Members, membership information and marketing
As the 25 May approaches, one of the questions we’re commonly being asked is: “Do we need to get consent from our entire membership and marketing database before the GDPR comes in?” The answer is not a straightforward one but , in many cases, it is likely to be “no”.
For charities with a membership base, the good news is that you do not need to seek consent from your members to continue sending them information relating to their membership package (e.g. information on fees and renewals, membership rights, how you are using their membership fees and so on)
The use of membership data for these purposes falls within a charity’s “legitimate interests” which is a non-consent based ground for processing. Even if you have sought consent from your members in the past, you don’t need to obtain refreshed GDPR compliant consents to use their data for membership purposes. You can just let your members know that your legal basis for processing their data is to provide membership services to them in reliance on your legitimate interests. It’s best to provide those members with your updated GDPR privacy policy at this point.
With all that said, you do still need to be careful with the marketing information that you’re sending.
Under PECR, you generally need specific consent to send marketing texts and emails to individuals. The exception to this is the “soft opt in” which allows you to send marketing texts and emails to previous customers about related products and services (for example, a nature charity sending bird-related promotions to a customer that has previously purchased bird seed or other bird paraphernalia).
Remember, though, that the “soft opt in” under PECR does not cover non-commercial promotions (for example, sending fundraising and campaign emails to an existing supporter). So when sending membership information to members, you need to be careful when straying into the realms of marketing that is not covered by the “soft opt in” under PECR (such as newsletters that extend beyond membership-related information to fundraising campaigns, for example).
For marketing not covered by the “soft opt in”, the ICO’s expectation is that you obtain refreshed consents if your existing consents do not meet the requirements of the GDPR.
Whether relying on consent or “soft opt in”, remember to give recipients an easy way to opt out / unsubscribe from marketing emails and texts.
It’s worth taking a look at the ICO’s website for further information on the GDPR and PECR.. For help with updating your privacy policy so that it complies with the requirements of the GDPR, see the ICO’s checklist here.