Factors influencing companies for reducing ambiguity in legal requirements specification and achieving their compliance with data protection laws

Abstract

Software requirements are mainly specified using natural language, but it brings chal- lenges as it is prone to produce ambiguous specifications. These challenges become bigger when dealing with software requirements that must comply with regulations, the so-called le- gal requirements. Ambiguous requirements specifications may cause the system not to satisfy the stakeholders’ needs and not comply with the legislation. Existing Requirements Engineer- ing approaches to addressing ambiguity and/or achieving legal compliance are not based on knowledge from empirical studies conducted in the software development industry. This thesis aims to overcome this limitation by providing a set of factors and guidelines that help re- duce ambiguity in legal requirements specification and achieve specifications compliant with data protection laws. To achieve this objective, we initially carried out a broad study in the literature to characterize the landscape of legal requirements engineering concerning privacy and security. Then, we analyzed works that developed approaches to deal with ambiguity in the specification of legal requirements. We then investigated how the software development industry tackles the problem through an exploratory study based on semi-structured interviews with twenty-two professionals from public and private companies. Data collected from the interviews were analyzed using grounded theory techniques. We identified factors and out- lined a theory explaining the relationships between them and how they reduce ambiguity in the specification of legal requirements and the compliance of such requirements with data privacy laws. To validate these factors, we conducted a self-administered online survey with professionals. Findings from the studies reveal that discussions among the team, customer, specialized support areas (Legal Sector, Ambiguity Analysis sector, Anonymization Sector), consulting experienced team members with domain knowledge reduce ambiguity and promote legal compliance in requirements specifications. The theory that emerged from the interviews explains a set of factors influencing the work practices used by public and private companies to deal with ambiguity in legal requirements specification and achieve their compliance with regulations. Researchers and practitioners can use these factors and guidelines to leverage the methods and tools they develop or use to support legal requirements specifications.