Privacy-Compliant Software Reuse in Early Development Phases: A Systematic Literature Review

Context: Privacy-compliant software development has received substantial attention in recent years, especially with the growth of digital services and the emergence of privacy regulations and standards. The increasing popularity of open-source software repositories and reuse practices challenges privacy-compliant software development.Objective: This paper aims to present the state-of-the-art in privacy-compliant software reuse, focusing on early development phases of requirements engineering, domain analysis and software design, as well as to discuss the current challenges that identify directions for future research.Method: We conducted a Systematic Literature Reviews (SLR) and analyzed 61 papers published in the last two decades, in terms of their business and technological domains, followed reuse approaches, applied privacy strategies, and utilized evaluation approaches. Results: The reviewed studies vary in terms of business domains (e.g., healthcare, smart objects and finance) and technological domains (e.g., IoT, mobile, cloud and microservices). Most of the studies do not refer to a specific regulation and if so - to GDPR. Their common purpose is to support benign reuse, most notably through patterns, components & libraries and model-driven engineering, but malicious reuse is also researched to a lesser extent. A strong emphasis is put on integrating privacy strategies whose goal is building trust and transparency (in particular, inform and demonstrate), while other strategies are studied to a limited extent in software reuse context. Evaluation is commonly performed through analytical, observational and experimental approaches.Conclusions: The operationalization of privacy compliance practices for existing software artifacts is still challenging. The challenges encompass improving trustworthiness of reused artifacts, ensuring privacy compliance in distributed architectures, bridging the gap between legal regulations and software requirements, enhancing privacy analysis and vulnerability detection, supporting late application of privacy strategies, and developing objective assessments for privacy-compliant software reuse.