UK GDPR & PECR Compliance
Every migration from Intelligent Golf to GHL LC Email is a data processing operation. The club is the data controller. Albatross Digital and Capture are processors. Both parties have obligations that must be satisfied before the first send from the new subdomain. This page defines them.
One principle across the whole SOP. Permission follows the member, not the platform. Historical suppressions from Intelligent Golf must be imported into GHL before the first contact import — not before the first send, before the first import. Failing to do so is a direct PECR breach with no technical workaround.
Service Messages vs Direct Marketing
UK law draws a hard line between service messages and direct marketing. The distinction determines whether PECR consent is required and governs every template you build during migration.
Service message (operational / transactional): A communication whose primary purpose is to inform the recipient of something they need to know as a member or customer — not to advertise or promote.
Direct marketing: Any electronic communication directed at an individual for the purpose of advertising or promoting products, services, or organisations. The ICO assesses "purpose" by what the message is primarily trying to achieve, not by what it is labelled.
Golf Club Examples
| Category | Service message | Direct marketing |
|---|---|---|
| Booking & access | Your tee time on Saturday 14 June is confirmed at 9:30am. | Book your tee time this weekend — twilight rates from £18. |
| Course & facility | The 7th fairway is closed until Wednesday due to maintenance works. | Upgrade your game — book a lesson with our PGA pro this week. |
| Membership admin | Your annual subscription renewal is due on 1 August. Amount: £950. | Renew early and receive a complimentary guest pass. |
| Governance | The AGM will be held on Tuesday 15 July at 7pm. Attendance is requested. | Buy tickets for the Captains' Dinner — tables available now. |
| Safety | The course is closed this morning due to ground frost. We expect to re-open at 11am. | Warm up in our golf simulator while the course dries out — book here. |
| Systems migration | Our member communication platform is changing. Future emails will come from a new address. No action is required from you. | (Add "…and here's what's new in our pro shop" = now direct marketing.) |
The Contamination Rule
A service message that contains even a single promotional element — a sale banner, a lesson-booking recommendation, a PS about a pro-shop offer — becomes direct marketing in its entirety. The PECR basis required changes accordingly.
Operational rule: During migration and warm-up, keep service messages entirely free of promotional content. Build separate templates. Never add "while you're here" upsells to renewal notices or AGM announcements.
Consent, Legitimate Interests, and Soft Opt-In
The PECR Baseline
PECR Regulation 22 requires prior consent before sending electronic mail marketing to an individual subscriber, unless the soft opt-in exemption applies. This is a rule about the channel — not about data protection in isolation.
Two points that practitioners regularly get wrong:
- Legitimate interests is not a PECR send permission. Legitimate interests (UK GDPR Article 6(1)(f)) may lawfully underpin certain data processing activities — retaining member data post-lapse, analysing engagement. It cannot substitute for PECR consent to send marketing emails. If you have a Legitimate Interests Assessment (LIA) on file but no PECR consent or soft opt-in basis, you may lawfully hold the data but you cannot lawfully market by email to that individual.
- Updating a CRM field is not creating permission. Setting a contact's "lawful basis" field to "legitimate interests" in GHL does not create a PECR right to market to them. Permission is created by what happened at the point of collection — it cannot be retrofitted by a field update today.
Express Consent
Express consent under UK GDPR must be freely given, specific, informed, and unambiguous. For electronic marketing, the ICO expects:
- An unticked opt-in checkbox at the point of collection (not pre-ticked, not bundled with terms acceptance).
- A clear statement of which channel the individual is consenting to and who will contact them.
- A record of who consented, when, how, and what they were told at the time.
Express consent gives the strongest and most portable PECR permission. It survives an ESP migration: if the club can produce the consent record, the permission travels to GHL with the contact.
Products & Services Soft Opt-In
The products and services soft opt-in (PECR Regulation 22(3)) is available to any organisation — commercial, charitable, or otherwise — provided all five conditions are met:
- The contact's email address was obtained in the course of a sale or negotiation for the sale of a product or service.
- The marketing messages relate to the sender's own similar products and services.
- The individual was given a clear and simple opportunity to opt out at the time their data was collected.
- The individual was given a clear and simple opportunity to opt out in every subsequent message.
- The individual has not objected.
For a golf club: an individual who joined as a paying member, or who enquired about membership and whose data was collected during that negotiation, can receive email marketing about club membership, competitions, dining, events, and similar services — provided they were offered an opt-out when they joined and every email since has carried an unsubscribe mechanism they have not used.
This is the most commonly relied-upon PECR basis for current paying members. It requires evidence that conditions 1 and 3 were met at original collection.
