Selling in EMEA? What You Need to Know About GDPR with Nathan Creswell
In this episode of iQ², Nabeel Ahmed sits down with Nathan Creswell, Head of Product at LeadIQ, to unpack the complexities of working with sales data across regions—specifically North America vs. EMEA. They explore: Why contact data in EMEA is harder to access Key differences between GDPR and U.S. data regulations How suppression lists, DNC registries, and consent laws affect outbound sales What LeadIQ is doing to help customers stay compliant while scaling prospecting
Nabeel Ahmed
00:00 - 00:42
Alright. Hey, everyone.
Welcome to the second episode of our thought leadership series of IQ Squared with the man, the myth, the legend, Nathan Cresswell. Nathan, why don't you give us a quick update and intro on who you are, what you're doing, and what you love doing.
Give us a little bit of personal facts too because it's, always interesting. Sure.
And let's kick into the topic at hand, which is the detaining of two data worlds. North America versus EMEA, why is it difficult? Why is it not difficult? Why is everybody looking to expand there, and why are they having trouble? Okay.
I'm gonna get into that, Nathan. Give us the give us the rundown of who you are.
Nathan Creswell
00:42 - 01:22
Yeah. So, Nathan Creswell, head of product.
If your listeners are watching me, welcome to my beautiful basement office. It's as, pretty as it looks.
It's good. So I've been with, LeadIQ for about a year and a half now, and I'm the head of product at at LeadIQ.
I love all things product, technology product, you know, SaaS product. So, that's really me, bit of personal information.
I live in the Bay Area. I have a nine year old son and a seven year old daughter, and, I love living in Redwood City.
It is my hometown, and I if I was allowed to change my background, you would see a background that says, Redwood City. So.
Nabeel Ahmed
01:22 - 02:28
Yeah. Fun fact.
Anywhere you always know where Nathan is in the world because of his Zoom background. So there's no guessing there.
Yeah. But moving forward, right, the reason why we wanna kinda have a conversation around EMEA data is it's coming up a lot more with not only our prospects, our customers, but even our partners.
There is this move happening, not only in the industry, but when it comes to businesses as they look to expand, the natural expansion of a lot of US based businesses is into EMEA. Right? UK, Ireland, those seem to be, next steps to to see if the business can work overseas.
And the start to a lot of these, you know, endeavors or go to market strategy starts with, hey. Can I have a conversation with anybody in The UK or in EMEA to see if my product could fit? And so contact data or data in itself in EMEA is extremely important.
So the reason why this topic is coming up is because people are asking for it. And I wanted to see and kind of start with the topic of, like, why is this a problem, Nathan? Like, why are we running into this issue?
Nathan Creswell
02:28 - 04:47
Yeah. So okay.
So we kind of have to roll back and compare the two different regions. So they're very, very different in terms of their privacy laws and their stringency as it relates to privacy laws.
So, for example, The United States has a federal do not call list. Okay? I am on that list, and I still get calls.
So, that tells you something about how, that list is viewed in terms of, respecting it, okay, and how much it's enforced. So in addition, there's I believe last I looked, there's about 300,000,000 phones phone numbers on that do not call list in America.
There's about, depending on last census, you know, 300 to 330,000,000 people in The US. Right? So that also tells you something.
Right? Not every single person in The US from age zero to age 99 has a has a cell phone number. Right? So that tells you something is very suspect about the quality of that list in addition.
K? So, you know, that's not to say that The US doesn't have privacy laws. They do, but they're just generally enforced in a much weaker fashion.
Right? There's much more protection for, you know, companies and business and and those sort of things than there is for individual privacy, I will I will say. Okay? So, so that's the the kinda US situation.
In EMEA, as I'm sure some of your listeners and watchers will know, it is very strictly enforced. And the one that you'll hear a lot is GDPR, and GDPR stands for the general data protection regulation.
It replaced a previous directive called the data protection directive, and it is stringently enforced. Companies get significant fines.
You sometimes hear about it even in the news, how big tech gets fined by EMEA, right, by the EU, for Google, for example, or antitrust or all that. Right? So EMEA is just much has a much, much different approach to privacy, much stricter protection for the right to not be contacted, the right to own your data, the right to take your data with you, the right to be deleted.
