What Meta's GDPR Fine Can Teach CISOs About Data Protection

The Irish Data Protection Commission (DPC), Ireland's supervisory authority for upholding the General Data Protection Regulation (GDPR), recently fined Meta $403 million for allowing users aged 13 to 17 to operate business accounts on Instagram. Under Instagram's sign-up process, business accounts publicly displayed phone numbers and email addresses, exposing minors' personal information online. The fine is the second-largest under the GDPR, following Amazon's $888 million fine in July 2021.

While most businesses do not process minors' information, the DPC's decision demonstrates that regulators are interpreting data protection regulations much more broadly, to the point where a poorly designed sign-up process with lax default privacy settings can result in serious legal consequences. The Meta decision emphasizes that regulatory burdens on data collection and processing are increasing, leaving companies less margin for error at every stage, from data entry to data analysis. Lack of transparency or errors at any stage of this process can result in crippling fines, not just under the GDPR but also under emerging regulations such as the California Consumer Privacy Act (CCPA), under which online retailer Sephora was recently fined $1.2 million.

The constantly changing regulatory landscape calls for organizations to develop better-optimized data protection practices. Organizations cannot afford to rely only on consent forms and privacy policies to ensure compliance. Modern data protection regulations require enterprises to protect confidential information and to give users transparency into how their data is shared and processed. According to Mohit Tiwari, cofounder and CEO of Symmetry Systems, under regulatory frameworks such as the GDPR organizations must be transparent about how they collect customer data, maintaining complete awareness of where it is stored, how it can be accessed, how it is used, and how it is kept secure.

Regular auditing and privacy impact assessments are critical tools for organizations to assess their data security posture, and should be used continuously to ensure long-term compliance. This article continues to discuss what CISOs should learn from Meta's recent GDPR fine.

VB reports "Meta's GDPR Fine Can Teach CISOs About Data Protection"
