This study addresses a critical gap in Privacy by Design (PbD) requirements engineering: the absence of an effective evaluation mechanism grounded in organizational objectives, which often leads to a misalignment between selected PbD methods and actual organizational goals. To bridge this gap, the authors propose a novel goal-oriented evaluation framework that shifts away from traditional process-centric paradigms by positioning organizational goals as a central dimension for assessing PbD approaches. Through an iterative process involving literature review, interviews with practitioners, and empirical validation, the framework was developed and refined. The research demonstrates the feasibility and practical utility of this approach, offering both theoretical grounding and actionable guidance for selecting, tailoring, and developing PbD methods aligned with organizational priorities.

Implementing privacy by design (PbD) according to the General Data Protection Regulation (GDPR) is met with a growing number of requirements engineering (RE) approaches. However, the question of which RE method for PbD fits best the goals of organisations remains a challenge. We report our endeavor to close this gap by synthesizing a goal-centric approach for PbD methods assessment. We used literature review, interviews, and validation with practitioners to achieve the goal of our study. As practitioners do not approach PbD systematically, we suggest that RE methods for PbD should be assessed against organisational goals, rather than process characteristics only. We hope that, when further developed, the goal-centric approach could support the development, selection, and tailoring of RE practices for PbD.