Right? So they just are much, much more stringent about enforcing that, giving fines to companies that violate that, and it's just a very different regulatory framework that exists between the two different regions.
Nabeel Ahmed
04:47 - 05:05
And do and do you think the driver of that is is typically the culture associated with with that? Like, it was there an event in the past that actually forced folks to be, like, in in EMEA to be, like, hey. We we don't wanna give any more of this data out.
Right? And this is just a general statement or question.
Nathan Creswell
05:05 - 05:44
I mean, I don't know if it was a particular event. I mean, I think the the EU has generally just been more about, you know, restricting company overreach, restricting capitalist businesses from misusing things, you know, or doing things that they should not be allowed to do, whether that's merging with another company or, you know, an antitrust or whether contacting someone that doesn't want to be contacted.
Right? So I don't know if it was really a particular event, but it's just the different nature of the two of the two regions and the two different even social and and government society, the way they think about companies and what companies should and shouldn't be allowed to do.
Nabeel Ahmed
05:44 - 06:14
Yeah. Yeah.
And and so I appreciate you giving us a background on what GDPR is, because I know a lot of folks, you know, including myself in the past, always used to say it, but didn't know what it really actually meant. So hopefully, somebody gained some knowledge there.
When it comes to GDPR, how how does it specifically work? Is it, can someone be contacted if there is some sort of legitimate interest, or do they have to fully consent? Like, well, how is that process evolved?
Nathan Creswell
06:14 - 08:31
So so generally, speaking, I mean, we don't have time. The GDPR is a significant piece of legislation.
So in this in this, little podcast, we're not gonna have time to go over the, all the elements of of GDPR. Right? But at a very high level, it talks about certain rights that an individual has.
Those that's what I referenced earlier, you know, the right to be deleted, the right to be forgotten, the right to own your data. Right? It it it really talks about that.
And the spirit of it is that if you do not want to be contacted, you should not be contacted. That's the spirit, I would say, of the framework.
But it is a very, very complex regulatory and legal framework. Right? So so but those those are the broad strokes.
And so, what I would say is that, you know, LEADIQ is compliant with GDPR. Full stop.
Right? So we have many, many mechanisms to ensure that. So for example, we, abide by country specific do not call lists within within EMEA.
If you are on the do not call list in France or whatever country that that we're talking about that we support, you we you will be you will not see them in our in our system to be able to call. Right? That's very important.
Okay? That we respect the do not call list. So that's kind of, you know, step one.
Right? We also have an idea of suppression lists. So even if, you're not on the do not call list, if you specifically request and we do have to verify that you are requesting.
We have to verify that it's you that's that's requesting it. Right? You you can't do it really on behalf of someone.
It's gotta be we gotta know that it's you that wants this. So we can remove you can specifically request and we will delete your data from from our system.
Okay? So that's the other way that we remain compliant. Okay? So, there's other there's other things to talk about in terms of data storage and and things like that.
That. But in general, you know, we make sure that if you do want to be and this can be country by country even within EU.
Right? If you want to be forgotten or you don't want to be seen as a person being contacted, we allow you to do that. Right? You just need to sign up for your country's do not call list or email us, and we will remove you from our list.
It's as simple as that.
Nabeel Ahmed
08:31 - 08:39
Is there a difference between the do not call list, which is typically DNC versus a suppression list, or is there overlap?
Nathan Creswell
08:39 - 09:02
More in the sense of deletion of data, I would say. You know, suppression, list really means, you know, I I do not want you to I may or may not be on the do not call list, but regardless of that, I just want you I want to be out of your system.
Right? Okay. Whereas the do not call list is more like I'm on the do not call list and I just don't wanna be contacted.
So.
Nabeel Ahmed
09:02 - 09:14
Yeah. Okay.
Good to know. So suppression list is like, it can be adapted.
It can grow. It's not on the general mandate or ledger of, like, DNC, do not contact.
So Yeah.
Nathan Creswell
09:14 - 09:15
That's right.
Nabeel Ahmed
09:15 - 09:34
Kinda get good for me to know. What are some, like, use cases when it comes to, folks in EMEA that a business can look at and say, okay.
That user has opted in. Now I can reach out and have a conversation with them.