Charitable Purposes Soft Opt-In — Charities Only
The Data (Use and Access) Act 2025 introduced a separate charitable purposes soft opt-in, in force from 5 February 2026. This allows qualifying charities to contact existing supporters about their charitable purposes without express marketing consent.
This applies to charities only. It does not extend to membership organisations, sports clubs, limited companies, or community interest companies simply because they serve a community purpose.
A golf club must not assume it qualifies without first establishing:
- Whether it is a registered charity under the Charities Act 2011 (or equivalent).
- Whether its communications fall within "charitable purposes" as the legislation defines them.
- Whether the individuals being contacted are "supporters" as the legislation envisages.
If a club asks whether DUAA 2025 changes things for them, the correct answer is: it depends on their legal status as a registered charity. Check first. Do not assume.
Summary Matrix
| Basis | Available for email marketing? | Condition | PECR covers it? |
|---|---|---|---|
| Express consent | Yes | Individual opted in clearly; record kept | Yes |
| Products/services soft opt-in | Yes — all organisations | All 5 conditions met; data collected in sale/negotiation | Yes |
| Charitable purposes soft opt-in | Charities only (in force 5 Feb 2026) | Registered charity; charitable-purposes communication | Yes, charities only |
| Legitimate interests | No for the PECR send permission | May support data processing; does not create email marketing permission | No |
| Contract | No for marketing | Performance of a contract supports service messages, not promotion | No |
Member-Type Risk Table
| Contact type | Typical permission status | Key risk | Safer position |
|---|---|---|---|
| Current paying member | Usually products/services soft opt-in; may have express consent if joined online with opt-in checkbox | Soft opt-in only valid if conditions 1 and 3 were met at collection; check original join flow | Mail if soft opt-in evidence is available; pause if join flow did not offer opt-out |
| Visitor / casual green-fee player | Weak — data often collected for booking purposes only | No membership = no "sale or negotiation for membership"; marketing about club products is harder to justify | Require express consent before marketing; service messages about their booking are fine |
| Society organiser | Variable — may have consent for event coordination, not ongoing marketing | Contact is often a third-party representative | Treat as express-consent-required; soft opt-in unlikely to apply unless they negotiated an ongoing commercial arrangement |
| Event / competition lead | Weak — captured at a one-off event | One-off purchase or registration is unlikely to meet "sale or negotiation" if there is no ongoing club relationship | Require express consent; a single competition entry does not establish soft opt-in |
| Lapsed member | Deteriorating — soft opt-in decays over time | The further from active membership, the harder to justify ongoing marketing; spamtrap exposure rises | Suppress from main warm-up; run a separate, clearly flagged re-permission campaign before including in any ramp segment |
| Staff / employee | B2B rules apply under PECR for corporate email addresses | Staff may have given consent for HR comms but not marketing | Verify whether the staff email is the individual's own address or a shared role address; obtain separate consent for marketing |
| SMS contacts (any type) | Requires specific PECR consent or products/services soft opt-in — see below | Higher perceived intrusiveness; separate consent journey usually needed | Do not send marketing SMS unless basis is clear and documented |
Role-based addresses: Generic addresses — info@, office@, admin@ — are typically shared and not personally opted in. Suppress them from marketing sends. Do not blindly suppress named-role addresses: captain@, secretary@, manager@ may be a named, opted-in individual. Verify before suppressing.
The One-Off Transition SMS — Why "No STOP" Is the Compliant Choice
SMS Is PECR "Electronic Mail"
Under PECR, SMS is classed as "electronic mail" alongside email. The same consent and soft opt-in rules apply. Email consent does not automatically cover SMS marketing — a member who is covered by the products/services soft opt-in for email has not thereby given permission for marketing texts.
The Transition SMS Is a Service Message — and Must Stay One
A single, factual, non-promotional SMS is permitted during migration to notify members that emails will now arrive from a new address. It is lawful as a service/administrative message provided:
- It contains no promotional content whatsoever — no offers, no "what's new", no calls to action beyond checking an inbox.
- It is a genuine one-off notification, not repeated.
- The club has a legitimate reason to contact the member by SMS (the number was given to the club for communication purposes).
Compliant wording:
"Highgate Golf Club: We now email you from [name] at mail.highgategc.co.uk. Please check your inbox and junk folder and mark us as safe. Queries: 020 xxxx xxxx."
Why There Is No STOP Line
Adding "Reply STOP to unsubscribe" — or any promotional content — reframes the message as direct marketing. Once it is direct marketing, PECR requires a valid consent or soft opt-in basis for that specific SMS channel, and the fines change entirely.
