{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,27]],"date-time":"2026-04-27T10:27:36Z","timestamp":1777285656615,"version":"3.51.4"},"reference-count":54,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2021,8,9]],"date-time":"2021-08-09T00:00:00Z","timestamp":1628467200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2022,1,31]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to explore the changes imposed by the general data protection regulation (GDPR) on software engineering practices. The fundamental objective is to have a perception of the practices and phases that have experienced the greatest changes. Additionally, it aims to identify a set of good practices that can be adopted by software engineering companies.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>This study uses a qualitative methodology through four case studies involving Portuguese software engineering companies. Two of these companies are small and medium enterprises (SMEs) while the other remaining two are micro-companies. The thematic analysis is adopted to identify patterns in the performed interviews.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The findings indicate that significant changes have occurred at all stages of software development. In particular, the initial stages of identifying requirements and modeling processes were the stages that experienced the greatest changes. On the opposite, the technical development phase has not noticeably changed but, nevertheless, it is necessary to look at the importance of training software developers for GDPR rules and practices.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>Two relevant limitations were identified as follows: only four case studies involving micro-companies and SMEs were considered, and only the traditional software development methodology was considered. The use of agile methodologies was not explored in this study and the findings can only be mainly applied to the waterfall model.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This study offers mainly practical contributions by identifying a set of challenges that are posed to software engineering companies by the implementation of GDPR. Through their knowledge, it is expected to help these companies to better prepare themselves and anticipate the challenges they will necessarily face.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-03-2020-0043","type":"journal-article","created":{"date-parts":[[2021,8,6]],"date-time":"2021-08-06T05:41:16Z","timestamp":1628228476000},"page":"79-96","source":"Crossref","is-referenced-by-count":15,"title":["The impact of general data protection regulation on software engineering practices"],"prefix":"10.1108","volume":"30","author":[{"given":"Lu\u00eds","family":"Leite","sequence":"first","affiliation":[]},{"given":"Daniel Rodrigues","family":"dos Santos","sequence":"additional","affiliation":[]},{"given":"Fernando","family":"Almeida","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2021,8,9]]},"reference":[{"issue":"2","key":"key2022012710484285900_ref001","doi-asserted-by":"crossref","first-page":"49","DOI":"10.4018\/IJITWE.2017040103","article-title":"Approaches and principles for UX web experiences: a case study approach","volume":"12","year":"2017","journal-title":"International Journal of Information Technology and Web Engineering (Engineering)"},{"issue":"78","key":"key2022012710484285900_ref002","first-page":"364","article-title":"Efficient cryptographic encryption techniques for data privacy preservation","volume":"8","year":"2019","journal-title":"International Journal of Innovative Technology and Exploring Engineering (IJITEE)"},{"key":"key2022012710484285900_ref003","unstructured":"Barrett, C. (2019), \u201cWhat does GDPR mean for UX?\u201d, available at: https:\/\/uxdesign.cc\/what-does-gdpr-mean-for-ux-9b5ecbc5 (accessed 12 March 2020)."},{"issue":"1","key":"key2022012710484285900_ref004","doi-asserted-by":"crossref","first-page":"26","DOI":"10.1111\/jcom.12276","article-title":"Online privacy concerns and privacy management: a Meta\u2010analytical review","volume":"67","year":"2017","journal-title":"Journal of Communication"},{"key":"key2022012710484285900_ref005","doi-asserted-by":"crossref","first-page":"24","DOI":"10.1016\/S2212-5671(15)01077-1","article-title":"Cyber-Attacks \u2013 trends, patterns and security countermeasures","volume":"28","year":"2015","journal-title":"Procedia Economics and Finance"},{"key":"key2022012710484285900_ref006","unstructured":"Biscoe, C. (2017), \u201cData mapping: where to start for GDPR compliance\u201d, available at: www.itgovernance.co.uk\/blog\/data-mapping-where-to-start-for-gdpr-compliance (accessed 22 March 2020)."