Big data often involves the gathering of large volumes of data that may contain users' personal information. Companies such as Facebook and Google have flourished on analyzing individual information to target ads and perform other types of marketing. This evidently poses an ethical dilemma. To what extent should personal data be collected? And how much is too much? There are, of course, no correct answers to these questions. The rise of hacking in which information from hundreds of millions of user accounts has been compromised is so commonplace today that we have almost become complacent about the consequences.

In October 2017, Yahoo! disclosed that 3 billion accounts, in fact every single account on Yahoo!, had suffered a data breach. Equifax, one of the largest credit reporting companies in the US suffered a data breach that exposed the personal details of more than 140 million consumers. There were scores of other similar incidents, and in all of them, the common denominator was that all the companies collected some level of users' personal information, whether directly or via third parties.

In essence, whenever user-related information is involved, it begets the implementation of suitable IT security in order to ensure that the data does not get compromised. The repercussions are not limited to only the loss of data, but collateral damage due to impact on reputation and goodwill, apart from the primary fact that real people are involved whose data has been compromised.

Thus, the security of big data, whenever it involves sensitive information and/or any personal information, becomes critically important. Cloud providers, such as AWS and Azure, have gained traction partly due to the fact that they have very stringent standards of security as well as certifications that allow organizations to offload the responsibility to a trusted and formidable entity.

The EU GDPR (General Data Privacy Regulation), effective May 2018, is an excellent step toward securing the personal data of its citizens. In a nutshell, the GDPR regulates the use of any personal data. In this context, the term any is extremely broad, including even the very name of an individual. Violators of the rule will be fined up to 20 million euro, or 4 percent of the global turnover of the defaulting organization.

While this will evidently reduce the availability of Big Data datasets, especially those that relate to individual data, it may also stir a debate and perhaps innovations on how data can be put to best use within the constraints, that is, getting value from data without using personal information.

On the other hand, countries such as the US have been relaxing laws around the collection of personal data. In early 2017, the US removed privacy protections around collection of personal information by internet service providers and in fact made it legal for ISPs such as AT&T to not only collect but also sell users' browsing and app data.