Mapping the Privacy-by-Design Domain and Its Organisational Activities: Two Multivocal Literature Reviews

The privacy-by-design (PbD) paradigm was formulated to embed privacy throughout the entire life cycle of systems, processing activities, and data. However, existing research describes a lack of clarity, guidance, and structure resulting in this field being stuck in high-level principles and guidelines. The aim of this research is to investigate the functional composition of the PbD domain by identifying key practices and distilling activity categories. Two multivocal literature reviews are conducted to examine (1) privacy-related maturity models and (2) works related to PbD application. A total of 847 consolidated PbD practices were identified from various fields and disciplines, aggregated through a coding approach, and subsequently used to structure the domain into 14 prominent activity categories. We provide a first holistic overview of organisational PbD activities. This can aid in developing new artifacts that improve upon existing artifacts which currently insufficiently support the multidisciplinary nature of PbD.