Carey Lening

InfoSec & Risk Consultant

About Carey

Carey Lening, CIPP-E, CIPP-US, works for Castlebridge as an information security and risk consultant. She has over 20 years of progressive experience assessing risks and enabling top-tier data security and data protection for industry leaders like Facebook, Palantir and numerous Fortune 500 companies. Her cross-functional and cross-domain knowledge makes her equally comfortable discussing the legal nuances of data protection with lawyers, hashing out technical and operational security controls with engineers and information security professionals, doing a risk audit, and providing a high-level overview to the C-Suite.


Carey earned a Bachelor’s degree from the University of California, Irvine, and her JD from the University of New Hampshire School of Law. As a former attorney, Carey focused on the legal and policy issues surrounding computer & data security and privacy law. Carey has written and lectured extensively on best practices in cybersecurity and data protection, with a particular interest in emerging threats, risk mitigation, and how to make sense of it all.


Carey consumes far too much coffee, and has a strong appreciation for cats, homebrewing, and travel.  





Blog Posts by Carey

Lately, I've been thinking a lot about language.

As a former (recovering) attorney, I spent many a day poring over contracts, writing policies, and explaining how the law interprets a given word or phrase to my clients. Lawyers spend their careers arguing over language -- working with words to create beneficial outcomes for their clients, whether in a contract, or in front of a court. But here's the thing: for all our skill with parsing words

It’s been a busy few months in the world of data protection. Since our last Advisory Note, the DPC has been issuing fines and judgments in a number of cases including:

Limerick City and County Council – The CCC’s use of CCTV was unlawful, excessive, lacked legal basis for processing and failed to ensure that numerous technical and organisational measures were in place. The DPC imposed a €110,000 fine and a reprimand, and ordered the

A few days ago, I came across a fascinating YouTube video and interview between Tim Dodd, of the Everyday Astronaut, and Elon Musk.

The interview explored a number of interesting ideas (including the manufacturing and design process of SpaceX and its various rockets). One interesting nugget to me was the discussion of Musk’s wider engineering philosophy, which easily applies to incorporating the data protection principles of Article 5, and Article 25’s Data Protection by Design and Default

Technical and Organisational Measures (TOMs) for the handling of data are key to Data Governance and Data Protection. On 20 Aug 2021[1], the DPC issued a decision (DPC Case Ref: IN-20-7-1) against the charity MOVE Ireland, imposing a reprimand, a fine of €1,500, and demanding various corrective actions, after detailing numerous failings on the part of the charity concerning Articles 5(1)(f) and 32(1) GDPR as it pertained to ensuring integrity and confidentiality of data, and

Recently, I advised a Castlebridge client, an animal welfare charity, that our furry, four-legged friends, as adorable and cute as they are, do not have data protection rights under the GDPR. That’s because the GDPR (and fundamental rights in the EU generally), only apply to natural persons -- aka, living human beings.[1]

All was right and well in the world, and I thought, surely, it was understood that animals don’t generally have data protection or privacy

Oftentimes, I find myself staring at Excel, slaving away on some menial data entry task. A thought pops into my mind -- “I should really automate this thing, because this is hell, and if I write a little script, it’ll go so much faster!” With the excitement of someone whose programming skills rate only slightly above the skill of copy-and-pasting directly from Stackoverflow, I confidently march upstairs to seek the wise counsel of my husband

[This is a guest post by our Associate Consultant Carey Lening. In it she discusses the Department of Commerce's rosy view of privacy in the post-Schrems world. It highlights the need for Data Controllers to adopt a "trust but verify" posture on Standard Contractual Clauses and poses some questions regarding the 'on the ground' practicalities of the Dept of Commerce's position.]
The Department of Commerce's Rosy View and Reality
Late last month, the US Department of Commerce