• DocumentCode
    2467336
  • Title

    Legal requirements reuse: a critical success factor for requirements quality and personal data protection

  • Author

    Toval, Ambrosio ; Olmos, Alfonso ; Piattini, Mario

  • Author_Institution
    Dept. of Informatics & Syst., Murcia Univ., Spain
  • fYear
    2002
  • fDate
    2002
  • Firstpage
    95
  • Lastpage
    103
  • Abstract
    Information technology misuse has increased the vulnerability of personal data, which has led to growing concern about issues of personal privacy among political leaders, IT managers, information security consultants and the millions of people currently online. Many countries have developed, or are preparing, laws and regulations to combat the related threats and to guarantee personal data protection. Despite efforts to construct secure systems, few papers have, as yet, focused on security from the very outset of the system development life-cycle. This paper presents a pragmatic proposal to incorporate the legal and regulatory measures to guarantee personal data protection as a part of the requirements engineering process, instead of an addendum to system deployment. The authors investigate how recent efforts in the requirements engineering field can contribute to improving security issues in information systems, in particular those dealing with personal data. A reusable collection of security requirements and, as a novelty, personal data protection requirements (including information on related software components links) are provided. The pre-defined requirements, together with a simple process model based on requirements reuse, provide a strategy that organizations can use to become privacy-compliant.
  • Keywords
    data privacy; formal specification; legislation; security of data; software reusability; information systems; laws; legal requirements reuse; personal data protection; personal privacy; process model; regulations; requirements quality; reusable security requirements; Data engineering; Data privacy; Data security; Information management; Information security; Information technology; Law; Legal factors; Protection; Technology management;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Requirements Engineering, 2002. Proceedings. IEEE Joint International Conference on
  • ISSN
    1090-705X
  • Print_ISBN
    0-7695-1465-0
  • Type

    conf

  • DOI
    10.1109/ICRE.2002.1048511
  • Filename
    1048511