The Data (Use and Access) Act 2025 raised the ICO's maximum fine to £17.5 million (or 4% of global annual turnover, whichever is higher) for serious PECR breaches. Mislabelling a marketing SMS as a service message is a textbook example of the kind of breach enforcement action targets.
A service message with no promotional content and no STOP line is clean. A message with a STOP line signals "we know this is marketing" — and changes which legal regime applies.
What Is Not Permitted
- An automated workflow that texts every contact who "did not open" an email, each time a campaign is sent — direct marketing by SMS; requires PECR basis
- Framing the SMS as "you didn't open our email" — opens are unreliable due to Apple MPP; texting contacts on this premise is likely to generate complaints
- Using a GHL custom field labelled "allow SMS" as a shortcut for PECR permission — a CRM field is not a consent record; it is only valid if it records an actual consent event (who, when, how, what they were told)
- Sending marketing SMS to any contact whose SMS permission basis is absent or unclear
SMS and Email Deliverability
SMS has no direct effect on mailbox provider reputation signals. Its only deliverability value is indirect: if a member receives the compliant service SMS, finds the email, and marks it not-spam or adds the sender to contacts, that creates a genuine positive engagement signal. That value flows from real member action, not from the SMS itself.
Controller and Processor Duties
The club is the data controller: it determines the purposes and means of processing member data. Albatross Digital and Capture are data processors: they act only on the club's documented instructions.
This distinction has practical obligations:
| Party | Obligation |
|---|---|
| Club (controller) | Maintain PECR permission records; update privacy notice; respond to member rights requests; instruct Albatross Digital in writing on scope and purposes |
| Albatross Digital / Capture (processor) | Process data only on controller's instructions; maintain confidentiality; assist with rights requests; delete or return data at end of engagement |
| GHL / Mailgun (sub-processor) | Named in DPA; club must confirm it accepts sub-processor arrangements; Albatross Digital remains responsible for sub-processor conduct |
A written Data Processing Agreement (DPA) between the club and Albatross Digital must be in place before any data is imported into GHL. It must cover scope, purposes, sub-processors, retention, and deletion obligations.
Suppression Migration — Import Order Matters
Import suppression lists before contacts. If you import contacts first, GHL may process them before the suppression rules are in place. This is the single most common compliance error in rushed migrations.
The correct sequence:
- Export the full historical unsubscribe/suppression list from Intelligent Golf
- Export all hard bounces from Intelligent Golf
- Export historical spam complaints where available
- Import all three lists into GHL's suppression list first
- Verify a sample in GHL to confirm suppressions are active
- Only then import the mailable contact list
- Segment contacts into Tiers A–E using clicks, replies, bookings, and purchases — not opens
Suppressed contacts remain in the system for service message purposes only, where a separate lawful basis exists. They must never re-enter a marketing segment.
Objection to Direct Marketing — Absolute Right
The right to object to direct marketing under UK GDPR Article 21 is absolute. Unlike most data subject rights, it cannot be weighed against a balancing test, overridden by business considerations, or re-assessed at a later date.
Practical requirements:
- Any objection to marketing must have all marketing stopped immediately and permanently
- GHL suppresses an unsubscribed contact straight away — verify this is working on import
- RFC 8058 one-click unsubscribes must be honoured within 2 days (Google/Yahoo bulk-sender requirement); GHL handles this automatically
- Objection records must be retained so the contact is never accidentally re-added to a marketing segment
- Contacts who object to marketing remain in the system for service messages only, where a separate lawful basis exists (e.g. renewing their tee-time booking confirmation)
- Do not re-permission a contact who has objected without a new, independently evidenced consent event — "but they're still a member" is not sufficient
The SLA across the whole programme is one principle: opt-outs are actioned without undue delay — in practice immediately. There is no 10-day allowance. The 2-day maximum referenced in the Google/Yahoo rules is a ceiling, not a target.
Legitimate Interests Assessment (LIA) — What It Does and Does Not Do
What an LIA Actually Does
An LIA documents the three-part test for UK GDPR Article 6(1)(f):
- Purpose test: Is there a genuine, legitimate interest — commercial, operational, or organisational?
- Necessity test: Is the processing necessary for that purpose, or could it be achieved less intrusively?
- Balancing test: Do the individual's interests or fundamental rights override the controller's interest?
A completed LIA may support the processing of personal data — retaining member data post-lapse, profiling engagement, identifying non-renewals. It does not create a PECR permission to send marketing emails or texts to those contacts.
