George Georgiadis

Big Data Analytics enables today's businesses and organisations to process and utilise the raw data that is generated on a daily basis. While Big Data Analytics has improved efficiency and created many opportunities, it has also increased the risk of personal data being compromised or breached. The General Data Protection Regulation (GDPR) mandates Data Protection Impact Assessment (DPIA) as a means of identifying appropriate controls to mitigate risks associated with the protection of personal data. However, little is currently known about how to conduct such a DPIA in a Big Data Analytics context. To this end, we conducted a systematic literature review with the aim of identifying privacy and data protection risks specific to the Big Data Analytics context that could negatively impact individuals' rights and freedoms when they occur. Based on a sample of 159 articles, we applied a thematic analysis to all identified risks which resulted in the definition of nine Privacy Touch Points that summarise the identified risks. The coverage of these Privacy Touch Points was then analysed for ten Privacy Impact Assessment (PIA) methodologies. The insights gained from our analysis will inform the next phase of our research, in which we aim to develop a comprehensive DPIA methodology that will enable data processors and data controllers to identify, analyse and mitigate privacy and data protection risks when storing and processing data involving Big Data Analytics.

Context Big Data Analytics is a rapidly emerging IT practice whose applications offer benefits for a wide variety of business areas across an organisation. Given the wide scope of applications, the many types of processing involved, including those for purposes not yet foreseen, and the inherent privacy concerns resulting from collecting and storing personal data, the newly introduced General Data Protection Regulation (GDPR) poses specific challenges for safeguarding the security and protection of big data. These challenges are not limited to the IT function but extend across the entire organisation. This raises the question whether Enterprise Architecture Management (EAM), as an approach for ensuring the coherence, strategic alignment and focus on value creation of all organisational resources, offers guidance for addressing those challenges in a holistic manner, and thus provides a fruitful ground for developing an approach for complying to GDPR requirements in a Big Data context. Objective This study surveys the state-of-the-art in research on security, privacy, and protection of big data. The focus is on investigating which specific issues and challenges have been identified and whether these have been linked to GDPR requirements. Further, it examines whether previous research has investigated the potential of EAM in addressing those challenges and what the main findings of those studies are. Method We used Systematic Mapping Review (SMR), which is a methodology for literature review aimed at surveying the state-of-the-art in a research field as it is documented in the scientific literature. Further, we used Template Analysis, which is a thematic analysis technique, for coding the texts of the selected papers, classifying the research studies, and interpreting the different themes addressed in the literature. Supplementary Information The online version of this article (https ://doi.org/10.1007/s1025 7-020-00500-5) contains supplementary material, which is available to authorized users. Results Our study indicates that only few researchers have explored the use of EAM practices in relation to data security and protection in a Big Data context. We further identified seven trends within the areas under consideration that could be subjects for further research. Conclusions Our study does not invalidate the potential of EAM to help addressing GDPR requirements in a Big Data context. However, how EAM practices may contribute to risk management and data governance in environments where big data are being processed, is still a huge research gap, which we intend to address in our future research.