Toward a Holistic Privacy Requirements Engineering Process: Insights From a Systematic Literature Review

Privacy requirements engineering is a crucial aspect of privacy engineering. It aims to integrate privacy principles into organizational and technical processes throughout the software development lifecycle. This specialized field involves various strategies, including compliance with regulatory frameworks, asset analysis, and system diagram development for threat modeling. The wide range of approaches, while beneficial in providing different perspectives, presents a significant challenge to the novice privacy engineer or developer in identifying the most effective methodologies. The lack of a single methodology highlights the need for a systematic literature review (SLR) to establish a standardized process for privacy requirements engineering that promotes consistency across different methodologies. To address this issue, we conducted a comprehensive SLR to synthesize existing privacy requirements engineering methodologies. Our analysis involved dissecting each method's processes, tasks, techniques, work products, and resources. Our review examined 40 privacy requirements engineering methodologies detailed in 50 papers, from which we extracted five key processes commonly followed in privacy requirements engineering research. We used this as the foundation for a holistic approach to facilitate the adoption of a comprehensive privacy requirements engineering process. The review also identifies ongoing challenges and suggests future directions in this field.