Translating Privacy Design Principles Into Human-Centered Software Lifecycle: A Literature Review

Desolda G.; Lanzilotti R.; Barletta V. S.
2023-01-01

Abstract

Companies and organizations involved in software development are stimulated, and often obliged, to consider procedures and technical solutions that guarantee data privacy and protection from the early phases of the software lifecycle. In addition, by default, personal data should be processed with the highest level of privacy protection. These two requirements are the Privacy by Design and Privacy by Default principles. Their importance has grown quickly in the last few years, as demonstrated by data protection regulations such as GDPR and PIPEDA, which include them as an important part of some of their articles. However, such regulations do not provide any practical or concrete indications of software requirements, and developers often lack adequate knowledge to understand the privacy prescriptions expressed in legal language. This study addresses these limitations by presenting a systematic and rigorous literature review that aims to answer the following research questions: (RQ1) How do Privacy-By-Design and Privacy-By-Default principles translate into software requirements? and (RQ2) How do Privacy-By-Design and Privacy-By-Default principles integrate into a Human-Centred Design process? For RQ1, the analysis of the resulting publications led to identifying several software requirements and business processes organized along 8 data-oriented and process-oriented privacy design strategies. For RQ2, the analysis of the retrieved publications provided a comprehensive view of the HCI methodologies adopted to comply with privacy requirements, identified current shortcomings, and proposed future research directions. The results have been distilled into an initial framework that may aid the development of software that must comply with such principles and aims to integrate them into an HCD process.
Files in this item:

Translate+Privacy+Design+Strategies+into+Human+Centered+software+lifecycle_postPrint.pdf
Open Access from 20/06/2024
Description: POST PRINT
Type: Post-print document
License: Creative Commons
Size: 648.62 kB
Format: Adobe PDF

Translating Privacy Design Principles Into Human-Centered Software Lifecycle A Literature Review.pdf
Not available
Type: Publisher's version
License: NOT PUBLIC - Private/restricted access
Size: 2.24 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11586/442440
Citations
  • PubMed Central: N/A
  • Scopus: 12
  • Web of Science (ISI): 6