The GDPR applies to any organisation that processes the personal data of EU citizens, regardless of whether the organisation is based inside or outside the EU. If your organisation processes the personal data of EU citizens, you must comply with the GDPR unless you can demonstrate that you meet certain conditions.
The GDPR requires organisations to take a risk-based approach to data protection. This means that you must assess the risks to the personal data that you process, and put in place appropriate measures to mitigate those risks.
One of the key risks that you need to consider is the risk of sending emails to people who have not given their consent to receive them. This is a particular problem for charities, as many people donate to charities without explicitly consenting to receive marketing emails from them.
The GDPR prohibits the sending of unsolicited emails, unless the recipient has expressly consented to receive them. This means that if you want to send marketing emails to people who have not previously given their consent, you must first obtain their explicit consent.
There are a number of ways in which you can obtain explicit consent from individuals. For example, you could include a checkbox on your website that people can tick to indicate that they consent to receive marketing emails from you.
If you want to send marketing emails to people who have already given their consent to receive them, you must still ensure that you have a valid and up-to-date email list. This is because individuals can change their mind about consenting to receive marketing emails at any time.
If you don't have a valid and up-to-date email list, you could be in breach of the GDPR. This is because you would be sending emails to people who may no longer want to receive them, and who may have already withdrawn their consent.
There are a number of ways in which you can keep your email list up to date. For example, you could include an unsubscribe link in every email that you send. This would enable people to easily unsubscribe from your emails if they no longer want to receive them.
Another way to keep your email list up to date is to periodically send out a campaign to people on your list, asking them to confirm that they still want to receive emails from you. This is known as a re-engagement campaign.
If you don't have a valid and up-to-date email list, or you don't take steps to keep your list up to date, you could face a number of risks under the GDPR.
The first risk is that you could be fined up to 4% of your annual global turnover, or €20 million (whichever is greater), for breaching the GDPR.
The second risk is that individuals could take legal action against you for sending them unsolicited emails. This could lead to you incurring significant legal costs, and damage to your reputation.
The third risk is that the Information Commissioner's Office (ICO) could take enforcement action against you, including ordering you to stop sending unsolicited emails, and issuing a public notice of their decision.
The fourth risk is that the ICO could impose a monetary penalty on you of up to €20 million, or 4% of your annual global turnover (whichever is greater), for breaching the GDPR.
The fifth and final risk is that you could be blacklisted by email service providers, making it difficult or impossible for you to send emails to your supporters.
To avoid these risks, you should take steps to ensure that you have a valid and up-to-date email list, and that you only send marketing emails to people who have given their explicit consent to receive them.