Organisational Privacy Culture and Climate: A Scoping Review

Iwaya, Leonardo Horn; Iwaya, Gabriel Horn; Fischer‐Hübner, Simone; Steil, Andrea Valéria

doi:10.1109/access.2022.3190373

Cited by 11 publications

(10 citation statements)

References 84 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is also worth mentioning that six out of the ten studies in the related work (see Table 1) are country-specific, i.e., in which all the interviewed participants live in the same country. The importance of including more diverse populations and independently replicating prominent studies has already been stressed in the literature, such as the scoping review on OPCC [43]. For such reasons, our research contributes to the existing body of evidence, corroborating and introducing new findings.…”

Section: Identified Research Gapsmentioning

confidence: 52%

“…Scholars have also turned to large software repositories (e.g., GitHub and Stack Overflow), mining posts and question-and-answer websites to interpret how developers talk about privacy [40], [41]. Lastly, secondary research, in the forms of systematic reviews, has also been able to synthesise this growing body of evidence on factors affecting the implementation of privacy and security practices [42] and the conceptualisation of emerging topics such as Organisational Privacy Culture and Climate (OPCC) [43].…”

Section: Related Workmentioning

confidence: 99%

“…Currently, the field of Organisational Privacy Culture and Climate (OPCC) remains largely unexplored from information systems and software engineering perspectives. A scoping review on the topic has shown that the area is still emerging and that there needs to be more primary research to substantiate its theory, constructs, and practical instruments [43]. Studies such as [68], [6], and [8] are some examples of quantitative and qualitative research.…”

Section: Researching Organisational Privacy Culture and Climatementioning

confidence: 99%

See 2 more Smart Citations

Privacy Engineering in the Wild: Understanding the Practitioners' Mindset, Organisational Culture, and Current Practices

Iwaya¹,

Babar²,

Rashid³

2022

Preprint

View full text Add to dashboard Cite

Privacy engineering, as an emerging field of research and practice, comprises the technical capabilities and management processes needed to implement, deploy, and operate privacy features and controls in working systems. For that, software practitioners and other stakeholders in software companies need to work cooperatively toward building privacy-preserving businesses and engineering solutions. Significant research has been done to understand the software practitioners' perceptions of information privacy, but more emphasis should be given to the uptake of concrete privacy engineering components. This research delves into the software practitioners' perspectives and mindset, organisational aspects, and current practices on privacy and its engineering processes. A total of 30 practitioners from various countries and backgrounds were interviewed, sharing their experiences and voicing their opinions on a broad range of privacy topics. The thematic analysis methodology was adopted to code the interview data qualitatively and construct a rich and nuanced thematic framework. As a result, we identified three critical interconnected themes that compose our thematic framework for privacy engineering "in the wild": (1) personal privacy mindset and stance, categorised into practitioners' privacy knowledge, attitudes and behaviours; (2) organisational privacy culture, such as decision-power and positive and negative examples of privacy climate; and, (3) privacy engineering practices, such as procedures and controls concretely used in the industry. Among the main findings, this study provides many insights about the state-of-the-practice of privacy engineering, pointing to a positive influence of privacy laws (e.g., EU General Data Protection Regulation) on practitioners' behaviours and organisations' cultures. Aspects such as organisational privacy culture and climate were also confirmed to have a powerful influence on the practitioners' privacy behaviours. A conducive environment for privacy engineering needs to be created, aligning the privacy values of practitioners and their organisations, with particular attention to the leaders' and top management's commitment to privacy. Organisations can also facilitate education and awareness training for software practitioners on existing privacy engineering theories, methods and tools that have already been proven effective.

show abstract

Section: Identified Research Gapsmentioning

confidence: 52%

Section: Related Workmentioning

confidence: 99%

Section: Researching Organisational Privacy Culture and Climatementioning

confidence: 99%

See 1 more Smart Citation

Privacy Engineering in the Wild: Understanding the Practitioners' Mindset, Organisational Culture, and Current Practices

Iwaya¹,

Babar²,

Rashid³

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Case studies are shown to be one of the most common methodologies for evaluation; nonetheless, other methodologies could be considered, such as using grounded theory in the context of socio-technical systems [96]. This need for further evaluation research has also been discussed in the broader area of privacy engineering [14], [97].…”

Section: B Research Directions 1) Evaluation Researchmentioning

confidence: 99%

On the Evaluation of Privacy Impact Assessment and Privacy Risk Assessment Methodologies: A Systematic Literature Review

