Bridging the Privacy Gap: Developers' Practices and the Missing Role of Privacy Engineers
Authors/Creators
Description
Context: Privacy has become a first-order concern in software engineering, yet organizations still struggle to translate legal mandates into actionable engineering practices and governance routines. Goal: This study investigates how Brazilian software practitioners perceive, adopt, and operationalize privacy standards and practices, identifying challenges and actionable opportunities to strengthen privacy by design in real projects. Method: We conduct a conceptual replication of prior work on privacy engineering, adapting it to the Brazilian context via a survey (31 practitioners). The instrument maps roles and privacy perceptions and practices (RQ1), the use of standards, frameworks, and techniques (RQ2), and challenges and improvement opportunities (RQ3). Results: Practitioners consistently distinguish privacy from security, but formalization is limited. Although 60.7% report considering privacy across the Software Development Life Cycle (SDLC), half do not use privacy-focused methods and 46.4% are unaware of them. Practices skew toward classic security controls (e.g., access control, 85.7%) rather than dedicated privacy engineering artifacts. The Brazilian General Data Protection Law (LGPD) is the dominant compliance driver (82.1%), with low uptake of ISO 27701/NIST PF. Key barriers include unclear legal guidance (53.6%), insufficient training (42.9%), and late integration of privacy (39.3%). Automation remains incipient (14.3% fully automated Data Subject Rights (DSAR) workflows; 42.9% manual). Organizational support is uneven (39.3% sufficient; 39.3% partial; 21.4% insufficient). Spearman correlations revealed strong relationships (ρ up to 0.63) between experience, training, and integration practices, indicating that professional maturity and capacity building are key enablers of privacy-by-design adoption. Conclusion: Results indicate a persistent gap between awareness and effective governance. We recommend (i) targeted training and curricular inclusion, (ii) clearer role/accountability assignments, and (iii) investment in tooling/automation to operationalize privacy-by-design. These actions can help shift privacy from reactive compliance to a sustained dimension of software quality in Brazilian
Files
Survey Questions.pdf
Additional details
Dates
- Accepted: 2025-11-14