The Evolving Landscape of Privacy Engineering: Practitioner Perspectives, Organizational Dynamics, and Current Methodologies

Authors

  • Dr. Ibrahim H. Al-Mutairi Department of Computer Science, King Abdullah University of Science and Technology (KAUST), Saudi Arabia

Keywords:

Privacy engineering, practitioner perspectives, organizational dynamics, data protection

Abstract

The proliferation of personal data and the increasing stringency of global privacy regulations have elevated privacy from a mere legal compliance concern to a fundamental engineering challenge. Privacy engineering, a nascent yet critical discipline, focuses on embedding privacy protections directly into the design and operation of information systems. This article synthesizes existing research to explore the multifaceted realities of privacy engineering as experienced by practitioners in real-world settings. Specifically, it delves into the mindsets of privacy engineers and software developers, examines the organizational factors that influence privacy integration, and reviews the current methodologies and practices employed. Through a qualitative synthesis of relevant literature, we highlight the significant gaps between regulatory expectations and practical implementation, driven by varied practitioner understandings, diverse organizational cultures and climates, and the inherent complexities of translating abstract privacy principles into concrete technical solutions. The findings underscore the socio-technical nature of privacy engineering, emphasizing that effective privacy protection requires not only robust technical tools but also a strong organizational commitment and a pervasive privacy-aware mindset among all stakeholders.

References

W. Stallings, Information Privacy Engineering and Privacy by Design: Understanding Privacy Threats, Technology, and Regulations Based on Standards and Best Practices. London, U.K.: Pearson Education, 2019.

G. Greenleaf, “Now 157 countries: Twelve data privacy laws in 2021/22,” 176 Privacy Laws Bus. Int. Rep. 1, UNSW Law Research, pp. 3–8, Mar., 2022. [Online]. Available: https://ssrn.com/abstract=4137418

European Commission, “Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing directive 95/46/EC (general data protection regulation),” Official J. Eur. Union, vol. 119, pp. 1–88, Apr. 2016.

K. A. Houser and W. G. Voss, “GDPR: The end of Google and Facebook or a new paradigm in data privacy,” Richmond J. Law Technol., vol. 25, pp. 1–109, 2018.

S. Gürses and J. M. Del Álamo, “Privacy engineering: Shaping an emerging field of research and practice,” IEEE Secur. Privacy, vol. 14, no. 2, pp. 40–46, Mar./Apr.2016.

I. Hadar , “Privacy by designers: Software developers’ privacy mindset,” Empirical Softw. Eng., vol. 23, no. 1, pp. 259–289, 2018.

M. Peixoto , “On understanding how developers perceive and interpret privacy requirements research preview,” in Proc. Int. Work. Conf. Requirements Eng. Found. Softw. Qual., Springer, 2020, pp. 116–123.

R. Arizon-Peretz, I. Hadar, G. Luria, and S. Sherman, “Understanding developers’ privacy and security mindsets via climate theory,” Empir. Softw. Eng., vol. 26, no. 6, pp. 1–43, 2021.

R. Balebako, A. Marsh, J. Lin, J. I. Hong, and L. F. Cranor, “The privacy and security behaviors of smartphone app developers,” in Proc. Workshop Usable Secur., San Diego, CA, USA, 2014, pp. 1–10.

T. Li, Y. Agarwal, and J. I. Hong, “Coconut: An IDE plugin for developing privacy-friendly apps,” Proc. ACM Interactive Mobile Wearable Ubiquitous Technol., vol. 2, no. 4, pp. 1–35, 2018.

K. Bednar, S. Spiekermann, and M. Langheinrich, “Engineering privacy by design: Are engineers ready to live up to the challenge?,” Inf. Soc., vol. 35, no. 3, pp. 122–142, 2019.

J. Henrich, S. J. Heine, and A. Norenzayan, “Most people are not weird,” Nature, vol. 466, no. 7302, pp. 29–29, 2010.

V. Braun and V. Clarke, “Using thematic analysis in psychology,” Qualitative Res. Psychol., vol. 3, no. 2, pp. 77–101, 2006.