},{"key":"key2022012710484285900_ref007","unstructured":"Bluestone, D. (2021), \u201cState of GDPR in 2021: cookie consent for designers and developers\u201d, available at: www.smashingmagazine.com\/2021\/03\/state-gdpr-2021-cookie-consent-designers-developers\/ (accessed 6 March 2021)."},{"issue":"2","key":"key2022012710484285900_ref008","doi-asserted-by":"crossref","first-page":"243","DOI":"10.1007\/s41125-019-00042-z","article-title":"A framework for GDPR compliance for small- and medium-sized enterprises","volume":"4","year":"2019","journal-title":"European Journal for Security Research"},{"issue":"2","key":"key2022012710484285900_ref009","doi-asserted-by":"crossref","first-page":"105","DOI":"10.18261\/issn.2387-3299-2017-02-03","article-title":"Data protection by design and by default: deciphering the EU\u2019s legislative requirements","volume":"1","year":"2017","journal-title":"Oslo Law Review"},{"issue":"1","key":"key2022012710484285900_ref010","doi-asserted-by":"crossref","first-page":"349","DOI":"10.1146\/annurev-orgpsych-041015-062352","article-title":"How technology is changing work and organizations","volume":"3","year":"2016","journal-title":"Annual Review of Organizational Psychology and Organizational Behavior"},{"key":"key2022012710484285900_ref011","unstructured":"Cavoukian, A. (2006), \u201cPrivacy by design: the 7 foundational principles\u201d, available at: https:\/\/iapp.org\/media\/pdf\/resource_center\/pbd_implement_7found_principles.pdf (accessed 5 July 2020)."},{"issue":"3","key":"key2022012710484285900_ref012","doi-asserted-by":"crossref","first-page":"11","DOI":"10.1080\/08874417.2015.11645767","article-title":"Impacts of comprehensive information security programs on information security culture","volume":"55","year":"2015","journal-title":"Journal of Computer Information Systems"},{"key":"key2022012710484285900_ref013","unstructured":"Clearwater, A. and Philbrook, B. (2018), \u201cPrivacy by design and GDPR: putting policy into practice\u201d, available at: www.cpomagazine.com\/data-privacy\/privacy-by-design-and-gdpr-putting-policy-into-practice\/ (accessed 5 July 2020)."},{"issue":"05","key":"key2022012710484285900_ref014","doi-asserted-by":"crossref","first-page":"679","DOI":"10.1017\/glj.2019.56","article-title":"Pre-formulated declarations of data subject consent \u2013 citizen-consumer empowerment and the alignment of data, consumer and competition law protections","volume":"20","year":"2019","journal-title":"German Law Journal"},{"issue":"11","key":"key2022012710484285900_ref015","doi-asserted-by":"crossref","first-page":"1347","DOI":"10.1080\/08870446.2019.1606222","article-title":"Why and how we should care about the general data protection regulation","volume":"34","year":"2019","journal-title":"Psychology and Health"},{"issue":"4","key":"key2022012710484285900_ref016","doi-asserted-by":"crossref","first-page":"1013","DOI":"10.1177\/1073110518822003","article-title":"The EU general data protection regulation: Implications for international scientific research in the digital era","volume":"46","year":"2018","journal-title":"Journal of Law, Medicine and Ethics"},{"key":"key2022012710484285900_ref017","doi-asserted-by":"crossref","unstructured":"Duan, F. (2017), \u201cThe universal declaration of human rights and the modern history of human rights\u201d, available at: https:\/\/papers.ssrn.com\/sol3\/papers.cfm?abstract_id=3066882 (accessed 15 March 2020).","DOI":"10.2139\/ssrn.3066882"},{"issue":"1","key":"key2022012710484285900_ref018","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1093\/idpl\/ipw026","article-title":"The business of personal data: Google, Facebook, and privacy issues in the EU and the USA","volume":"7","year":"2017","journal-title":"International Data Privacy Law"},{"issue":"13","key":"key2022012710484285900_ref019","first-page":"88","article-title":"How do We like to learn qualitative data analysis software?","volume":"24","year":"2019","journal-title":"The Qualitative Report"},{"key":"key2022012710484285900_ref020","unstructured":"Groen, M. (2019), \u201cThe anatomy of a non-intrusive, GDPR-compliant cookie message\u201d, available at: https:\/\/uxdesign.cc\/the-least-obtrusive-and-gdpr-compliant-cookie-message-5df8b82fde8e (accessed 6 March 2021)."},{"key":"key2022012710484285900_ref021","first-page":"139","article-title":"Towards DevOps for privacy-by-design in Data-Intensive applications: a research roadmap","volume-title":"Proceedings of the 8th ACM\/SPEC on International Conference on Performance Engineering Companion, L'Aquila, Italy","year":"2017"},{"issue":"6","key":"key2022012710484285900_ref022","doi-asserted-by":"crossref","first-page":"434","DOI":"10.1111\/eulj.12273","article-title":"Taking proportionality seriously: the use of contextual integrity for a more informed and transparent analysis in EU data protection law","volume":"24","year":"2018","journal-title":"European Law Journal"},{"key":"key2022012710484285900_ref023","unstructured":"HIPAA Journal (2018), \u201cGDPR: What is the role of the data protection officer?