Towards a taxonomy of privacy requirements based on the LGPD and ISO/IEC 29100

Sâmmara Éllen Renner Ferrão, Geovana Ramos Sousa Silva, Edna Dias Canedo*, Fabiana Freitas Mendes

*Corresponding author of this work

Research output: Journal article › Review article › peer-reviewed

3 Citations (Scopus)

Abstract

Context: Ensuring compliance with current data privacy legislation is a significant challenge for software development teams, requiring process adaptations to align with legal requirements. Objective: This study proposes a comprehensive taxonomy of privacy requirements drawn from the Brazilian General Data Protection Law (LGPD) and ISO/IEC 29100. The aim is to assist software development teams in navigating the complexities of legal compliance. Method: To define the research gap, we first conducted a systematic literature review (SLR) identifying existing taxonomies of privacy requirements. We then applied the Goal-Based Requirements Analysis Method (GBRAM) to extract privacy requirements from the LGPD and ISO/IEC 29100. Finally, we applied the proposed taxonomy to the privacy policies of Brazil's three largest banks. Results: The taxonomy comprises 129 requirements, categorized into 10 distinct groups across 5 contexts. In applying the taxonomy to ISO/IEC 29100, analysis of 63 statements for GDPR+ISO/IEC 29100 yielded 33 requirements, whereas for LGPD+ISO/IEC 29100, 58 statements resulted in 57 requirements. Applying the taxonomy to the banks' privacy policies revealed adherence percentages ranging from 40% to 71% for the evaluated solutions. Conclusions: The outcomes strongly suggest that major corporations have yet to achieve full LGPD compliance. We posit that the proposed taxonomy offers a valuable industry tool for validating LGPD compliance in implemented systems, as exemplified by our use case with Brazilian banks.

Original language: English
Article number: 107396
Journal: Information and Software Technology
Volume: 168
DOI - permanent links
Status: Published - April 2024
Ministry of Education and Culture publication type: A2 Review article in a scientific journal
