Investigating the adaptation of privacy by design in software aimed at Sri Lankan end users

Abstract

Software across desktop, mobile, web, and Internet of Things (IoT) technologies have evolved into powerful tools for customization and understanding user preferences which in turn collect vast amounts of user data. Consequently, organizations and governments worldwide have emphasized the importance of safeguarding user privacy through legal frameworks and principles such as Privacy by Design (PbD). PbD is a proactive approach that integrates privacy considerations into systems and processes from the outset rather than as an afterthought. While several studies have explored the integration of PbD in software development across different countries, there is a lack of research examining how Sri Lanka’s software industry adapts these principles. With the recent enactment of Sri Lanka’s Personal Data Protection Act (PDPA), software development firms are increasingly required to incorporate privacy and data protection measures. However, achieving a comprehensive approach necessitates going beyond regulatory compliance. This study investigates how software companies in Sri Lanka integrate PbD principles into the Software Development Life Cycle (SDLC) to ensure customer data privacy. A qualitative research design was adopted to gain in-depth insights into privacy considerations in software development. Data were collected through semi-structured interviews with seven experienced professionals working in medium-to-large-scale software firms or leading their own companies. Thematic analysis was employed to identify key themes related to privacy, privacy regulation, privacy design, and privacy embedding within the SDLC. Findings indicate that Sri Lankan software developers possess a strong understanding of privacy and legal compliance, particularly in relation to the PDPA. However, opinions remain divided regarding the implementation of pseudonymization and data encryption due to the associated costs and complexities, despite legal recommendations. Privacy embedding was found to be influenced by PbD principles, though not all principles are universally applied across contexts. The most commonly implemented privacy protection measures include data minimization and access control mechanisms. Additionally, the study highlights a trade-off between privacy and software performance, where excessive privacy measures can impact system efficiency and usability. This research contributes to the global discourse on privacy-aware software development by providing the first empirical insights into how the Sri Lankan software industry adapts PbD principles. The findings offer practical implications for industry professionals and policymakers seeking to enhance privacy integration within software development practices in emerging markets