\u201d, available at: https:\/\/www.hipaajournal.com\/gdpr-role-of-the-data-protection-officer\/ (accessed 15 March 2020)."},{"issue":"1","key":"key2022012710484285900_ref024","doi-asserted-by":"crossref","first-page":"65","DOI":"10.1080\/13600834.2019.1573501","article-title":"The european union general data protection regulation: what it is and what it means","volume":"28","year":"2019","journal-title":"Information and Communications Technology Law"},{"key":"key2022012710484285900_ref025","unstructured":"KPMG (2017), \u201cThe impact of the general data protection regulation in Portugal\u201d, available at: https:\/\/home.kpmg\/pt\/en\/home\/insights\/2017\/04\/impact-of-gdpr.html (accessed 22 March 2020)."},{"key":"key2022012710484285900_ref026","first-page":"453","article-title":"Empirical studies on online information privacy concerns: literature review and an integrative framework","volume":"28","year":"2011","journal-title":"Communications of the Association for Information Systems"},{"issue":"1","key":"key2022012710484285900_ref027","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1080\/1097198X.2019.1569186","article-title":"The impact of GDPR on global technology development","volume":"22","year":"2019","journal-title":"Journal of Global Information Technology Management"},{"issue":"2","key":"key2022012710484285900_ref028","doi-asserted-by":"crossref","first-page":"146","DOI":"10.1080\/13600834.2017.1321096","article-title":"Consent for processing children\u2019s personal data in the EU: following in US footsteps?","volume":"26","year":"2017","journal-title":"Information and Communications Technology Law"},{"key":"key2022012710484285900_ref029","unstructured":"Marinina, M. (2019), \u201cAI, ML, and data analytics in the age of privacy regulations\u201d, available at: https:\/\/towardsdatascience.com\/ai-ml-and-data-analytics-in-the-age-of-privacy-regulations-2b79447d5239 (accessed 22 March 2020)."},{"issue":"2","key":"key2022012710484285900_ref030","doi-asserted-by":"crossref","first-page":"11","DOI":"10.1080\/2058802X.2019.1668192","article-title":"The data series \u2013 solving the data privacy problem using synthetic data","volume":"2019","year":"2019","journal-title":"Impact"},{"issue":"1","key":"key2022012710484285900_ref031","first-page":"1","article-title":"Privacy-by-design in big data analytics and social mining","volume":"3","year":"2014","journal-title":"EPJ Data Science"},{"issue":"2083","key":"key2022012710484285900_ref032","article-title":"Privacy is an essentially contested concept: a multi-dimensional analytic for mapping privacy","volume":"374","year":"2016","journal-title":"Philosophical Transactions. Series A, Mathematical, Physical, and Engineering Sciences"},{"key":"key2022012710484285900_ref033","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1016\/j.jisa.2018.11.003","article-title":"An analysis on the dimensions of information security culture concept: a review","volume":"44","year":"2019","journal-title":"Journal of Information Security and Applications"},{"issue":"1","key":"key2022012710484285900_ref034","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1186\/s13174-018-0098-z","article-title":"Pseudonymization risk analysis in distributed systems","volume":"10","year":"2019","journal-title":"Journal of Internet Services and Applications"},{"key":"key2022012710484285900_ref035","unstructured":"OECD (2020), \u201cEmployees by business size (indicator)\u201d, available at: https:\/\/data.oecd.org\/entrepreneur\/employees-by-business-size.htm#indicator-chart (accessed 23 (March 2020)."},{"key":"key2022012710484285900_ref036","unstructured":"OPCC (2017), \u201cPrivacy enhancing technologies \u2013 a review of tools and techniques. Office of the privacy commissioner of Canada\u201d, available at: www.priv.gc.ca\/en\/opc-actions-and-decisions\/research\/explore-privacy-research\/2017\/pet_201711 (accessed 22 March 2020)."