Wairimu,

Iwaya,

Fritsch

et al. 2024

IEEE Access

Self Cite

View full text Add to dashboard Cite

Assessing privacy risks and incorporating privacy measures from the onset requires a comprehensive understanding of potential impacts on data subjects. Privacy Impact Assessments (PIAs) offer a systematic methodology for such purposes, which are closely related to Data Protection Impact Assessments (DPIAs), particularly outlined in Article 35 of the General Data Protection Regulation (GDPR). The core of a PIA is a Privacy Risk Assessment (PRA). PRAs can be integrated as part of full-fledged PIAs or independently developed to support PIA processes. Although these methodologies have been identified as essential enablers of privacy by design, their effectiveness has been criticized because of the lack of evidence of their rigorous and systematic evaluation. Hence, we conducted a Systematic Literature Review (SLR) to identify published PIA and PRA methodologies and assess how and to what extent they have been scientifically validated or evaluated. We found that these methodologies are rarely evaluated for their performance in practice, and most of them have only been validated in limited studies. Most validation evidence is found with PRA methodologies. Of the evaluated methodologies, PIAs were the most evaluated, where case studies were the predominant evaluation method. These evaluated methodologies can be easily transferred to an industrial setting or used by practitioners, as they provide evidence of their use in practice. In addition, the findings in this study can be used to inform researchers of the current state-of-the-art, and practitioners can understand the benefits and current limitations of the methodologies and adopt evidencebased practices.

show abstract

“…Scholars have also turned to large software repositories (e.g., GitHub and Stack Overflow), mining posts and question-and-answer websites to interpret how developers talk about privacy [57], [58]. Lastly, secondary research, in the forms of systematic reviews, has also been able to synthesise this growing body of evidence on factors affecting the implementation of privacy and security practices [59] and the conceptualisation of emerging topics such as Organisational Privacy Culture and Climate (OPCC) [60].…”

Section: Related Workmentioning

confidence: 99%

Privacy Engineering in the Wild: Understanding the Practitioners’ Mindset, Organizational Aspects, and Current Practices

Iwaya

Babar

Rashid

2023

IIEEE Trans. Software Eng.

Self Cite

View full text Add to dashboard Cite

Privacy engineering, as an emerging field of research and practice, comprises the technical capabilities and management processes needed to implement, deploy, and operate privacy features and controls in working systems. For that, software practitioners and other stakeholders in software companies need to work cooperatively toward building privacy-preserving businesses and engineering solutions. Significant research has been done to understand the software practitioners' perceptions of information privacy, but more emphasis should be given to the uptake of concrete privacy engineering components. This research delves into the software practitioners' perspectives and mindset, organisational aspects, and current practices on privacy and its engineering processes. A total of 30 practitioners from nine countries and backgrounds were interviewed, sharing their experiences and voicing their opinions on a broad range of privacy topics. The thematic analysis methodology was adopted to code the interview data qualitatively and construct a rich and nuanced thematic framework. As a result, we identified three critical interconnected themes that compose our thematic framework for privacy engineering "in the wild": (1) personal privacy mindset and stance, categorised into practitioners' privacy knowledge, attitudes and behaviours; (2) organisational privacy aspects, such as decision-power and positive and negative examples of privacy climate; and, (3) privacy engineering practices, such as procedures and controls concretely used in the industry. Among the main findings, this study provides many insights about the state-of-the-practice of privacy engineering, pointing to a positive influence of privacy laws (e.g., EU General Data Protection Regulation) on practitioners' behaviours and organisations' cultures. Aspects such as organisational privacy culture and climate were also confirmed to have a powerful influence on the practitioners' privacy behaviours. A conducive environment for privacy engineering needs to be created, aligning the privacy values of practitioners and their organisations, with particular attention to the leaders and top management's commitment to privacy. Organisations can also facilitate education and awareness training for software practitioners on existing privacy engineering theories, methods and tools that have already been proven effective.

show abstract

Organisational Privacy Culture and Climate: A Scoping Review

Cited by 11 publications

References 84 publications

Privacy Engineering in the Wild: Understanding the Practitioners' Mindset, Organisational Culture, and Current Practices

Privacy Engineering in the Wild: Understanding the Practitioners' Mindset, Organisational Culture, and Current Practices

On the Evaluation of Privacy Impact Assessment and Privacy Risk Assessment Methodologies: A Systematic Literature Review

Privacy Engineering in the Wild: Understanding the Practitioners’ Mindset, Organizational Aspects, and Current Practices

Contact Info

Product

Resources

About