Aoifinn Devitt: This series is brought to you with the kind support of Evershed Sutherland. As a global top 10 law firm, Evershed Sutherland provides legal services to a global client base. With more than 3,000 lawyers, the firm operates in over 70 offices in more than 30 countries across Africa, Asia, Europe, the Middle East, and the United States. The firm recognizes that having diverse talent across its business brings many benefits. It is committed to accessing a wide range of views, perspectives, and thinking in all of its teams, and in this way is building a culture of inclusion where each person feels able to be their true self at work and reach their full potential. Diversity and inclusion is fundamental to the firm’s purpose of helping their clients, their people, and their communities to thrive, and inclusive is one of its 5 values. Our next guest specializes in privacy law and data protection. Find out why trust is the new gold when it comes to consumers’ relationships with brands and how changes in this fast-paced area can be compatible with the rapid innovation in the tech space. I’m Aoifinn Devitt, and welcome to this 50 Faces focus series, which showcases the richness and diversity of inspiring people in the law. I’m joined today by Kate Colleary, who is Chairperson of Strand Advisory, a consulting firm focused on privacy and data protection, and the Director at Pembroke Privacy, a data protection consulting practice, a firm she established in 2019 to assist organisations and their data protection officers achieve compliance with privacy laws. She’s the country leader of the International Association of Privacy Professionals as well as a practicing solicitor. Welcome, Kate. Thanks for joining me today.
Kate Colleary: Thanks, Aoifinn, and I’m absolutely delighted to be here.
Aoifinn Devitt: Well, let’s start by talking about your background, your career journey. Of course, that did overlap a little for us, at least the college background. And how did you first get interested in law and this particular field?
Kate Colleary: Yeah, I grew up in Dublin, and as you know, yes, we went to Trinity College where I studied law from ’91 to ’95, you and I both. And I guess I got into law as a career choice, or even pre-career as a college choice, because I was very interested in debating in school. And my Irish debating teacher at the time said, you must do law. So I thought, well, then I will. And I did. So I studied law. And then once I finished up in Trinity, I trained in a law firm called Iver Fitzpatrick and Company. It was a very political media firm. So very exciting for me as a young trainee working with politicians, media professionals. And then I really enjoyed litigation. So then I moved— once I qualified, I moved to Matheson, which is a large firm here in Dublin specializing in IP and media litigation. I loved court work, and then I was there for 6 years. I then moved to another firm called Evershed Sutherland, which is a global law firm, and I ultimately headed up the intellectual property and data protection practice there. And I was there for 9 years, and then I set up my own firm in 2015, and very quickly within my own firm then specialized in data protection, as I had done for many years. But it suddenly really, I guess it just took over. So we really started only doing data protection work very, very quickly in that firm.
Aoifinn Devitt: How about the decision to set up your own firm? Can you talk us through that and how it’s gone so far?
Kate Colleary: Yeah, I guess my background was always litigation, whether it was IP or media or an element of insurance litigation as well. So There was a bit of a surprising turn, I guess, which ended up having a huge impact on my career. I was developing the data protection practice. It wasn’t a focus of mine, so I took over the team, the data protection team, without really having had that as a goal or anything. And once I had worked in that area for a number of years, I realized that I was really passionate about not just providing legal advice on data protection law, but also really becoming embedded with clients and trying to work with them in a very practical way, not just to advise them, but to actually do some of the work for them in-house. And there is this specter at the time of this pan-European regulation that was going to apply to personal data. We already had a directive, but that wasn’t very harmonized, a piecemeal approach throughout Europe. So there’s this idea of this big regulation that was going to come in and change everything. It was clear then that clients needed practical help, not just being told, yes, here’s a 10-page memo on what this regulation, the GDPR, General Data Protection Regulation, is going to do, but actually say, okay, this is what it says, this is what it means for your organization in practice, and let us help you. Let us help you draft your policies. Let us help you train your staff. Let us help you look at what needs to be put in place to comply with it in a really practical way. And that’s what really encouraged me to leave corporate law, which was such a surprise for me because I was always in my mind, I had always seen myself working in large corporate practices as I had done all my career. But that really, it sparked something in me that I really thought, this is an opportunity and something I would like to do to value my independence as well. And that’s what I did. Yeah, I set up a data protection consulting practice. Our motto is to make the complex clear because we have a very complex regulatory framework that applies in So how do we take what is complex and make it clear for each organization that we work with? And we’ve been very lucky that practice has grown year on year. So yeah, we just do data protection nowadays. That’s all we’re doing.
Aoifinn Devitt: Well, that’s a very noble aspiration that I would certainly commend, making the complex clear. It’s certainly in this area there seems to be an ever-increasing burden perhaps. Can you talk us through, I know that we could do a whole podcast series dedicated to the field of data protection, but maybe in terms of what excites you most about this area today and the advances that you’re seeing on the horizon?