},{"issue":"1","key":"key2022012710484285900_ref037","first-page":"1","article-title":"Forgetting personal data and revoking consent under the GDPR: Challenges and proposed solutions","volume":"4","year":"2018","journal-title":"Journal of Cybersecurity"},{"issue":"5","key":"key2022012710484285900_ref038","doi-asserted-by":"crossref","first-page":"510","DOI":"10.1108\/DPRG-05-2019-0039","article-title":"The benefits and challenges of general data protection regulation for the information technology sector\u201d, digital policy","volume":"21","year":"2019","journal-title":"Digital Policy, Regulation and Governance"},{"issue":"9","key":"key2022012710484285900_ref039","first-page":"369","article-title":"Strengths and limitation of qualitative and quantitative research methods","volume":"3","year":"2017","journal-title":"European Journal of Education Studies"},{"issue":"1","key":"key2022012710484285900_ref040","article-title":"Open source, open standards, and health care information systems","volume":"13","year":"2011","journal-title":"Journal of Medical Internet Research"},{"issue":"3","key":"key2022012710484285900_ref041","first-page":"176","article-title":"Contribution of privacy by design (of the processes)","volume":"VI","year":"2017","journal-title":"Harvard Deusto Business Research"},{"issue":"2","key":"key2022012710484285900_ref042","doi-asserted-by":"crossref","first-page":"151","DOI":"10.1093\/ijlit\/eaw002","article-title":"Making privacy by design operative","volume":"24","year":"2016","journal-title":"International Journal of Law and Information Technology"},{"key":"key2022012710484285900_ref043","volume-title":"Software Engineering","year":"2015"},{"key":"key2022012710484285900_ref044","doi-asserted-by":"crossref","first-page":"303","DOI":"10.1016\/j.procs.2019.04.043","article-title":"GDPR principles in data protection encourage pseudonymization through most popular and full-personalized devices - mobile phones","volume":"151","year":"2019","journal-title":"Procedia Computer Science"},{"key":"key2022012710484285900_ref045","unstructured":"Taylor, S. (2020), \u201c2020 Cybersecurity statistics, threats, and mitigation options\u201d, available at: https:\/\/restoreprivacy.com\/cyber-security-statistics-2020\/ (accessed 23 March 2020)."},{"issue":"4","key":"key2022012710484285900_ref046","doi-asserted-by":"crossref","first-page":"402","DOI":"10.1108\/DPRG-01-2019-0007","article-title":"The critical success factors of GDPR implementation: a systematic literature review\u201d, digital policy","volume":"21","year":"2019","journal-title":"Digital Policy, Regulation and Governance"},{"issue":"1","key":"key2022012710484285900_ref047","doi-asserted-by":"crossref","first-page":"134","DOI":"10.1016\/j.clsr.2017.05.015","article-title":"EU general data protection regulation: changes and implications for personal data collecting companies","volume":"34","year":"2018","journal-title":"Computer Law and Security Review"},{"key":"key2022012710484285900_ref048","unstructured":"Titus (2018), \u201cGDPR makes employee data security education essential\u201d, available at: https:\/\/titus.com\/blog\/compliance-regulation\/gdpr-makes-employee-data-security-education-essential (accessed 22 March 2020)."},{"key":"key2022012710484285900_ref049","doi-asserted-by":"crossref","first-page":"1746","DOI":"10.1109\/TIFS.2019.2948287","article-title":"GDPR-compliant personal data management: a Blockchain-Based solution","volume":"15","year":"2020","journal-title":"IEEE Transactions on Information Forensics and Security"},{"issue":"2\/3","key":"key2022012710484285900_ref050","first-page":"230","article-title":"Right engineering? The redesign of privacy and personal data protection\u201d, international review of law","volume":"32","year":"2018","journal-title":"Computers and Technology"},{"issue":"1","key":"key2022012710484285900_ref051","doi-asserted-by":"crossref","first-page":"6","DOI":"10.1038\/s41928-018-0193-y","article-title":"Data protection in the age of big data","volume":"2","year":"2019","journal-title":"Nature Electronics"},{"key":"key2022012710484285900_ref052","unstructured":"Wiesemborski, M. (2019), \u201cHow to design with privacy in mind | on privacy by design\u201d, available at: www.getrevue.co\/profile\/martinwiesemborski\/issues\/how-to-design-with-privacy-in-mind-on-privacy-by-design-178180 (accessed 5 July 2020)."},{"key":"key2022012710484285900_ref053","volume-title":"Case Study Research and Applications: Design and Methods","year":"2017"},{"key":"key2022012710484285900_ref054","volume-title":"Qualitative Inquiry and Research Design: Choosing among Five Approaches","year":"2017"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-03-2020-0043\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-03-2020-0043\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:47Z","timestamp":1753406567000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/30\/1\/79-96\/104682"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,8,9]]},"references-count":54,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2021,8,9]]},"published-print":{"date-parts":[[2022,1,31]]}},"alternative-id":["10.1108\/ICS-03-2020-0043"],"URL":"https:\/\/doi.org\/10.1108\/ics-03-2020-0043","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2021,8,9]]}}}