An Empirical Study On Socio-Technical Modeling For Interdisciplinary Privacy Requirements
ISSN
0302-9743
Date Issued
2023-10-24
WoS ID
WOS:001560834900008
Abstract
Data protection regulations impose requirements on organizations that require interdisciplinarity. Conceptual modeling of information systems, particularly goal modeling, has served to communicate with stakeholders of different backgrounds for software requirements analysis. An extension for a Socio-Technical Security (STS) modeling language was proposed to include data protection modeling concepts to help represent relevant issues of the European Union’s General Data Protection Regulation. This article examines whether models designed with this extension serve as communication facilitators for privacy compliance and common ground across stakeholders. Through a series of 8 focus groups, with 21 subjects, we observed whether professionals with different backgrounds (software developers, business analysts, and privacy experts) could detect and discuss the GDPR principles and identify privacy compliance “red flags” that we seeded in a use case. Using a qualitative approach to analyze the data, all the groups discussed the majority of the GDPR principles and identified more than 80% of the seeded red flags, with privacy experts identifying the most. This research provides preliminary results on using conceptual modeling as a communication facilitator between stakeholders to contribute to a common ground between them.
OCDE Subjects
Author(s)