Kate Colleary: Yeah, I was reflecting on this recently, and when we were in college, I loved family law. And I was looking back, and I never practiced in family law as a solicitor, as a lawyer, but I realized that I think what I loved about family law was that at the time in Ireland when we were studying, it was rapidly changing. There was political changes, there was legislative changes, and practitioners had to get up to speed with these new laws. And it was really an area of intense media speculation, media interest, and change in the law. And I think that’s what really ignited a passion in me at the time for family law. But as I said, I’d never worked in family law in practice. But I think it’s the same sort of thing with data protection. I think it’s maybe that is what excites me, what gets me interested in an area of law. It’s that idea that it is a rapidly changing area of law. It’s almost a new frontier. And What I love doing with it is working with clients to create better products and services, to create better privacy outcomes for data subjects or human beings who are the subjects of the data. And one thing that I really love doing, which is a real indicator of my nerdish mentality, is I love these things called data protection impact assessments. And what they are, they’re a mandatory requirement under GDPR for high-risk processing activity. But the idea is that they’re a risk assessment. So if you want to do something new and innovative, or if you just want to use a new technology, this is a way— it’s like a project management tool that enables you to assess the risks to that processing into the future through the lens of a data subject, through the lens of a human being, and work out how do we make this better. So we want to use maybe, I don’t know, an outsourced payroll service provider. Well, let’s have a look at the technology and what could we put in place? What controls or technical or organizational measures could we put in place to make sure that whatever it is that we want to do, that it’s going to be, A, compliant with the law, which of course is essential, but B, is going to ensure that our customers have trust in us, or in the example I’ve given, our employees have trust in what we’re doing with their data. And I love the DPiA example because it’s looking at a very technical piece of law and it’s working through the requirements in practice. You’re matching your processing activity to the legal requirements. And that to me is really exciting. I love doing that. And it’s— I suppose it also gives us access to these new technologies, innovative ideas, innovative products and services. And we work with clients then to try and not be a blocker to innovation, but actually to say, how do we use this and make it work better and make it to ensure that there are better outcomes for people, for data subjects at the end of the day? And again, to make it clear practical and really useful to people.
Aoifinn Devitt: And that’s a fascinating area because I was just about to ask about the tension between this regulation and innovation, in that I read a recent statistic that was 20-25% of apps have been taken down as a result of GDPR because they simply weren’t compatible with the requirements there, that it can stifle innovation in some ways. And you could argue that’s a trade-off that’s necessary. How do you see what this means for the large tech companies and for innovation going forward, in particular social media?
Kate Colleary: I don’t think it necessarily has to be a blocker to innovation at all. I think it’s about a balance, and I think the GDPR is a risk-based framework, so we’re always looking at risks and we’re balancing rights of data subjects and how do we make this work, but work in a way that protects data subjects’ privacy rights. And I would argue that if apps have been removed from app stores, I would ask what were they doing with data that was meant that they weren’t able to comply because in fact, the GDPR really is a baseline. It isn’t overly prescriptive in any way, really, because it is risk-based. So that would beg the question why so many apps perhaps were doing stuff with data that either they weren’t being transparent about or it was problematic in some way. So again, I think it’s a risk-based approach. It can be quite subjective as well. I don’t necessarily think it’s an innovation blocker. I think it’s more of an innovation balancer. It’s about working out how do we do what it is that we want to do with this innovative product or service and also take into account people’s privacy rights. But that isn’t just about a compliance thing. That’s also about feeding into trust. And I was at a conference last week where the regulator from Croatia was speaking and he was saying trust is the new gold for customers. So if you are able to build trust with your customers in your brand, and by that I mean not just by having good products and services, but also having good data management practices that are compliant with the law wherever you’re based, that’s going to build up that customer trust and customer loyalty. I don’t think it’s necessarily an innovation blocker. I think it’s not necessarily an enabler either, but it’s just something that has to be built into products and services and balanced so that it results in a better service, that results in better outcomes for the human beings whose data it is that we want to process.
Aoifinn Devitt: Well, that’s fascinating. Trust is the new gold. I’ve also heard that data is new oil. So I think we’re certainly awash in one and perhaps not so much awash in the other, in the trust. When you look across the world at, say, advances in the EU versus the US, how would you rank both of those regions? And maybe we can also look at other regions too in terms of advancement in this area.
Kate Colleary: Yes, a part of what we do is we offer outsourced DPO services, and as a DPO, it’s a data protection officer. It’s a mandatory requirement in some cases in Europe, but it’s a global role as well. So we’re looking at maybe taking the GDPR as a baseline and then matching it with other local jurisdictional requirements. In the US, we’re seeing an increase in interest in developing a federal privacy law that’s been on the cards for many decades at this point. It’s being discussed, it’s gathering momentum. I probably wouldn’t lay a bet that it will happen in the next 3 years, maybe 5. What we’re now seeing is an increasing number of US states develop their own privacy laws. You’re probably aware of the CCPA in California. We’re seeing privacy acts in Colorado, Virginia, and Utah. And then there are other privacy bills coming through in other states in the US. So what I think will happen in the US is that in, if few years’ time, once you have even more of these states with their own local laws that apply, they will experience the same problems that we did in Europe under our 1995 Data Protection Directive, which was a lack of a harmonized approach, which is a blocker in terms of the transfers of data locally, in terms of business, that you’ll have one set of rules that apply in Virginia, a different set of rules that apply in Louisiana, a different set of rules that apply in Alaska. That is going to be an inhibitor from a business perspective. And that will, I would imagine, ultimately result in a call for a more harmonized approach, as it did in Europe a number of years ago, which ultimately resulted in the GDPR.
Aoifinn Devitt: And just in terms of the cost burden, you mentioned the complexity and clearly looks like the burden is not likely to end. You mentioned the outsourced service you provide. How is this evolving for companies and how do you think it will continue? To evolve the cost?
Kate Colleary: Yeah, I mean, there are baseline requirements across all organizations, but how they are applied will depend on the size of the company. It depends on the type of the data, the sensitivity of it, the number of people whose data is being processed. And again, I was speaking at this conference last week. It was a joint conference between the Irish Data Protection Commission and the Croatian Data Protection Commission, and it was focused on SMEs because there was you know, there’s an understanding of this burden that is perhaps unfair on smaller enterprises and perhaps an inhibitor of competition as well, and new entrants into marketplaces. So there are resources being given today to SMEs, to small and medium enterprises, to help them build compliance programs and trying to train them, trying to give them template documents to help because, you know, there is a recognition, as you say, there is this cost burden that has to be borne. But it is, I suppose, a way of doing a way of building trust with your customers. Nowadays, if you’re a small business and you’re trying to gain customers who are perhaps large tech companies themselves or financial institutions, etc., you’re not going to get a contract with those organizations if you’re not able to give some assurances around security, data protection, and privacy obligations. So it is now just a cost of doing business.
