“Those things are written by lawyers, and programmers are reading that.” Mapping the Communication Gap Between Software Developers and Privacy Experts
Authors: Stefan Albert Horstmann (Ruhr University Bochum), Samuel Domiks (Independent), Marco Gutfleisch (Ruhr University Bochum), Mindy Tran (Paderborn University), Yasemin Acar (Paderborn University, The George Washington University), Veelasha Moonsamy (Ruhr University Bochum), Alena Naiakshina (Ruhr University Bochum)
Volume: 2024
Issue: 1
Pages: 151–170
DOI: https://doi.org/10.56553/popets-2024-0010
Abstract: To ensure data-privacy compliance, it is common for companies to consult privacy experts for the identification and communication of privacy requirements to software developers. However, developers often fail to fulfill those requirements, resulting in companies regularly being fined for violations due to non-compliance with data privacy regulations. To investigate why software developers struggle with the implementation of privacy requirements and to explore their communication modality, we conducted a qualitative semi-structured interview study with 30 participants: 10 software developers, 10 privacy experts, and 10 team coordinators, with an average of nine years of experience in the privacy communication and implementation process within a company context. We found a communication gap between software developers and privacy experts, suggesting a lack of proper procedural steps during the software development process to guarantee that the privacy requirements have been adequately addressed. We also uncovered that, since privacy requirements were mostly communicated in a uni-directional manner, they were often perceived as a hindrance during software development, thus fostering an adversarial relationship between privacy experts and developers. Therefore, in order to fulfill the experts' requirements, software developers requested concrete steps to take during the software development process, as observed in the security field. However, privacy experts often lacked the technical knowledge to provide such instructions. This work contributes an explanatory theory on the communication gap between software developers and privacy experts. We discuss common obstacles in the communication between privacy experts and software developers and provide guidance on how to address them.
Keywords: privacy, privacy requirements, software engineering, GDPR, CCPA, communication, qualitative research
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.