With Ellen Demey, Corporate Data Protection Manager at Umicore
Umicore is one of the most versatile industrial players in the world, active across Europe, Asia, North and South America and beyond. At the heart of that complex, international whole, Ellen Demey works as Corporate Data Protection Manager. She is responsible for GDPR and international privacy regulation across all those sites.
That means setting out a privacy policy across countries, processes, sites, cultures, and regulatory frameworks. No small undertaking, and for that very reason a striking illustration of where a career in consultancy can take you.
Her path there began at a small but driven consultancy in the privacy world. We spoke with Ellen about what she learnt at CRANIUM, then still White Wire, what surprised her when she made the move to a large organisation, and why privacy in an industrial context is far more complex than most people might think.
From the Flemish government to White Wire.
Ellen began her career at the Flemish government, where she worked at Youth Welfare adapting processes to the then brand-new GDPR. “At that point it was still new for everyone. I had never led an implementation project before, either.”
That changed in October 2018, when she joined White Wire, the company that would later be acquired by CRANIUM. White Wire specialised specifically in data protection within the healthcare sector. Ellen started with smaller projects in that sector, before eventually growing into a DPO role at several large organisations simultaneously. “That was really rewarding: what you learn at one organisation, you can then carry through to the next. That way you build something up and keep learning constantly.”
““Consultancy means you learn two to three times faster than you would in an in-house role. It is a very good launchpad for the rest of your career.”
Privacy consultancy as a launchpad.
If you ask Ellen what she would pass on to someone considering joining CRANIUM, she is clear: “Consultancy means you learn two to three times faster than you would in an in-house role. It is a very good launchpad for the rest of your career.”
The reason is as simple as it is demanding: “Your client is not waiting for you to figure out what you’re talking about. They simply expect you to know.” That accelerates your growth in a way few other environments can match. Every client brings a new context, new challenges, and new people you need to learn to convince. Anyone who does that for a few years develops not only deep privacy expertise but also the ability to grasp context quickly, build trust, and bring people along.
Ellen also built a solid foundation in terms of content at CRANIUM. The privacy implementation framework she became familiar with there remains a recognisable reference point for how she approaches privacy programmes today.
“Whenever we start a new implementation, I fall back on that framework. Data mapping within a processing register always comes first, even where it may not be legally required under a particular country’s legislation. Privacy notices only follow after that.”
After CRANIUM: the move to a large organisation.
After her years at CRANIUM, Ellen spent time at Securitas, her first step outside consultancy. There she noticed that moving to an in-house role gave her the opportunity to go deeper into a single organisation. That line continued at Umicore, where she now works as Corporate Data Protection Manager.
Towards the end of her consultancy years, Ellen had five or six different clients each week. That meant constantly switching between sectors, people, questions, and priorities.
“That challenge was great fun in the beginning, but after a few years I wanted to focus on one organisation, one large programme.”
Within Umicore, that focus centres on two major challenges. First and foremost, she had to get to know stakeholders in an organisation of that size. Who do you need, who do you need to convince, and who is your point of contact at each site? That takes time and experience.
Alongside that, Ellen is building a coherent privacy framework to prevent a patchwork of approaches. “You do not want every site doing its own thing, but you also have to respect that a country like China or India has different regulations from Belgium.” To manage this, Umicore uses an overarching Data Protection Framework with universal guidelines, supplemented by local adaptations where necessary. “As you can see on our website, we have separate privacy notices for Europe, South Africa, California, and so on. That way you respect the local context while keeping the big picture together.”
“Some people assume that in the industrial sector you only have employee data. In reality it is broader. We have so many sites with access control, cameras, biometrics, national registry numbers, ISPS regulations… There is a great deal of sensitive data, many privacy obligations, and action points that demand attention.”
Privacy in an industrial sector: more than employee data.
There is a common misconception that privacy and data protection are mainly relevant in the digital sector. Ellen sets this straight with one clear statement: “It’s hugely relevant.”
“Some people assume that in the industrial sector you only have employee data. In reality it is broader. We have so many sites with access control, cameras, biometrics, national registry numbers, ISPS regulations… There is a great deal of sensitive data, many privacy obligations, and action points that demand attention.”
And then there are the particular challenges specific to the sector. “We work with toxic products, for instance, which means medical data is kept on record. You have to handle that with care. These are things you might not think of from the outside.”
Every week, Ellen learns something new about the products Umicore makes and the processes required to make them. “That is what makes it particularly interesting.”
Bringing people along.
Whether you work at a small consultancy, a multinational, in the public sector or the private sector, the biggest challenge remains the same: convincing people that data protection matters.
“The principles are the same, large or small. But every organisation naturally has its own challenges and specific context. And the hardest part remains getting people over the line.”
Ellen prefers working bottom-up rather than through obligations.
“Forcing people rarely works. People need to understand why something matters. I try to gradually spread my reach, make myself known, and let that story grow organically.”
She writes monthly articles on the intranet, works with local newsletters, and relies on a network of regional security managers across the world.
A throwback to CRANIUM.
Her warmest memory of her time at CRANIUM is surprisingly personal:
“I could always talk about privacy there. Really go into depth with people who were just as enthusiastic about the subject as I was.”
Although she has colleagues today with whom she can exchange thoughts on data protection, that memory of the expertise at CRANIUM remains something special. “I sometimes miss having a colleague I can really geek out with about privacy. That is something unique about a consultancy environment: everyone is equally absorbed in the same topic.”
Finally: Ellen’s advice.
For anyone considering joining CRANIUM, Ellen has one clear piece of advice: “Consultancy is a great springboard. You learn faster than anywhere else because you are surrounded by like-minded people.”
What you build there goes beyond experience alone. You learn to set up privacy programmes that bring structure, to bring people along, and to keep working within the reality of an organisation.
That is the quiet strength of an environment like CRANIUM: people grow there in knowledge, approach, and the ability to convince. From a small project in healthcare to a worldwide programme at Umicore. The scale may change, but the foundation stays.
Ellen Demey works as Corporate Data Protection Manager at Umicore, a Belgian materials technology company active in more than 30 countries. She began her career in privacy at White Wire, now CRANIUM.