Aoifinn Devitt: And in terms of the attractiveness of this area, because it’s so fast-paced, as you mentioned, and certainly privacy seems to be attracting a lot more attention in the legal field, what advice would you give to a young student looking to work in that field? What would you say they should study? Where should they gain experience?
Kate Colleary: I would certainly suggest grabbing every opportunity you can in terms of internships, because there’s nothing quite like having hands-on experience, and lots of organizations offer really interesting internships. So how do you identify those? Well, get in involved in those representative organizations. And I’m the country leader for Ireland of the IAPP, the International Association of Privacy Professionals. And that’s one organization that really supports young people coming through in the profession because we’ve gone from a membership of, say, 7,000 to 10,000 globally to 75,000 in under 5 years. One of the reasons for that, I suppose, is the mandatory requirement to appoint a DPO in the EU. So there is— it’s a burgeoning area. It’s an emerging area. A new profession, if you will. So for young people coming through, my gosh, there’s so many opportunities for them. We are crying out for people with an interest in this area. And what we see is we see people from legal backgrounds, from tech backgrounds, from compliance backgrounds, and then they maybe specialize in data protection through a master’s program or indeed through doing professional certifications like the IAPPs. CIPPE or CIPM. So they do these professional credentials that demonstrate they have a very basic sort of fundamental understanding of data protection law. But if you’re interested in a rapidly changing area of law involving innovation, involving new technologies, that’s good fun, well then it’s definitely for you. So I would suggest looking into it, looking at the IPP, looking at maybe the Future of Privacy Forum as well, Meet people, engage with people, be curious, and be positive as well. Have a, you know, a can-do attitude. If you do get a chance to have an internship, be that person that puts your hand up and says, ‘Yes, I’d love to do that. I’d love to get more experience in that area.’.
Aoifinn Devitt: Well, that’s some great advice, and I’ll put some links to those organizations in the show notes here. So now, just looking at diversity in the profession, even when we went to law school, our law class was at least 50% women. So it was well represented. How would you assess the practice of law now and its diversity, not only by gender but also by ethnicity?
Kate Colleary: I think it still has a long way to go. I think the legal profession is much further behind than other professions. I know that the published metrics would appear to show some progress, but I think if we start looking behind the titles of, say, partner, etc., I would like to know how many equity partners are from diverse backgrounds. I’m not even looking at this from a gender perspective across the board. How many equity partners are there from different backgrounds? What we have in Ireland, you see again and again, is a group of people who all went to the same single gender school as equity partners and very few others. So it really is not representative of the population. It’s unfortunate, but I think we do need to not just grant people titles, but actually look at who’s making decisions in the organization. So how diverse is the makeup of the executive board? How many equity partners are women? How many are from diverse backgrounds? So I think it still has a long way to go. Data protection is interesting, though, because that’s an outlier. So we see perhaps a majority of women leaders in the data protection sphere. So that is a bit of an outlier when it comes to both within the legal sector and also data protection consulting. Yeah, there’s quite a few very high-profile women leaders in that area, which is great to see.
Aoifinn Devitt: And it’s interesting, it’s probably no coincidence that it’s a very new and fast-paced area. So therefore, it’s not so much about what legacy learning you bring to the table, but your ability to learn on the fly and to evolve with the profession is probably, probably no coincidence in terms of being an entrepreneur and a business owner. Because that also can have challenges for women, especially when it comes to, to breaking into the field. Did you have any particular challenges around that?
Kate Colleary: I mean, I’ve been in practice as a lawyer since I qualified in 1999, so we’ve come such a huge way. And my personal experience, I’ve seen where I first trained, women weren’t allowed to wear trousers. That’s definitely putting me in an age bracket. And there was one firm I worked in at one point where women weren’t made partners, they consultants at a certain stage when they became relatively senior. So things have definitely moved on from there. I think there’s probably less overt problematic behavior, discriminatory conduct, etc. I don’t think it’s gone away, though. I think perhaps, you know, there are still issues there that need to be dealt with. As a business owner, it’s interesting. You’ll click with some people, you don’t with others. And I think We have a rule in our team that we won’t work with people or organizations that are abusive, that aren’t nice to work with. And that’s the benefit, I guess, of running my own business, that the team know that they can talk to me and we can work out, well, is this person’s behavior causing difficulties? And we won’t work with organizations sometimes on that basis. In terms of our own team, we are female-led and female-heavy, and that’s something I’m aware of. Constantly looking to balance that because I think it is important to have different viewpoints and different people from different backgrounds result in different experience which they bring to the table, which I think, and has been proven in the metrics, to result in better outcomes. So organizations with more diverse boards perform better. So that’s something that we’re very keen on, on making sure that we always have a diverse background. We’re not just— and we are a global organization, so we have members in, you know, from a Strand perspective, it’s a consulting practice that we’re made up of Pembroke Privacy in Ireland, but then we also work with teams in Israel, California, Italy, Germany, etc. So it’s something that is a positive. I think that if we can have a real melting pot of opinions, we’re going to come up with better ideas.
Aoifinn Devitt: And that is, of course, the beauty of running your own business. You can set your rules, set your own rules and your parameters. So that’s great to see. So let’s go back to some personal reflections now. So we’ve spoken about your career and the various different places you’ve spent it. Were there any high or low points there that you can share in particular?
