Toward Data Protection by Design: Assessing the Current State of GDPR Disclosure in Web Applications

2023 IEEE 31st International Requirements Engineering Conference Workshops (REW) (2023)

Abstract
With the growing popularity of web applications, there is a corresponding need to ensure that they comply with relevant regulations and standards, such as the General Data Protection Regulation (GDPR), which mandates strict guidelines for processing the personal data of European Union data subjects. In this paper, we leverage machine learning and natural language processing techniques to gather a data set of web applications to evaluate their GDPR disclosure by scrutinizing their privacy policies. We present an overview of the current state of GDPR disclosure among web applications and identify areas that require attention. The results show that, among other things, web applications have a relatively high level of GDPR disclosure, with most requirements being covered at around 80-90% when considering them individually. However, there is still room for improvement in disclosing all requirements and providing clarity about user rights regarding data processing. Also, the findings may indicate a deeper underlying cause for the lack of disclosure beyond inaccurate privacy policies, namely, that the data processing activities of the web systems are not aligned with the GDPR. By highlighting the areas where disclosure falls short, our research may offer a starting point for enhancing requirements engineering practices for web applications, aiding the pursuit of data protection by design.
Keywords
GDPR, Web Applications, Data Protection, Machine Learning