Compliant with Data Protection Laws: a survey-based study

Resumo

[Context] There are few studies focused on discovering the state of practice related to how Information Technology (IT) industry achieves legal compliance in software requirements activities. A previous work reported an interview-based study with seven practitioners from seven IT companies tackling with legal compliance in software requirements specification (SRS). As a result, a initial theory emerged from the interviews and explains a set of factors influencing the work practices used by public and private companies to achieve requirements specification compliance with data protection laws. [Objective] This study reviews and improves the initial theory with information obtained from 39 practitioners regarding how they produce requirements specifications compliant with data protection laws. [Method] We designed a survey protocol that contains an questionnaire composed of a set of propositions inferred from the previous interview-based study and the related literature. [Results] Findings reveal that legal requirements are specified textually and the techniques that help achieve legal compliance are basic knowledge about law for software engineers, training in ambiguity identification techniques, assigning a person for tracing laws and legal regulations, identifying relevant laws and legal regulations to be analysed by lawyers and defining a glossary for all domain-specific concepts and acronyms. [Conclusion] The factors and actions that emerged in this study can be used by researchers and practitioners to leverage the methods and tools they develop or use to specify system requirements that must comply with data protection laws.