Kate Colleary: Yeah, certainly as a high point of my career, a few years after I set up practice, I was approached by the IAPP. And as a young privacy lawyer, the IAPP is the go-to place. It’s the representative body for privacy professionals. And they approached me and asked me to be their country leader for Ireland. And frankly, I mean, I just couldn’t believe it. I really couldn’t. For me, you know, it really was the pinnacle of my career where my peers, as I had seen them, and people I really looked up to, they asked whether I would take on that role. And they appointed us at a conference. There was myself, there was a French country leader, UK, Netherlands, Germany, and at the time— and we have more country leaders now— but those of us who were appointed at that moment, it was this huge conference and big kind of music and lights, and it was this gigantic 4,000 privacy professionals in this place in Washington, D.C. That’ll always stick with me as being a very special moment in my career, and perhaps all the sweeter for having occurred where I had set up my own practice. And a big surprise, I have to say. As I said, I actually didn’t even believe it when they phoned me and were asking whether I would do it. To balance that with some lows, I guess when I left, you know, big corporate law firms, that’s always going to be a stressor, leaving what you know. And I had always worked in large corporate organizations all my life, and that environment, I really liked that environment. I liked the working with other people. I liked the support that you have in that environment. And I really I worried. Worried, you know, whether would clients come to a boutique, a specialist place? How are we going to deliver the same excellence of service without those supports, without the marketing team, without the accounting team or the IT team? And I think you psychologically, know, closing one chapter is always difficult, but I’m a resilient person. So, you know, I worked my butt off and I’m very fortunate to have had the training I’ve had in my career from Trinity all all the way through the Law Society and, and the various certifications and diplomas I’ve done since then. And that really stood to me and it helped me develop the practice. And I’ve been hugely lucky, I really have. So while that was a low at the time, now looking back, it was the best thing that ever happened.
Aoifinn Devitt: It’s certainly daunting to get outside the comfort zone and certainly to cast off the safety nets of a large firm, but you seem to have thrived. And you mentioned training— were there any key people throughout your career or in life in general? Who made an impression on you, maybe a mentor or just somebody whose knowledge you have really benefited from?
Kate Colleary: Yeah, I mean, there’s been so many people. I really have been so fortunate career-wise. I’ve worked with— there’s a, you know, financial controller who took me under his wing and sort of explained the business of law, which isn’t something that you’re really taught in law school. You’re taught how to balance account books and things, but you’re not really taught about the business of law and how to make it successful. And I, you know, I really appreciated that. And the same There was a marketing team as well. People in there really taught me how to go out there and look for clients and, you know, all of that sort of stuff. But I guess from a personal perspective, my mum and my grandmother both were very strong women. Both were teachers. My mum also wrote home economics textbooks. And at the time, you know, in the 1980s in Ireland, they were revolutionary in how they communicated information in a sort of an entertaining, practical, understandable way. So I was lucky. I had a strong history of strong women behind me. And both mum and granny were feminists, absolutely, who believed in equality. They were very politically interested, so there was always discussions about politics at the dinner table. And I guess one of the defining moments then was both my parents died, actually, where they were very young, they were in their 50s, I was maybe 24, and I was still living at home. So the outcome of that, I think, for me, on a personality perspective, is I’ve always seized the day, you know, I’ve always had this insatiable need to live life as fully as possible. And particularly around travel. I love travel, and I think it was my mum, she was afraid of flying all of her life, and it was only where she got diagnosed with cancer that she found it within herself to get on some planes and to go and to travel. But unfortunately, you know, that was curtailed by treatment, so she wasn’t able to experience some of the amazing places that I’ve been very lucky to travel to. And I think that’s perhaps another reason why I really appreciate the work that I do and the role that I have with IAPP. I’m able to travel almost anywhere in the world and be welcomed by a network of privacy professionals. You know, it’s like a large family, and it’s one that I’m terribly proud and grateful to be a member of.
Aoifinn Devitt: Well, that’s wonderful, and particularly that you mentioned your mother, because Deirdre Madden’s All About Home Economics, I think, is the tome that all of us— not just my generation, our generation— but many generations have referred to and continue to refer back to for the scrambled egg recipe, among others. So I’ll definitely put a link to that in the notes as well. And thank you for those reflections. My final question is around any advice, a key piece of advice or a creed or motto that you live by that you can share.
Kate Colleary: I don’t think there’s anything necessarily formal, but I really firmly believe that in order to succeed, whatever it is we want to do, if it’s in a relationship, career, finance, health, we can achieve our goals if we identify why we want to do whatever it is, and that why is strong enough and we have a plan, and then we take massive action to action that plan and to take steps towards it. And I love that phrase or that saying from Samuel Beckett, a very well-known Irish writer: ever tried, ever failed, no matter, try again, fail again, fail better. And I love that idea that I don’t believe in failure. You know, if you make a mistake, if something goes wrong, you learn from it and then you improve on it. I think that’s maybe a way of looking at life that makes it, you know, back to innovation, that assists innovation, that idea that you’re constantly evolving, constantly improving. But I guess, yeah, I think I mentioned my curiosity and my love of travel. So I think probably my abiding motto is, you know, don’t die wondering. I think go experience everything, you know, everything that life has to offer because life is short. So, so that would be, I think, my driver.
Aoifinn Devitt: Well, that’s a wonderful place to end this. I have so enjoyed, Kate, watching your career and your star rise through LinkedIn mostly, as we now live in different countries. But I can’t think of a better person to be at the helm of this fast-paced area of technology and privacy that is affecting all of our lives, perhaps in ways that we don’t even know yet. So thank you for staying on the cutting edge of that and for blending it with the commercialism that I think is key to getting it through and to getting it accepted more generally. So thank you for sharing your insights with us.
Kate Colleary: Thank you so much, Aoifinn, and I’ve really enjoyed talking.
Aoifinn Devitt: I’m Aoifinn Devitt. Thank you for listening to our 50 Faces Focus Series. If you liked what you heard and would like to tune in to hear more inspiring lawyers and their stories, please subscribe on Apple Podcasts, wherever you get your podcasts. This podcast is for information only and should not be considered construed as investment or legal advice. All views are personal and should not be attributed to the organizations of the host or any guest.
