SoK: engineering privacy-aware high-tech systems

The processing of personal data is becoming a key business factor, especially for high-tech system industries such as automotive and healthcare service providers. To protect such data, the European Union (EU) has introduced the General Data Protection Regulation (GDPR), with the aim to standardize and strengthen data protection policies across EU countries. The GDPR defines stringent requirements on the collection and processing of personal data and imposes severe fines and penalties on data controllers and processors for non-compliance. Although the GDPR is enforce since 2018, many public and private organizations are still struggling to fully comply with the regulation. A main reason for this is the lack of usable methodologies that can support developers in designing of GDPR-complaint high-tech systems. This paper examines the growing literature on methodologies for the design of privacy-aware systems, and identifies the main challenges to be addressed in order to facilitate developers in the design of such systems. In particular, we investigate to what extent existing methodologies (i) cover GDPR and privacy-by-design principles, (ii) address different levels of system design concerns, and (iii) have demonstrated their suitability for the purpose. Our literature study shows that the domain landscape appears to be heterogeneous and disconnected, as existing methodologies often focus only on subsets of the GDPR principles and/or on specific angles of system design. Based on our findings, we provide recommendations on the definition of comprehensive methodologies tailored to designing GDPR-compliant high-tech systems.