What Meta’s GDPR fine can teach CISOs about data protection
Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
Earlier this week, Meta was fined €405 million ($403 million) by the Irish Data Protection Commission (DPC), Ireland’s supervisory authority for upholding the General Data Protection Regulation (GDPR), for letting users between 13 and 17 operate business accounts on Instagram.
Under Instagram’s sign-up process, business accounts have publicly exposed phone numbers and email addresses, leaving the personal data of minors exposed online.
The fine is the second largest under the GDPR, following $888 million charged to Amazon in July 2021, and comes shortly after the DPC fined the organization $16.9 million in March 2022.
While most enterprises don’t process the information of minors, the DPC’s decision highlights that data protection regulations are being interpreted much more broadly by regulators to the point where a poorly optimized sign-up process with loose privacy settings can trigger serious legal repercussions.
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
Organizations can’t wing data protection
At a high level, the Meta decision highlights that the regulatory burdens on collecting and processing data are expanding to the point where companies have less margin for error when collecting and processing data, from entering the data to analyzing it.
Lack of transparency or blunders at any stage of this process can lead to devastating fines — not just under the GDPR, but also emerging regulations like the California Consumer Privacy Act (CCPA), which recently handed out a fine of $1.2 million to online retailer Sephora.
Due to fast movement in the regulatory landscape, enterprises are forced to implement new controls at speed to protect customer data.
Research shows that 49% of compliance professionals report that regulatory change has had an adverse impact on their compliance function’s ability to perform its role.
In a regulatory landscape that’s continually evolving, organizations need to develop much more optimized data protection practices and can’t afford to rely on consent forms and privacy policies to guarantee compliance.
“Society cares deeply about how their data is used by software services, in particular the personal information of children.” said Mohit Tiwari, cofounder and CEO at Symmetry Systems.
“Individuals may not have the knowledge or, in most cases, time to sufficiently inform complex privacy settings that aren’t set by default. Hence, we have pushed for stronger compliance protections. This case is yet another example which demonstrates that companies are now being held responsible for securing personal information at point of data entry,” Tiwari said.
The writing on the wall for CISOs
Modern data protection regulations not only expect enterprises to protect confidential information, but also to offer users transparency over how their data is shared and processed.
Tiwari explained that under regulatory frameworks like the GDPR, organizations need to be transparent about how they collect customer information, maintaining complete awareness of where it’s stored, how it can be accessed, how it is used and how it is kept secure.
As a consequence, regular auditing and privacy impact assessments are critical tools that organizations have at their disposal to assess their data security posture, and should be applied continuously to ensure compliance long term.
Reevaluating the balance of power
Enterprises need to attempt to redress the balance of power between themselves and consumers. In practice, this means giving users greater control over how their data is used and processed.
“When it comes to data, particularly personal information, the relationship that exists today between consumers and organizations is deeply asymmetrical. That’s because virtual all the power over its collection, use, and access resides with developers and the owners of applications,” said director of operations for the Data Collaboration Alliance, Chris McLellan.
Going forward, McLellan recommends we accelerate the use of frameworks like Zero-Copy Integration and encourage developers to adopt technologies like data ware and block china to minimize data and reduce copies so that it can be controlled by the rightful owner.
Under a zero-copy integration approach, developers would decouple data from apps and set access controls at the data-level rather than app-by-app.
The idea is to eliminate the risks of sharing data between data silos like databases, data warehouses, data lakes and spreadsheets and give users more visibility over their data.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.