Aoifinn Devitt: This series is brought to you with the kind support of Evershed Sutherland. As a global top 10 law firm, Evershed Sutherland provides legal services to a global client base. With more than 3,000 lawyers, the firm operates in over 70 offices in more than 30 countries across Africa, Asia, Europe, the Middle East, and the United States. The firm recognizes that having diverse talent across its business brings many benefits. It is committed to accessing a wide range of views, perspectives, and thinking in all of its teams, and in this way is building a culture of inclusion where each person feels able to be their true self at work and reach their full potential. Diversity and inclusion is fundamental to the firm’s purpose of helping their clients, their people, and their communities to thrive, and inclusive is one of its 5 values. Our next guest specializes in privacy law and data protection. Find out why trust is the new gold when it comes to consumers’ relationships with brands and how changes in this fast-paced area can be compatible with the rapid innovation in the tech space. I’m Aoifinn Devitt, and welcome to this 50 Faces focus series, which showcases the richness and diversity of inspiring people in the law. I’m joined today by Kate Colleary, who is Chairperson of Strand Advisory, a consulting firm focused on privacy and data protection, and the Director at Pembroke Privacy, a data protection consulting practice, a firm she established in 2019 to assist organisations and their data protection officers achieve compliance with privacy laws. She’s the country leader of the International Association of Privacy Professionals as well as a practicing solicitor. Welcome, Kate. Thanks for joining me today.
Kate Colleary: Thanks, Aoifinn, and I’m absolutely delighted to be here.
Aoifinn Devitt: Well, let’s start by talking about your background, your career journey. Of course, that did overlap a little for us, at least the college background. And how did you first get interested in law and this particular field?
Kate Colleary: Yeah, I grew up in Dublin, and as you know, yes, we went to Trinity College where I studied law from ’91 to ’95, you and I both. And I guess I got into law as a career choice, or even pre-career as a college choice, because I was very interested in debating in school. And my Irish debating teacher at the time said, you must do law. So I thought, well, then I will. And I did. So I studied law. And then once I finished up in Trinity, I trained in a law firm called Iver Fitzpatrick and Company. It was a very political media firm. So very exciting for me as a young trainee working with politicians, media professionals. And then I really enjoyed litigation. So then I moved— once I qualified, I moved to Matheson, which is a large firm here in Dublin specializing in IP and media litigation. I loved court work, and then I was there for 6 years. I then moved to another firm called Evershed Sutherland, which is a global law firm, and I ultimately headed up the intellectual property and data protection practice there. And I was there for 9 years, and then I set up my own firm in 2015, and very quickly within my own firm then specialized in data protection, as I had done for many years. But it suddenly really, I guess it just took over. So we really started only doing data protection work very, very quickly in that firm.
Aoifinn Devitt: How about the decision to set up your own firm? Can you talk us through that and how it’s gone so far?
Kate Colleary: Yeah, I guess my background was always litigation, whether it was IP or media or an element of insurance litigation as well. So There was a bit of a surprising turn, I guess, which ended up having a huge impact on my career. I was developing the data protection practice. It wasn’t a focus of mine, so I took over the team, the data protection team, without really having had that as a goal or anything. And once I had worked in that area for a number of years, I realized that I was really passionate about not just providing legal advice on data protection law, but also really becoming embedded with clients and trying to work with them in a very practical way, not just to advise them, but to actually do some of the work for them in-house. And there is this specter at the time of this pan-European regulation that was going to apply to personal data. We already had a directive, but that wasn’t very harmonized, a piecemeal approach throughout Europe. So there’s this idea of this big regulation that was going to come in and change everything. It was clear then that clients needed practical help, not just being told, yes, here’s a 10-page memo on what this regulation, the GDPR, General Data Protection Regulation, is going to do, but actually say, okay, this is what it says, this is what it means for your organization in practice, and let us help you. Let us help you draft your policies. Let us help you train your staff. Let us help you look at what needs to be put in place to comply with it in a really practical way. And that’s what really encouraged me to leave corporate law, which was such a surprise for me because I was always in my mind, I had always seen myself working in large corporate practices as I had done all my career. But that really, it sparked something in me that I really thought, this is an opportunity and something I would like to do to value my independence as well. And that’s what I did. Yeah, I set up a data protection consulting practice. Our motto is to make the complex clear because we have a very complex regulatory framework that applies in So how do we take what is complex and make it clear for each organization that we work with? And we’ve been very lucky that practice has grown year on year. So yeah, we just do data protection nowadays. That’s all we’re doing.
Aoifinn Devitt: Well, that’s a very noble aspiration that I would certainly commend, making the complex clear. It’s certainly in this area there seems to be an ever-increasing burden perhaps. Can you talk us through, I know that we could do a whole podcast series dedicated to the field of data protection, but maybe in terms of what excites you most about this area today and the advances that you’re seeing on the horizon?