M. Bishop , Introduction to Computer Security, vol. 50. Boston, MA, USA: Addison-Wesley, 2005.

M. Hansen, “Top 10 mistakes in system design from a privacy perspective and privacy protection goals,” in Proc. IFIP PrimeLife Int. Summer Sch. Privacy Identity Manage. Life, Trento, Italy, Springer, 2012, pp. 14–31.

M. Hansen, M. Jensen, and M. Rost, “Protection goals for privacy engineering,” in Proc. IEEE Secur. Privacy Workshops, 2015, pp. 159–166.

S. Brooks, M. Garcia, N. Lefkovitz, S. Lightman, and E. Nadeau, “An introduction to privacy engineering and risk management in federal systems,” Jan.2017. [Online]. Available: https://doi.org/10.6028/NIST.IR.8062

Brazilian Government, “Lei geral de protecao de dados pessoais (LGPD). (redacao dada pela lei no 13.853, de 2019),” 2018. [Online]. Available: http://www.planalto.gov.br/ccivil_03/_ato2015–2018/2018/Lei/L13709.htm

Australian Government, “Privacy Act 1988, no. 119, 1988 - compilation no. 86,” 2021. [Online]. Available: https://www.legislation.gov.au/Details/C2021C00139/02315fce-95e7–41e5-acf1-e39c157fc4bc

E. Commission, “Adequacy decisions—How the EU determines if a non-EU country has an adequate level of data protection,” Mar.2021. [Online]. Available: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

S. Fischer-Hübner and S. Berthold, “Privacy-enhancing technologies,” in Computer and Information Security Handbook, Amsterdam, Netherlands: Elsevier, 2017, pp. 759–778.

G. Van Blarkom, J. J. Borking, and J. E. Olk, “Handbook of privacy and privacy-enhancing technologies,” Privacy Incorporated Softw. Agent (PISA) Consortium, The Hague, vol. 198, pp. 1–372, 2003.

A. Ceross and A. Simpson, “Rethinking the proposition of privacy engineering,” in Proc. New Secur. Paradigms Workshop, New York, NY, USA, 2018, pp. 89–102.

M. Colesky, K. Demetzou, L. Fritsch, and S. Herold, “Helping software architects familiarize with the General Data Protection Regulation,” in Proc. IEEE Int. Conf. Softw. Architecture Companion, 2019, pp. 226–229.

A. Cavoukian , “Privacy by design: The 7 foundational principles,” Inf. Privacy Commissioner Ontario, Canada, vol. 5, pp. 1–12, 2009.

S. Gürses, C. Troncoso, and C. Diaz, “Engineering privacy by design,” Comput. Privacy Data Protection, vol. 14, no. 3, pp. 1–25, 2011.

J.-H. Hoepman, “Privacy design strategies,” in Proc. IFIP Int. Inf. Secur. Conf., Springer, 2014, pp. 446–459.

M. Colesky, J.-H. Hoepman, and C. Hillen, “A critical analysis of privacy design strategies,” in Proc. IEEE Secur. Privacy Workshops, 2016, pp. 33–40.

M. Hafiz, “A collection of privacy design patterns,” in Proc. Conf. Pattern Lang. Programs, 2006, pp. 1–13.

J. Lenhard, L. Fritsch, and S. Herold, “A literature study on privacy patterns research,” in Proc. IEEE 43rd Euromicro Conf. Softw. Eng. Adv. Appl., 2017, pp. 194–201.

R. Clarke, “Privacy impact assessment: Its origins and development,” Comput. Law Secur. Rev., vol. 25, no. 2, pp. 123–135, 2009.

ISO, “ISO/IEC TR 27550:2019 information technology - security techniques - privacy engineering for system life cycle processes,” Sep.2019. [Online]. Available: https://www.iso.org/standard/72024.html

K. R. Boeckl and N. B. Lefkovitz, “NIST privacy framework: A tool for improving privacy through enterprise risk management, version 1.0,” Jan.2020. [Online]. Available: https://doi.org/10.6028/NIST.CSWP.01162020

S. P. Brown and T. W. Leightanding user privacy expectations: A software developer's perspective,” Telematics Informat., vol. 35, no. 7, pp. 1845–1862, 2018.

