Firstly and most importantly, how much damage has been done to the Instagram brand?
This approach is key to ensuring your reputation is protected as far as possible. Even then, you might misread the mood of commentators and your customers/users (this may have been the case with Instagram), but at least you will be well-prepared.
Secondly, were Instagram transparent enough?
This issue divides up into a couple of separate points: transparency in the actual changes made, and transparency about the fact that changes are being made.
Instagram were pulled up in part because their revisions were not clear, and could be argued to be very broad indeed, prompting user concerns. They backed away from such wide interpretations quite quickly, but the damage had been done. The lesson here is unquestionably that clarity is the best policy. If you want broad rights, write them in, but expect users to think the worst; otherwise be specific and explicit about what you want to be able to do with personal data, and then set about managing expectations around why you want to be able to use the data in that way. One trend in the latter area is to talk about how "free" or cheap services are sustained; there is growing chatter (and acceptance?) in the world of the web that "free" just means "no charges" and does not actually mean completely free, and you may wish to consider adding your voice to this movement.
There are also key decisions to be made in how you flag up changes. If you are an EU-based organisation, technically you need customer/user consent to any such change where new or materially changed usage of personal data is envisaged. How are you going to get this consent? Just via changed T&Cs and implied consent from further usage? This was the method Instagram tried, backed up with some blog entries, but it arguably came over as a flimsy approach. A better solution might be to use temporary calls to action, notices etc. on your site and a short email campaign, so that you look like you are being very transparent. Transparency encourages positive brand perception, and can come to your aid even if the actual change is unpopular; you don't want to get caught out with a change that looks like a sneaky, back-door exercise.
If you are an EU-based organisation, and the personal data you collect is sensitive, the position is more difficult still. Consent to such a change in use has to be "explicit" - e.g. tick box consent - with a fall-back position for those who do not consent. How would this be managed? (Note that the draft EU General Data Protection Regulation will make this position the default one if it becomes law.)
Overall, it is worth keeping Instagram in mind going forward as an example of the potential pitfalls that exist when approaching a change in personal data usage.