News and Events

Alumni Spotlight: Emerald de Leeuw CEO of EuroComply

20 Jul 2018

Emerald de Leeuw came to UCC to become a lawyer, but altered the direction of her career after a life-changing eureka moment in the library.

After receiving two first class honours degrees from Tilburg University, Emerald de Leeuw came to UCC School of Law with the ambition of becoming a lawyer.

However, soon after graduating, Emerald found herself pitching a business idea that would ultimately see her named European Young Innovator of the Year.


1. How does an LLM Graduate go onto establish a world-renowned data protection consultancy two years after graduating?

 Funnily enough, a eureka moment while studying for my FE-1 exams in the Boole Library at UCC.

I had never set out to become an entrepreneur, I had always wanted to become a solicitor.

Before coming to UCC to study the LL.M Intellectual Property and E-Law at UCC on a full scholarship in 2012, I received first class honours in two law degrees from Tilburg University.

My ambition was to become a technology lawyer. But after writing my thesis on GDPR under Professor Maeve McDonagh, I realised just how much of an impact the Regulation would have.

I began to develop the concept for EuroComply and pitched my idea at the Cork Start-Up Weekend where I met with Sean O’Sullivan (SOSVentures) and Pat Whelan (Trustev).

Although Sean and Pat provided some brilliant feedback, I understood that I would need to broaden my knowledge before setting up EuroComply, plus I was becoming a solicitor, right?

So, I parked the idea and began to focus on the FE-1 exams.

For some reason though, I couldn’t let it go. I kept going back to the idea in my head while studying. Over and over again I would construct the concept in my mind until one day, when I was studying Liability for fire in Ireland, I decided to give up on the FE-1s and begin the process of establishing EuroComply.

That was my eureka moment. It was completely out of character. After all, I had just graduated with a 1.1 from the LL. M Intellectual Property and E-Law and I am, by nature, quite risk-adverse.

To plug the gaps in my knowledge, I enrolled in the MSc Business Information Systems at Cork University Business School in 2014, before being accepted onto the Ignite entrepreneurship programme at UCC one year later.

I received €55,000 in funding from Enterprise Ireland and the NDRC as part of the Competitive Startfund for Female Entrepreneurs and went about developing software that would help firms deal with GDPR.

However, as the GDPR deadline was still three years away, we immediately found that many organisations were a little sceptical regarding the impact of the GDPR and didn’t engage with us. Plus we were a start-up and this was a serious compliance issue.

So, with only €2,000 remaining in the company account, we reimagined EuroComply as a GDPR consultancy firm rather than a software provider. We took the software in-house to improve the efficiency of our consultants.

Very quickly things turned in our favour, and in 2017 I was named European Young Innovator of the Year by the European Young Innovators Forum which is supported by the European Commission and Parliament. I learned a huge amount during my first few months as an entrepreneur.


2. What has been the proudest moment of your career?

The first few years were difficult and I often questioned my decision, but once we started to accumulate some small wins, people began to take note.

I was suddenly being invited to speak at events and that’s when things began to get interesting.

Although some of these events may have been relatively small, quite often some very senior people were in attendance. I always listened to this advice with great disdain but networking truly is key, and I always found the time to accept invitations.

Gradually, I was being invited to speak at bigger and bigger events and last year I gave the keynote at the Irish Independent’s Data Protection Conference.

The conference took place on my 30th birthday which was particularly special, but nothing prepared me for seeing my face on the billboard advertising the sold-out event.

In January, I contributed to a debate on women and entrepreneurship organised by the European Young Innovators Forum at the European Parliament. It was a fascinating experience to learn from each of the delegates who brought a global perspective.

Perhaps though, representing Ireland at the The German Marshall Fund of the United States YTILI fellowship is what I’m most proud of. Just 70 entrepreneurs from Europe and Asia get selected for this every year.

It has allowed me to meet and learn from some amazing entrepreneurs from across Europe. As part of the programme, I’m being mentored by a Boston based mentors including venture capitalists and policy leaders and I’ll be speaking in Washington later this year.