Kate Colleary: Yeah, I was reflecting on this recently, and when we were in college, I loved family law. And I was looking back, and I never practiced in family law as a solicitor, as a lawyer, but I realized that I think what I loved about family law was that at the time in Ireland when we were studying, it was rapidly changing. There was political changes, there was legislative changes, and practitioners had to get up to speed with these new laws. And it was really an area of intense media speculation, media interest, and change in the law. And I think that’s what really ignited a passion in me at the time for family law. But as I said, I’d never worked in family law in practice. But I think it’s the same sort of thing with data protection. I think it’s maybe that is what excites me, what gets me interested in an area of law. It’s that idea that it is a rapidly changing area of law. It’s almost a new frontier. And What I love doing with it is working with clients to create better products and services, to create better privacy outcomes for data subjects or human beings who are the subjects of the data. And one thing that I really love doing, which is a real indicator of my nerdish mentality, is I love these things called data protection impact assessments. And what they are, they’re a mandatory requirement under GDPR for high-risk processing activity. But the idea is that they’re a risk assessment. So if you want to do something new and innovative, or if you just want to use a new technology, this is a way— it’s like a project management tool that enables you to assess the risks to that processing into the future through the lens of a data subject, through the lens of a human being, and work out how do we make this better. So we want to use maybe, I don’t know, an outsourced payroll service provider. Well, let’s have a look at the technology and what could we put in place? What controls or technical or organizational measures could we put in place to make sure that whatever it is that we want to do, that it’s going to be, A, compliant with the law, which of course is essential, but B, is going to ensure that our customers have trust in us, or in the example I’ve given, our employees have trust in what we’re doing with their data. And I love the DPiA example because it’s looking at a very technical piece of law and it’s working through the requirements in practice. You’re matching your processing activity to the legal requirements. And that to me is really exciting. I love doing that. And it’s— I suppose it also gives us access to these new technologies, innovative ideas, innovative products and services. And we work with clients then to try and not be a blocker to innovation, but actually to say, how do we use this and make it work better and make it to ensure that there are better outcomes for people, for data subjects at the end of the day? And again, to make it clear practical and really useful to people.
Aoifinn Devitt: And that’s a fascinating area because I was just about to ask about the tension between this regulation and innovation, in that I read a recent statistic that was 20-25% of apps have been taken down as a result of GDPR because they simply weren’t compatible with the requirements there, that it can stifle innovation in some ways. And you could argue that’s a trade-off that’s necessary. How do you see what this means for the large tech companies and for innovation going forward, in particular social media?
Kate Colleary: I don’t think it necessarily has to be a blocker to innovation at all. I think it’s about a balance, and I think the GDPR is a risk-based framework, so we’re always looking at risks and we’re balancing rights of data subjects and how do we make this work, but work in a way that protects data subjects’ privacy rights. And I would argue that if apps have been removed from app stores, I would ask what were they doing with data that was meant that they weren’t able to comply because in fact, the GDPR really is a baseline. It isn’t overly prescriptive in any way, really, because it is risk-based. So that would beg the question why so many apps perhaps were doing stuff with data that either they weren’t being transparent about or it was problematic in some way. So again, I think it’s a risk-based approach. It can be quite subjective as well. I don’t necessarily think it’s an innovation blocker. I think it’s more of an innovation balancer. It’s about working out how do we do what it is that we want to do with this innovative product or service and also take into account people’s privacy rights. But that isn’t just about a compliance thing. That’s also about feeding into trust. And I was at a conference last week where the regulator from Croatia was speaking and he was saying trust is the new gold for customers. So if you are able to build trust with your customers in your brand, and by that I mean not just by having good products and services, but also having good data management practices that are compliant with the law wherever you’re based, that’s going to build up that customer trust and customer loyalty. I don’t think it’s necessarily an innovation blocker. I think it’s not necessarily an enabler either, but it’s just something that has to be built into products and services and balanced so that it results in a better service, that results in better outcomes for the human beings whose data it is that we want to process.
Aoifinn Devitt: Well, that’s fascinating. Trust is the new gold. I’ve also heard that data is new oil. So I think we’re certainly awash in one and perhaps not so much awash in the other, in the trust. When you look across the world at, say, advances in the EU versus the US, how would you rank both of those regions? And maybe we can also look at other regions too in terms of advancement in this area.
Kate Colleary: Yes, a part of what we do is we offer outsourced DPO services, and as a DPO, it’s a data protection officer. It’s a mandatory requirement in some cases in Europe, but it’s a global role as well. So we’re looking at maybe taking the GDPR as a baseline and then matching it with other local jurisdictional requirements. In the US, we’re seeing an increase in interest in developing a federal privacy law that’s been on the cards for many decades at this point. It’s being discussed, it’s gathering momentum. I probably wouldn’t lay a bet that it will happen in the next 3 years, maybe 5. What we’re now seeing is an increasing number of US states develop their own privacy laws. You’re probably aware of the CCPA in California. We’re seeing privacy acts in Colorado, Virginia, and Utah. And then there are other privacy bills coming through in other states in the US. So what I think will happen in the US is that in, if few years’ time, once you have even more of these states with their own local laws that apply, they will experience the same problems that we did in Europe under our 1995 Data Protection Directive, which was a lack of a harmonized approach, which is a blocker in terms of the transfers of data locally, in terms of business, that you’ll have one set of rules that apply in Virginia, a different set of rules that apply in Louisiana, a different set of rules that apply in Alaska. That is going to be an inhibitor from a business perspective. And that will, I would imagine, ultimately result in a call for a more harmonized approach, as it did in Europe a number of years ago, which ultimately resulted in the GDPR.
Aoifinn Devitt: And just in terms of the cost burden, you mentioned the complexity and clearly looks like the burden is not likely to end. You mentioned the outsourced service you provide. How is this evolving for companies and how do you think it will continue? To evolve the cost?
Kate Colleary: Yeah, I mean, there are baseline requirements across all organizations, but how they are applied will depend on the size of the company. It depends on the type of the data, the sensitivity of it, the number of people whose data is being processed. And again, I was speaking at this conference last week. It was a joint conference between the Irish Data Protection Commission and the Croatian Data Protection Commission, and it was focused on SMEs because there was you know, there’s an understanding of this burden that is perhaps unfair on smaller enterprises and perhaps an inhibitor of competition as well, and new entrants into marketplaces. So there are resources being given today to SMEs, to small and medium enterprises, to help them build compliance programs and trying to train them, trying to give them template documents to help because, you know, there is a recognition, as you say, there is this cost burden that has to be borne. But it is, I suppose, a way of doing a way of building trust with your customers. Nowadays, if you’re a small business and you’re trying to gain customers who are perhaps large tech companies themselves or financial institutions, etc., you’re not going to get a contract with those organizations if you’re not able to give some assurances around security, data protection, and privacy obligations. So it is now just a cost of doing business.
