How will GDPR affect the way you communicate with Members and Contacts?
In this article, we look at the legal aspects of marketing emails as they apply to clubs (although this is general advice that would apply to many other sectors). Please note that this is general and advisory information; for details of your own club's situation we would advise that you seek specific advice from your legal team.
Sending an email is defined as a data processing activity, but it is also important to remember that segmenting email lists (e.g. into dinghy and keelboat sailors to send them different marketing materials or information) is also a form of processing, and one that you might have to justify.
Personal data is defined as "any information relating to an identifiable [natural] person who can be directly or indirectly identified in particular by reference to an identifier" (ICO, 2018a). In other words, any details that on their own OR in combination with other information could be used to identify a living person. Note that this relates only to "natural persons", as "legal persons" (companies etc.) are not in possession of personal data and are not protected by the GDPR.
Under the GDPR there are a number of different legal bases that can be used to justify the processing of personal data. It is important to remember that "No single basis is 'better' or more important than the others - which basis is most appropriate to use will depend on your purpose and relationship with the individual." (ICO, 2018b). Therefore, we should use the most appropriate basis for the task at hand.
The six available bases are:
- Consent - the contact must have freely given specific and unambiguous permission for their data to be used for a particular purpose. This might include, for example, asking if people want to sign up for an optional newsletter.
- Contract - the data is being processed for the performance of a contract. This, for example, might be used to cover processing a member's address and payment details for billing purposes.
- Legal obligation - you are required by law to process the data. It could easily be argued that this would cover keeping qualification records, for example.
- Vital interests - processing the data is necessary to protect someone's life. This might, for example, be relevant if the club had an employee or member with a severe allergy.
- Public task - the processing is necessary to perform a task in the public interest.
- Legitimate interests - the data is processed to perform a task in your legitimate interests AND there is no good reason to protect the Data Subject's personal data that overrides those legitimate interests. This is the basis that is most appropriate for most member communications - for example, contacting a member about their boat, or sending them email newsletters.
For emailing a member or contact, the appropriate basis would be either Consent or Legitimate Interests.
In the sections below we will consider these different approaches, and how to be legally compliant using either.
The GDPR sets several specific conditions that are required for consent to be considered valid.
- It must be freely given - in other words, contacts must not be required to give consent to marketing to access another service. So, you cannot require contacts to give you consent to marketing before you will enroll them.
- It must be unambiguous - contacts must be aware of exactly what they are consenting to; specifically, they must know who the Data Controller is (that will usually be the club - but if you are part of a group, you need to specify whether the branch, franchise or group is the Data Controller of record), why you will be processing that data (to send them email newsletters and to communicate with them about events, services, products and offers that may be of interest to them), and how you will process that data (by sending them emails/mailshots/text messages, potentially including specifying who will process the data on your behalf, i.e. us!). Much of this information should be on your club Privacy Notice, but it may need to be restated in your consent documents.
- It must require a positive action to opt in; in other words, the contact must take an action to give consent, and a "pre-ticked" box on an online form is specifically prohibited. The same applies to offline consent - the client must opt in, not opt out, of consent to marketing.
- It must be granular: a contact can consent to one type of processing without consenting to another. So, for example, a contact can give consent to be contacted by email, but not by telephone or post; or give consent to receive event reminders but not other marketing materials.
You will, of course, need to keep records of that consent, and provide people with an opt-out - they must be specifically informed that they can withdraw consent at any time. Once a Data Subject has withdrawn their consent, you must stop processing their data immediately, and unless you have to store that data under another legal basis, delete the data.
In addition, any mailing lists you already hold will cease to be valid on 25th May 2018 IF:
(a) They are based on consent, and
(b) That consent does not meet the new requirements.
As a result, consent may not be the most appropriate basis. If you wish to contact your existing contacts, you may find that Legitimate Interest is a more appropriate basis. This is the most flexible approach to data processing, and much less arduous for the contact (no consent forms for them to fill in!). However, it does place certain responsibilities on the Data Controller (i.e. you), and you will need to be able to defend your decision to use Legitimate Interest, if necessary.
In general, Legitimate Interest is appropriate if "you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing" (ICO, 2018b). In other words, it is a use of data that the contact would expect from you, and they're not likely to feel that you're invading their privacy by doing so. As an example, if a contact gives you their email address, it is reasonable to assume that they expect you to email them occasionally. Use of their name, boat and email address to communicate with an existing contact would not usually seem to put their privacy at increased risk, since you already hold that data for legitimate purposes.
However, Legitimate Interests processing does mean that you take on a certain degree of additional responsibility - you must be able to demonstrate that your processing passes the "three part test":
- You have a legitimate interest. This may be commercial, individual, or even a wider societal benefit. In this case, informing your contacts about events and club related or member welfare issues, or an opportunity to give you feedback on the service that you provide would be in your commercial interest. Emailing your contacts would therefore usually pass this test.
- That the processing is necessary to achieve it - if all of your members visit your club every week or so, emailing them is not necessary to meet the interest above. If, however (like in the real world!) many of your members are seen only infrequently, then processing would generally be seen as necessary, so would pass this test.
- That your interests have been balanced against the interests of the Data Subject. This is where you must compare the benefits to you against the benefits and potential harms to the Data Subject (the client). This is something you have to do based on your contacts and the exact purposes for sending emails; however, generally speaking, we would argue that sending newsletters about offers and services is in your commercial interests and the members' interest; emails about events and activities are in your commercial interests; and review-request emails would be in your interests. The potential harms - any invasion of privacy - can be minimised if you have suitable safeguards in place (e.g. data protection policies in the practice, and a suitable data processing contract or agreement with the data processor you use).
This Legitimate Interests Assessment (LIA) process must be documented and recorded, including all potential harms and benefits. This is a weighting process, where you must be able to demonstrate that you have considered the consequences of this processing, and should probably be recorded in your club's Data Protection Policy. However, once done, that process doesn't need to be repeated every time. It simply needs to be reviewed periodically - perhaps every year or two, or if you want to make significant changes to the content or type of marketing you're sending. If you agree that the original balance of harms and benefits remains unchanged, you just need to record that you have reviewed it.
Our opinion is that you "can rely on the legitimate interests processing condition to contact your own members with information about your own products and services and that you wouldn't necessarily have to ask for consent for this first... the relevant section of the GDPR is Article 6(1)f. Recital 47 which accompanies Art 6(1)f states that direct marketing is a legitimate interest" (Wakelam, 2018). However, this does not extend to third parties - in other words, you can only use this legal basis to market to existing members.
In addition, under Legitimate Interest, contacts retain all of their data rights, especially the Right to be Informed. As such, it is important to include your legitimate interests in your Privacy Notice (on your website), and also to inform contacts when you collect their email addresses that you may use those addresses to contact them in relation to these interests. Finally, you must include an opt-out on all marketing emails.
As a result, we suggest that Legitimate Interests justifies the sending of marketing emails to members and contacts; however, to be legally compliant you must document the LIA within your club before doing so, inform contacts (on your Privacy Notice), and allow them an opt-out.
ICO (2018a) - Information Commissioner's Office, "Key Definitions", in Guide to the GDPR for Organisations. Accessed on 20/04/2018, available at:
ICO (2018b) - Information Commissioner's Office, "Lawful Basis for Processing", in Guide to the GDPR for Organisations. Accessed on 20/04/2018, available at:
Last updated 09:34 on 18 May 2018