🤖 AI Summary
Background: Prior GDPR privacy research in mobile applications lacks systematic secondary reviews, suffers from disciplinary fragmentation, and has long neglected core principles—such as data minimisation, the right to erasure, and the right to data portability. Method: This paper presents the first systematic literature review (SLR) specifically targeting GDPR privacy research in mobile applications, integrating thematic coding with cross-domain conceptual mapping. Contribution/Results: We find widespread superficial understanding of GDPR among existing studies and a significant disconnect between requirements engineering and software engineering practices in achieving compliance. Six categories of conceptual coverage gaps and practical shortcomings are identified. Building on these findings, we propose a novel GDPR compliance pathway that integrates privacy-by-design into the software development lifecycle and distil six key future research directions and actionable practice recommendations to bridge the theory–practice gap.
📝 Abstract
The General Data Protection Regulation (GDPR) is the benchmark in the European Union (EU) for privacy and data protection standards. Substantial research has been conducted in the requirements engineering (RE) literature investigating the elicitation, representation, and verification of privacy requirements in GDPR. Software systems including mobile apps must comply with the GDPR. With the growing pervasiveness of mobile apps and their increasing demand for personal data, privacy concerns have acquired further interest within the software engineering (SE) community at large. Despite the extensive literature on GDPR-relevant privacy concerns in mobile apps, there is no secondary study that describes, analyzes, and categorizes the current focus. Research gaps and persistent challenges are thus left unnoticed. In this article, we aim to systematically review existing primary studies highlighting various GDPR concepts and how these concepts are addressed in mobile apps research. The objective is to reconcile the existing work on GDPR in the RE literature with the research on GDPR-related privacy concepts in mobile apps in the SE literature. Our findings show that the current research landscape reflects a rather shallow understanding of GDPR requirements. Some GDPR concepts such as data subject rights (i.e., the rights of individuals over their personal data) are fundamental to GDPR, yet under-explored in the literature. In this article, we highlight future directions to be pursued by the SE community for supporting the development of GDPR-compliant mobile apps.