Aoifinn Devitt: And in terms of the attractiveness of this area, because it’s so fast-paced, as you mentioned, and certainly privacy seems to be attracting a lot more attention in the legal field, what advice would you give to a young student looking to work in that field? What would you say they should study? Where should they gain experience?
Kate Colleary: I would certainly suggest grabbing every opportunity you can in terms of internships, because there’s nothing quite like having hands-on experience, and lots of organizations offer really interesting internships. So how do you identify those? Well, get in involved in those representative organizations. And I’m the country leader for Ireland of the IAPP, the International Association of Privacy Professionals. And that’s one organization that really supports young people coming through in the profession because we’ve gone from a membership of, say, 7,000 to 10,000 globally to 75,000 in under 5 years. One of the reasons for that, I suppose, is the mandatory requirement to appoint a DPO in the EU. So there is— it’s a burgeoning area. It’s an emerging area. A new profession, if you will. So for young people coming through, my gosh, there’s so many opportunities for them. We are crying out for people with an interest in this area. And what we see is we see people from legal backgrounds, from tech backgrounds, from compliance backgrounds, and then they maybe specialize in data protection through a master’s program or indeed through doing professional certifications like the IAPPs. CIPPE or CIPM. So they do these professional credentials that demonstrate they have a very basic sort of fundamental understanding of data protection law. But if you’re interested in a rapidly changing area of law involving innovation, involving new technologies, that’s good fun, well then it’s definitely for you. So I would suggest looking into it, looking at the IPP, looking at maybe the Future of Privacy Forum as well, Meet people, engage with people, be curious, and be positive as well. Have a, you know, a can-do attitude. If you do get a chance to have an internship, be that person that puts your hand up and says, ‘Yes, I’d love to do that. I’d love to get more experience in that area.’.
Aoifinn Devitt: Well, that’s some great advice, and I’ll put some links to those organizations in the show notes here. So now, just looking at diversity in the profession, even when we went to law school, our law class was at least 50% women. So it was well represented. How would you assess the practice of law now and its diversity, not only by gender but also by ethnicity?
Kate Colleary: I think it still has a long way to go. I think the legal profession is much further behind than other professions. I know that the published metrics would appear to show some progress, but I think if we start looking behind the titles of, say, partner, etc., I would like to know how many equity partners are from diverse backgrounds. I’m not even looking at this from a gender perspective across the board. How many equity partners are there from different backgrounds? What we have in Ireland, you see again and again, is a group of people who all went to the same single gender school as equity partners and very few others. So it really is not representative of the population. It’s unfortunate, but I think we do need to not just grant people titles, but actually look at who’s making decisions in the organization. So how diverse is the makeup of the executive board? How many equity partners are women? How many are from diverse backgrounds? So I think it still has a long way to go. Data protection is interesting, though, because that’s an outlier. So we see perhaps a majority of women leaders in the data protection sphere. So that is a bit of an outlier when it comes to both within the legal sector and also data protection consulting. Yeah, there’s quite a few very high-profile women leaders in that area, which is great to see.
Aoifinn Devitt: And it’s interesting, it’s probably no coincidence that it’s a very new and fast-paced area. So therefore, it’s not so much about what legacy learning you bring to the table, but your ability to learn on the fly and to evolve with the profession is probably, probably no coincidence in terms of being an entrepreneur and a business owner. Because that also can have challenges for women, especially when it comes to, to breaking into the field. Did you have any particular challenges around that?
Kate Colleary: I mean, I’ve been in practice as a lawyer since I qualified in 1999, so we’ve come such a huge way. And my personal experience, I’ve seen where I first trained, women weren’t allowed to wear trousers. That’s definitely putting me in an age bracket. And there was one firm I worked in at one point where women weren’t made partners, they consultants at a certain stage when they became relatively senior. So things have definitely moved on from there. I think there’s probably less overt problematic behavior, discriminatory conduct, etc. I don’t think it’s gone away, though. I think perhaps, you know, there are still issues there that need to be dealt with. As a business owner, it’s interesting. You’ll click with some people, you don’t with others. And I think We have a rule in our team that we won’t work with people or organizations that are abusive, that aren’t nice to work with. And that’s the benefit, I guess, of running my own business, that the team know that they can talk to me and we can work out, well, is this person’s behavior causing difficulties? And we won’t work with organizations sometimes on that basis. In terms of our own team, we are female-led and female-heavy, and that’s something I’m aware of. Constantly looking to balance that because I think it is important to have different viewpoints and different people from different backgrounds result in different experience which they bring to the table, which I think, and has been proven in the metrics, to result in better outcomes. So organizations with more diverse boards perform better. So that’s something that we’re very keen on, on making sure that we always have a diverse background. We’re not just— and we are a global organization, so we have members in, you know, from a Strand perspective, it’s a consulting practice that we’re made up of Pembroke Privacy in Ireland, but then we also work with teams in Israel, California, Italy, Germany, etc. So it’s something that is a positive. I think that if we can have a real melting pot of opinions, we’re going to come up with better ideas.
Aoifinn Devitt: And that is, of course, the beauty of running your own business. You can set your rules, set your own rules and your parameters. So that’s great to see. So let’s go back to some personal reflections now. So we’ve spoken about your career and the various different places you’ve spent it. Were there any high or low points there that you can share in particular?