Nathan Creswell
09:34 - 09:41
Sorry. Can you explain the question a bit more? Use cases in terms of the user wanting to be contacted.
Is that what you're saying?
Nabeel Ahmed
09:41 - 10:13
Yeah. So it's it's finding the green area, right, not the gray area associated with Outreach in EMEA.
And so what I'm looking to try to understand is that there's the there's yep. Companies have to be GDPR compliant.
There's DNC list. There's suppression lists.
Who can you go after and have a conversation with? And Yeah. My understanding is they need to gauge some legitimate or general interest in the services that you're providing to actually be contacted in EMEA.
So what are the That's.
Nathan Creswell
10:13 - 11:30
right. So, again, we don't have time to go over every country's specific privacy laws.
There's a nice law website, you can direct your listeners to that they can spend days reading the privacy regulations of specific countries in EMEA. They're significant.
Right? But I'll give you an example. In Germany, they have double opt in.
Right? Mhmm. So not only does the, you know, the the user have to opt in, but the company has to opt in as well as a double opt in.
They have to give specific consent to be contacted. Right? Yeah.
So so with that concept in mind, we leave that up to the customer. Right? It's largely.
So where we say to the customer, okay. If you need to get specific consent for your country for opt in, then that's up to you.
You get that consent. Right? Aside from those specific country privacy laws, then the persons that can be contacted are the negative of the what I just said before.
So if you are not on the DNC list and you are not, on the suppression list, then at a as a general as a very generic statement, which you have to be careful about when it comes to EU privacy, yes, you can be contacted. Right? But that has to be adjusted for each country's uniqueness, if that makes sense, like Germany and double opt in.
Nabeel Ahmed
11:30 - 12:30
That makes sense. Okay.
So there is there are some some rules and boundaries associated with who you can cannot contact because where I was getting worried and where a lot of our clients prospects come to us is, like, oh, how do I even just enter this market? If there's so many rules and regulations, is is it even worth it? So this is really good information for us to have. When you're when you're kind of moving into, let's say, the folks who wanna be on suppression lists or do not call lists, there's kind of a new trend happening in the market when it comes to data providers and aggregators.
Right? Where the use of a waterfall of multiple data providers can be done through a table or through other providers. If somebody doesn't wanna be contacted, but they're using a provider that aggregates a lot of data providers, is it the same process? Go to the provider and say, hey.
I don't wanna be on this list anymore, and then they would relay that information to a lot of their providers in that waterfall.
Nathan Creswell
12:30 - 13:02
Yeah. It largely is.
Yeah. They I mean, unfortunately, the nature of the of the market is that, yeah, you have to go to each data provider and you have to say, you know, if you are using us in a waterfall fashion, you know, I I do not want to be contacted.
The one exception being, of course, the do not call list. I would imagine all data vendors abide by do not call list because that is a central place to get a list of people who do not want to be called.
You know? Mhmm. So, you would hope that most data vendors are like us and also similarly respect the do not call lists of India.
Nabeel Ahmed
13:02 - 13:35
Yeah. So so that brings in the the second question on that is, data acquisition, Right? And how important it is on the data that you're looking at and acquiring.
How how do how do we look at it at EliteIQ when it comes to data acquisition and the process that we take to make sure that we're providing not only the best data or the highest coverage data, but also data that is compliant, especially in EMEA with GDPR, DNC, and suppression lists.
Nathan Creswell
13:35 - 14:11
So without saying too much about our our data vendors, which is extensive, I mean, I think that, you know, we are the last line of defense in terms of not being contacted, if that makes any sense. Right? Because we are the customer facing aspect of the data that we procure.
And we get our data from many, many places, not just data vendors. But, whether they have abided by that or not, we make sure we abide by that.
So regardless of how we acquire the data, we make sure that we are compliant before we show the numbers to you, if that makes sense.
Nabeel Ahmed
14:11 - 14:44
Yeah. And and and I love that.
Right? So it's it's another layer of, not only cleansing, cleaning, but making sure that we're all compliant so that our users are are good, or or operating in the in the best fashion. Mhmm.
The the other thing which is really quite interesting and we talk about quite a bit is we have the by request feature, which seems to only be specific to EMEA. Is that correct? Could you give us a little background on why buy request even exists for people prospecting in EMEA for the Sorry.
