DOI: 10.1145/3629479.3629497
Research article

Enhancing LGPD Compliance: Evaluating a Checklist for LGPD Quality Attributes within a Government Office

Published: 06 December 2023

Abstract

The purpose of establishing the Brazilian General Data Protection Law (LGPD) was to introduce regulations for organizations regarding collecting, transmitting, and storing individuals' data. However, understanding the LGPD poses a significant challenge for requirements analysts, particularly in extracting and operationalizing privacy requirements. This experience report proposes to assess and enhance an existing checklist known as LGPD-Check, which serves as a method for evaluating software systems' compliance with the quality attributes specified by the LGPD. The assessment checklist consists of multiple attributes distributed among several evaluation categories, including data transparency, holder consent, holder's rights, data security, and controller's responsibility. The LGPD-Check was applied within a government office to evaluate the checklist's effectiveness, involving eight IT professionals responsible for different web applications, followed by a focus group meeting. Moreover, we evaluate the office's systems regarding compliance with the LGPD. Preliminary findings indicate that the current version of the checklist facilitates the identification of issues related to software systems' compliance with the LGPD, and show that our software systems still have a long way to go to comply with the LGPD.


Cited By

  • (2025) Systematic mapping study on requirements engineering for regulatory compliance of software systems. Information and Software Technology 178, 107622. https://doi.org/10.1016/j.infsof.2024.107622. Online publication date: Feb 2025.

Published In

SBQS '23: Proceedings of the XXII Brazilian Symposium on Software Quality
November 2023
391 pages
ISBN: 9798400707865
DOI: 10.1145/3629479

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. General Data Protection Law
      2. LGPD
      3. inspection checklist
      4. quality attributes
      5. software systems

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Funding Sources

      • CAPES
      • FAPEMA

Conference

SBQS '23: XXII Brazilian Symposium on Software Quality
November 7 - 10, 2023
Brasília, Brazil

      Acceptance Rates

      Overall Acceptance Rate 35 of 99 submissions, 35%