A. Senarath and N. A. Arachchilage, “Why developers cannot embed privacy into software systems? An empirical investigation,” in Proc. 22nd Int. Conf. Eval. Assessment Softw. Eng., 2018, pp. 211–216.

[A. Senarath, M. Grobler, and N. A. G. Arachchilage, “Will they use it or not? Investigating software developers’ intention to follow privacy engineering methodologies,” ACM Trans. Privacy Secur., vol. 22, no. 4, pp. 1–30, 2019.

A. Alhazmi and N. A. G. Arachchilage, “I’m all ears! Listening to software developers on putting GDPR principles into software development practice,” Pers. Ubiquitous Comput., vol. 25, no. 5, pp. 879–892, 2021.

T. Li, E. Louie, L. Dabbish, and J. I. Hong, “How developers talk about personal data and what it means for user privacy: A case study of a developer forum on reddit,” Proc. ACM Hum.- Comput. Interaction, vol. 4, pp. 1–28, 2021.

M. Tahaei, T. Li, and K. Vaniea, “Understanding privacy-related advice on stack overflow,” Proc. Priv. Enhancing Technol., vol. 2022, no. 2, pp. 114–131, 2022.

L. Nurgalieva, A. Frik, and G. Doherty, “WiP: Factors affecting the implementation of privacy and security practices in software development: A narrative review,” in Proc. 8th Annu. Hot Topics Sci. Secur. Symp., 2021, pp. 1–15.

L. H. Iwaya, G. H. Iwaya, S. Fischer-Hübner, and A. V. Steil, “Organizational privacy culture and climate: A scoping review,” IEEE Access, vol. 10, pp. 73907–73930, 2022.

N. Agrawal, R. Binns, M. Van Kleek, K. Laine, and N. Shadbolt, “Exploring design and governance challenges in the development of privacy-preserving computation,” in Proc. CHI Conf. Hum. Factors Comput. Syst., 2021, pp. 1–13.

S. Alkhatib, J. Waycott, and G. Buchanan, “Privacy in aged care monitoring devices (ACMD): The developers’ perspective,” in Digital Health: Changing the Way Healthcare is Conceptualised and Delivered, Amsterdam Netherlands: IOS Press, 2019.

N. Alomar and S. Egelman, “Developers say the darnedest things: Privacy compliance processes followed by developers of child-directed apps,” Proc. Privacy Enhancing Technol., vol. 4, pp. 250–273, 2022.

D. Adams, A. Bah, C. Barwulor, N. Musaby, K. Pitkin, and E. M. Redmiles, “Ethics emerging: The story of privacy and security perceptions in virtual reality,” in Proc. 14th Symp. Usable Privacy Secur., 2018, pp. 427–442.

S. Sirur, J. R. Nurse, and H. Webb, “Are we there yet? Understanding the challenges faced in complying with the General Data Protection Regulation (GDPR),” in Proc. 2nd Int. Workshop Multimedia Privacy Secur., 2018, pp. 88–95.

Downloads

Published

2025-04-11

How to Cite

Dr. Ibrahim H. Al-Mutairi. (2025). The Evolving Landscape of Privacy Engineering: Practitioner Perspectives, Organizational Dynamics, and Current Methodologies. Journal of Computer Science Implications, 4(1), 20–28. Retrieved from https://csimplications.com/index.php/jcsi/article/view/64

Issue

Vol. 4 No. 1 (2025): Volume 04 Issue 01

Section

Articles

License

Copyright (c) 2025 Dr. Ibrahim H. Al-Mutairi

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

Authors retain full copyright of their published work. By submitting to an ERDAST journal and upon acceptance of the article, the author(s) agree to grant the journal a non-exclusive license to publish, reproduce, distribute, and archive the article. All articles are published under the terms of the Creative Commons Attribution 4.0 International License (CC BY 4.0).

Under this license: Others may copy, distribute, display, remix, adapt, and build upon the work, even commercially, As long as proper credit is given to the original author(s) and source, A link to the license is provided, an, Any changes are clearly indicated.

???? License link: https://creativecommons.org/licenses/by/4.0/