Nathan Creswell
14:44 - 16:23
By by by request, you mean premium search? Correct. Yeah.
Yeah. Yeah.
Yeah. So, so really, so, really in order to call, to get, data in EMEA, right, we call in real time various vendors.
Right? So we we all and we ensure that that's in a mechanism that has been researched and approved by our data quality team. We have an extensive data engineering team, and they have done the assessment of what to call when for, how precisely, if that makes any sense.
Right? So there's a lot of rigor to it. Right? So and because it's in real time, you don't want to be calling that, you know, too often.
So it's really at least in our Chrome extension, it's by when when it doesn't exist. Right? But we're moving to a world more and more, in the product where that will be called automatically, and you will not even need to do it by request.
So that's actually changing. Right? And that same kind of, thinking in terms of our premium search feature to go get these numbers will be expressed in all of our product lines.
We are on a path that's currently exposed in track. It's going to be exposed in refresh.
It will be in bulk capture and web search. So it will be everywhere.
Right? But where we started was our Chrome extension and by request. But I think by request will very soon as in, you know, in a quarter or so, not be not be the case anymore.
It will just be there, and you will get the best EMEA phone numbers that can possibly you can get, that is compliant.
Nabeel Ahmed
16:23 - 16:27
What's the SLA again on the premium search request?
Nathan Creswell
16:27 - 16:34
It's currently I believe it's it's within, it's within certain sec, within a a few seconds, I think. So.
Nabeel Ahmed
16:34 - 17:07
Oh, perfect. So just to summarize, and this is a a an amazing product or or or feature.
If you're prospecting into EMEA and the contact data is not there, there is a premium search feature where it will, ping out to other data providers to identify the mobile phone number for that contact real time as people are going. So I think that we mentioned it.
It takes a few seconds. Right.
The reason and this is only implemented for EMEA. Is that correct?
Nathan Creswell
17:07 - 17:12
Right. And sorry.
I got a bit distracted by a phone call that I that just came on my phone. I apologize.
Nabeel Ahmed
17:12 - 17:14
Man, I like it.
Nathan Creswell
17:14 - 17:22
Actually, sorry. So because I got a bit distracted, it's actually a a more in the in the range of, minutes.
It's a few minutes. Sorry.
So yeah.
Nabeel Ahmed
17:22 - 17:35
Yeah. No.
And I think minutes to getting a number that you didn't have before to a number that you have now, I think, is is pretty ideal. The reason why we had to implement that for EMEA is why again?
Nathan Creswell
17:35 - 17:47
Mainly because, you know, in obtaining these these these phone numbers, it comes from various vendors that we use. Right? So we have to we have to call out in real time for this data, if that makes sense.
Nabeel Ahmed
17:47 - 17:57
Yeah. So it's it's an it's a a process where we invest and grow the database depending on the ICPs that our users are real time prospecting.
Nathan Creswell
17:57 - 18:28
Yeah. Yeah.
Exactly. And I will say that, you know, I would need to go back to engineering to to get the latest on terms of seconds and minutes.
Right? They're constantly doing analysis on how fast it can be. So we are getting it down more and more because we need to expose it in other areas of our, in other areas of our product lines where you may have to process bulk bulk amounts of data getting getting those phone numbers.
Right? So so we are getting that down. So but it's an ongoing, you know, area of improvement always.
Nabeel Ahmed
18:28 - 19:00
Yeah. And and and for all our data nerds out here who are super and hyper interested in the EMEA versus, North America, my next question, not to keep you guys strung along, is could you give us a little bit of the history on you know, there's an assumption where you needed to create, some localized data in EMEA to be compliant, but that's not necessarily the case anymore, where US based companies can host, EMEA data locally.
Could you explain that a bit more to us? Why is that important?
Nathan Creswell
19:00 - 19:32
Yeah. Data storage used to be a big deal.
Like, you had to have a server in Germany to to store the data locally. That's no longer the case with GDPR.
There was a recent amendment to the GDPR regulations. And so what what tends to happen is when you become a customer of LEEDIQ, you sign a data processing agreement, the DPA.
And within that data processing agreement, it gives the right to store that data within US servers. So it's not as stringent as, say, five to ten years ago when, they said, no.
