This study addresses the challenge of operationalizing GDPR compliance in software engineering—specifically, how to realize “Privacy by Design” (PbD) at the requirements and system specification levels while reconciling heterogeneous stakeholder interests and ensuring semantic consistency and traceability between legal provisions and technical specifications. We propose a formal modeling approach grounded in original legal concepts, systematically mapping GDPR articles to reusable privacy requirement patterns. Integrating systematic literature analysis, industry interviews, and requirements modeling, we develop a joint specification framework supporting cross-layer abstraction and transparent, bidirectional traceability. Empirical evaluation demonstrates that the framework significantly improves the accuracy of privacy requirement elicitation and the transparency of regulatory specification, thereby providing a scalable, methodology-driven foundation for law–technology co-governance.

Context: Consistent requirements and system specifications are essential for the compliance of software systems towards the General Data Protection Regulation (GDPR). Both artefacts need to be grounded in the original text and conjointly assure the achievement of privacy by design (PbD). Objectives: There is little understanding of the perspectives of practitioners on specification objectives and goals to address PbD. Existing approaches do not account for the complex intersection between problem and solution space expressed in GDPR. In this study we explore the demand for conjoint requirements and system specification for PbD and suggest an approach to address this demand. Methods: We reviewed secondary and related primary studies and conducted interviews with practitioners to (1) investigate the state-of-practice and (2) understand the underlying specification objectives and goals (e.g., traceability). We developed and evaluated an approach for requirements and systems specification for PbD, and evaluated it against the specification objectives. Results: The relationship between problem and solution space, as expressed in GDPR, is instrumental in supporting PbD. We demonstrate how our approach, based on the modeling GDPR content with original legal concepts, contributes to specification objectives of capturing legal knowledge, supporting specification transparency, and traceability. Conclusion: GDPR demands need to be addressed throughout different levels of abstraction in the engineering lifecycle to achieve PbD. Legal knowledge specified in the GDPR text should be captured in specifications to address the demands of different stakeholders and ensure compliance. While our results confirm the suitability of our approach to address practical needs, we also revealed specific needs for the future effective operationalization of the approach.