Kate Colleary: Yeah, certainly as a high point of my career, a few years after I set up practice, I was approached by the IAPP. And as a young privacy lawyer, the IAPP is the go-to place. It’s the representative body for privacy professionals. And they approached me and asked me to be their country leader for Ireland. And frankly, I mean, I just couldn’t believe it. I really couldn’t. For me, you know, it really was the pinnacle of my career where my peers, as I had seen them, and people I really looked up to, they asked whether I would take on that role. And they appointed us at a conference. There was myself, there was a French country leader, UK, Netherlands, Germany, and at the time— and we have more country leaders now— but those of us who were appointed at that moment, it was this huge conference and big kind of music and lights, and it was this gigantic 4,000 privacy professionals in this place in Washington, D.C. That’ll always stick with me as being a very special moment in my career, and perhaps all the sweeter for having occurred where I had set up my own practice. And a big surprise, I have to say. As I said, I actually didn’t even believe it when they phoned me and were asking whether I would do it. To balance that with some lows, I guess when I left, you know, big corporate law firms, that’s always going to be a stressor, leaving what you know. And I had always worked in large corporate organizations all my life, and that environment, I really liked that environment. I liked the working with other people. I liked the support that you have in that environment. And I really I worried. Worried, you know, whether would clients come to a boutique, a specialist place? How are we going to deliver the same excellence of service without those supports, without the marketing team, without the accounting team or the IT team? And I think you psychologically, know, closing one chapter is always difficult, but I’m a resilient person. So, you know, I worked my butt off and I’m very fortunate to have had the training I’ve had in my career from Trinity all all the way through the Law Society and, and the various certifications and diplomas I’ve done since then. And that really stood to me and it helped me develop the practice. And I’ve been hugely lucky, I really have. So while that was a low at the time, now looking back, it was the best thing that ever happened.
Aoifinn Devitt: It’s certainly daunting to get outside the comfort zone and certainly to cast off the safety nets of a large firm, but you seem to have thrived. And you mentioned training— were there any key people throughout your career or in life in general? Who made an impression on you, maybe a mentor or just somebody whose knowledge you have really benefited from?
Kate Colleary: Yeah, I mean, there’s been so many people. I really have been so fortunate career-wise. I’ve worked with— there’s a, you know, financial controller who took me under his wing and sort of explained the business of law, which isn’t something that you’re really taught in law school. You’re taught how to balance account books and things, but you’re not really taught about the business of law and how to make it successful. And I, you know, I really appreciated that. And the same There was a marketing team as well. People in there really taught me how to go out there and look for clients and, you know, all of that sort of stuff. But I guess from a personal perspective, my mum and my grandmother both were very strong women. Both were teachers. My mum also wrote home economics textbooks. And at the time, you know, in the 1980s in Ireland, they were revolutionary in how they communicated information in a sort of an entertaining, practical, understandable way. So I was lucky. I had a strong history of strong women behind me. And both mum and granny were feminists, absolutely, who believed in equality. They were very politically interested, so there was always discussions about politics at the dinner table. And I guess one of the defining moments then was both my parents died, actually, where they were very young, they were in their 50s, I was maybe 24, and I was still living at home. So the outcome of that, I think, for me, on a personality perspective, is I’ve always seized the day, you know, I’ve always had this insatiable need to live life as fully as possible. And particularly around travel. I love travel, and I think it was my mum, she was afraid of flying all of her life, and it was only where she got diagnosed with cancer that she found it within herself to get on some planes and to go and to travel. But unfortunately, you know, that was curtailed by treatment, so she wasn’t able to experience some of the amazing places that I’ve been very lucky to travel to. And I think that’s perhaps another reason why I really appreciate the work that I do and the role that I have with IAPP. I’m able to travel almost anywhere in the world and be welcomed by a network of privacy professionals. You know, it’s like a large family, and it’s one that I’m terribly proud and grateful to be a member of.
Aoifinn Devitt: Well, that’s wonderful, and particularly that you mentioned your mother, because Deirdre Madden’s All About Home Economics, I think, is the tome that all of us— not just my generation, our generation— but many generations have referred to and continue to refer back to for the scrambled egg recipe, among others. So I’ll definitely put a link to that in the notes as well. And thank you for those reflections. My final question is around any advice, a key piece of advice or a creed or motto that you live by that you can share.
Kate Colleary: I don’t think there’s anything necessarily formal, but I really firmly believe that in order to succeed, whatever it is we want to do, if it’s in a relationship, career, finance, health, we can achieve our goals if we identify why we want to do whatever it is, and that why is strong enough and we have a plan, and then we take massive action to action that plan and to take steps towards it. And I love that phrase or that saying from Samuel Beckett, a very well-known Irish writer: ever tried, ever failed, no matter, try again, fail again, fail better. And I love that idea that I don’t believe in failure. You know, if you make a mistake, if something goes wrong, you learn from it and then you improve on it. I think that’s maybe a way of looking at life that makes it, you know, back to innovation, that assists innovation, that idea that you’re constantly evolving, constantly improving. But I guess, yeah, I think I mentioned my curiosity and my love of travel. So I think probably my abiding motto is, you know, don’t die wondering. I think go experience everything, you know, everything that life has to offer because life is short. So, so that would be, I think, my driver.
Aoifinn Devitt: Well, that’s a wonderful place to end this. I have so enjoyed, Kate, watching your career and your star rise through LinkedIn mostly, as we now live in different countries. But I can’t think of a better person to be at the helm of this fast-paced area of technology and privacy that is affecting all of our lives, perhaps in ways that we don’t even know yet. So thank you for staying on the cutting edge of that and for blending it with the commercialism that I think is key to getting it through and to getting it accepted more generally. So thank you for sharing your insights with us.
Kate Colleary: Thank you so much, Aoifinn, and I’ve really enjoyed talking.
Aoifinn Devitt: I’m Aoifinn Devitt. Thank you for listening to our 50 Faces Focus Series. If you liked what you heard and would like to tune in to hear more inspiring lawyers and their stories, please subscribe on Apple Podcasts, wherever you get your podcasts. This podcast is for information only and should not be considered construed as investment or legal advice. All views are personal and should not be attributed to the organizations of the host or any guest.