No. No.
You've gotta keep the data within EU geographical boundaries.
Nabeel Ahmed
19:32 - 20:13
Amazing. Okay.
So that shouldn't that should be not even an issue for anybody that's looking to expand or anybody that's looking to procure any kind of data vendor out there is whether where the data is stored and and localized, or where it's stored right now. So it's in a US US based data storage, then it shouldn't be an issue.
They're compliant. Yep.
Cool. That's right.
Beautiful. I know we're we've we've only touched probably scratch the surface on anything EMEA versus North America.
Right? Could you summarize? If I was a customer and I'm looking to expand into EMEA, what are the top items I should think about when it comes to procuring a data vendor and how they are.
Nathan Creswell
20:13 - 22:44
what? So aside from everything that I've said before, make sure they respect the DNC call list, which we do. Make sure they have a way to opt out, which we do suppression lists.
Right? We've talked you want to be sure that they're certified, that they have the certifications. We use AWS for our infrastructure, and we're SOC two, we're SOC two type two compliant, which is largely an American, obviously, certification, but it's largely equivalent with ISO certification.
A lot of EU divisions or a lot of EU companies will ask for ISO certification. So although we don't claim to have ISO certification, right, we are aligned with ISO ISO standards, right, through our SOC two type two compliance.
Okay? Some of our inform you want to be sure that a vendor has information security measures in place. So you want to be sure that you have encryption in transit and at rest, right, which we both have.
You want to be sure you have good key management. You want to be sure that you have strong role based access control.
So we have all sorts of things around groups and locking down certain things depending on, your your group that you are a part of, right, in our prospector, product that you can control. Okay? If there are, you need to ensure that your company has a data breach incident response plan.
Right? What are you going to do if you if you do get breached? Right? Even the best companies can sometimes get breached. And so you need to be sure that you have a plan in place to deal with that.
You need to be ensured that you notify that you are do have a legal obligation to notify if you do have a breach. And you need to ensure that you have regular audits and certifications.
You can't be SOC two type two compliant and then never keep it up. We do it annually to ensure that we're compliant with SOC two type two.
You need to be sure that they've done penetration testing with third party security s experts. It's called pen test.
Right? So ensure that they're doing pen testing. Ensure that they're doing, quarterly, if not, sooner reviews in terms of password management, user access.
Right? So old users should be, being purged from the system, things like that. Right? And that's just a a kind of a just a very high level approach of I mean, security is a whole domain, area of expertise in itself.
That's why chief security officers exist. Right? But Yeah.
You know, these are the sorts of things you wanna hear from a vendor in terms of being both compliance, secure, and storage. Right? And ensuring that you can reach out to EMEA prospects with no fear that you're in foul of law or in any kind of regulation whatsoever.
Nabeel Ahmed
22:44 - 23:23
Awesome. Well, I appreciate you summarizing all of that.
I know it's a high level and there's a lot of nuances associated with each of those line items. But for us, what we'll do is we'll create a general checklist for anybody that's looking to procure data vendors within EMEA and just see if they can match these requirements and hopefully we can provide some value into the market there too.
But, Nathan, appreciate you jumping on. Appreciate you giving us a rundown, and dealing with my, general questions around EMEA versus North America data, but I've learned something.
I also learned that your basement is actually not that bad. It's probably the nicest basement I've ever seen.
So Yeah. You haven't seen the rest.
Nathan Creswell
23:23 - 23:26
of it. So I won't turn the camera so you can see it.
So.
Nabeel Ahmed
23:26 - 23:33
Well, if there's anybody that has any other questions, feel free to message Nathan directly. We have the data.
I'll give you I'll give you his cell phone number.
Nathan Creswell
23:33 - 23:35
to We'll.
Nabeel Ahmed
23:35 - 23:37
get him off the phone.
Nathan Creswell
23:37 - 23:42
Yeah. Oh, yeah.
Definitely. Alright.
Thank you so much for being able to appreciate the time to chat. Thanks, Nathan.
Bye.
Meet the Guests


Nathan Creswell is the Head of Product at LeadiQ, where he focuses on building tools that make sales data more accurate, compliant, and actionable. With deep expertise in B2B data and automation, Nathan helps sales teams prospect smarter.