Already, I have taken part in the Global Entrepreneurship Summit in Hyderabad as a representative of the United States Mission to the European Union, where I got to speak with Ivanka Trump’s delegation.

 Emerald de Leeuw speaking at the EU parliament


3. What makes EuroComply stand out from its competitors?


Long before the deadline approached on 25 May, we had established our reputation and were recognised as a leading authority on GDPR. EuroComply always did just one thing: data protection. Focus matters.

Unlike some companies who are new to the scene, we are experts with pedigree and experience. I wrote my thesis on GDPR and lecture on it at the Law Society and Irish Management Institute.

We worked hard to establish that reputation. I never rejected an invitation to speak at prominent events, the company needed that platform.

Like all entrepreneurs, I had to show grit and determination to ensure that EuroComply became a success. All too often we put entrepreneurs on a pedestal and make them look noble and imagine their overnight success, but the reality is that you have to work extremely hard to overcome challenges – success takes time and comes at a price. Entrepreneurship is not for everyone. Good PR and media makes entrepreneurship look bright and shiny, but there are plenty of hard times too. Overall though, I wouldn’t want it any other way.


4. How prepared were firms and organisations for GDPR?


We found that many large firms were able and willing to pay consultants and law firms to ensure compliance. For SMEs however, becoming compliant has been difficult in some cases.

Under the GDPR you are responsible for your entire data supply chain. This mean that a B2B company, with large clients, is now being asked to sign data processing agreements that ensure they are compliant. There is usually a level of indemnity involved, which leaves the smaller firm with all of the liability.

This has placed some SMEs in a difficult position and requires organisations to undergo a huge cultural shift.

Despite what we might read in the headlines, most data breaches are a result of human error. Organisations must therefore understand what data they might hold, own it and delete if there is no lawful basis or purpose for retaining it.

We responded by offering to work pro bono in some instances, identifying some simple solutions SMEs can implement and giving free masterclasses in locations such as the Bank of Ireland workbench

In most cases, undertaking a data protection course should provide SMEs with the insight they need to remain compliant.

Emerald de Leeuw profile picture

5. The reality of GDPR struck home when Facebook were fined £500,000 following the Cambridge Analytica Scandal. Were you expecting such high-profile data breaches and subsequent action being taken against perpetrators?

That was the maximum fine which could be imposed on Facebook under the UK Data Protection Act of 1998. Had they been prosecuted under GDPR, Facebook could have been fined €1.628 billion.

 For far too long people didn’t realise just how valuable their data was. The Cambridge Analytica scandal has changed that.

Personally, I was delighted that the UK Supervisory Authorities flexed their muscles, with their plan to impose a fine on Facebook and criminal prosecute the directors Cambridge Analytica. Too long have companies seen data as the new oil, this is misguided. Trust is the new oil.

This is especially true when you are relying on consent for the processing of data. Companies now have to be transparent about how data is being processed, obtaining trust from individuals will be difficult if what you are doing sounds dodgy. It really requires a shift in culture within data driven organisations.  

Privacy is part of the Universal Declaration of Human Rights and major data breaches can have far reaching consequences. We have seen how the misuse of data and targeted advertising based on profiling during referenda and elections can compromise the foundations of our democracy.

6. We have seen how our data has been used to inform marketing campaigns and possibly influence elections.

Is there any way of telling how much of our data has become widely available and how frightening is that for the public?

 In years gone by, organisations were inclined to collect more data than they needed. Although most of what was happening was not malicious, unconsciously each of us were leaving a large digital footprint.

As a result, data was being mined to such an extent that entire business models relied on collecting it. These types of business may now find themselves in a bit of trouble with the GDPR coming into force. Today, websites must ask for consent before collecting data. They must also provide a list of 3rd party organisations with whom they share data.

GDPR has essentially changed the online advertising landscape overnight. Ensuring transparency and opt-in consent in data supply chains that are largely opaque is impossible, which creates a big problem for adtech.

School of Law

Scoil an Dlí

Room 1.63, Aras na Laoi, T12 T656