Lapsed-Member LIA — Worked Example
| LIA stage | Typical conclusion for a lapsed golf club member |
|---|---|
| Purpose test | Legitimate: genuine commercial interest in offering the lapsed member the opportunity to rejoin. |
| Necessity test | Passed: a single re-engagement email is proportionate; no need for third-party data. |
| Balancing test | Generally passes if the lapse is recent (within 12–18 months), the original collection met soft opt-in conditions, and the individual has not previously objected or unsubscribed. Tips against the club if lapse is 2+ years, individual previously complained, or original collection was unclear. |
| PECR conclusion | Even where the balancing test passes, the PECR basis must be checked separately. If the soft opt-in is still arguable (recent lapse, original conditions met, opt-out offered throughout), you may proceed. If not, the LIA alone does not give PECR permission to market by email. |
Compliance Checklist
Use this checklist for every club migration before the first send from the new GHL subdomain. Every item must be confirmed.
Controller and Processor Identification
- The club is identified as the data controller in the privacy notice and in the DPA with Albatross Digital
- Albatross Digital is identified as a data processor, acting only on the club's documented instructions
- A written DPA is in place covering scope, purposes, sub-processors (GHL/Mailgun), retention, and deletion obligations
- GHL and Mailgun are named as sub-processors; the club has confirmed it accepts this
- The club's privacy notice names Albatross Digital's role and references GHL as the sending platform
Lawful Basis
- The PECR basis for each contact segment is documented (express consent or products/services soft opt-in)
- No segment relies solely on legitimate interests as its PECR email marketing permission
- For any club claiming the charitable purposes soft opt-in (post 5 Feb 2026), charity registration has been verified
- The UK GDPR lawful basis for processing is documented separately from the PECR send permission
Consent and Soft Opt-In Records
For every contact included in a marketing send, the club must be able to evidence:
- Who gave permission (identifiable individual)
- When permission was given (date)
- How it was given (web form, paper join form, verbal at point of sale, etc.)
- What they were told at the time (the specific opt-in language or the opt-out offered for soft opt-in)
- Any subsequent opt-out or objection and that it has been honoured
If this evidence cannot be produced for a contact, that contact must not be included in the marketing send.
Privacy Notice
- The club's privacy notice accurately describes how member data is used for marketing, which channels, and by whom
- The notice names Albatross Digital as a processor and GHL as a sub-processor
- The notice explains the right to withdraw consent and to object to direct marketing
- Members whose data was collected before the current notice was in place have been informed of relevant changes, or are only contacted under bases that pre-date the current notice
Unsubscribe and Opt-Out
- Every marketing email includes a working RFC 8058 one-click unsubscribe mechanism (configured in GHL LC Email settings)
- A visible body link to unsubscribe or manage preferences is present in every marketing email
- Opt-outs are actioned without undue delay — in practice immediately; one-click unsubscribes within 2 days maximum
- Unsubscribed contacts are moved to the GHL suppression list immediately and do not re-enter any active marketing segment
- Contacts who opt out of marketing remain in the system for service messages only, where a separate lawful basis exists
Suppression Migration
- Full historical suppression/unsubscribe list exported from Intelligent Golf
- All hard bounces from Intelligent Golf exported
- All historical spam complaints exported (where available)
- All three lists imported into GHL's suppression list before the first contact import
- Suppression list verified in GHL (sample check) before any send goes out
Service Message Integrity
- Service message templates reviewed and confirmed to contain no promotional content
- The Step 0 pre-announcement email (sent via Intelligent Golf before cutover) reviewed — it introduces the new sender address and asks members to check junk and add the new address to contacts; it contains no offers, promotions, or upsells
- The one-off transition SMS reviewed — factual, non-promotional, no STOP line, one-off
- A documented process exists to route service messages through a separate GHL workflow from marketing campaigns
Key Thresholds
These are the operational thresholds that apply to every club. Full definitions, monitoring procedures, and recovery steps are in Deliverability Monitoring.
| Metric | Green | Review / hold | Urgent | Hard stop |
|---|---|---|---|---|
| Gmail spam complaint rate | <0.10% | 0.10–0.20% | >0.20% | ≥0.30% (Google rejects mail) |
| Hard bounce rate | <0.50% | 0.50–2.00% | >2.00% (pause new volume) | >3.00% (stop; revalidate entire list) |
| Unsubscribe rate | <0.30% | 0.30–1.00% | >1.00% (review content and frequency) | — |
| Auth pass rate (SPF/DKIM/DMARC) | ~100% | Any unexplained drop | — | Any meaningful failure trend |
Note on Gmail Postmaster Tools: Google retired its domain/IP reputation dashboard on 30 September 2025. It no longer surfaces reputation scores for third-party monitoring. Google Postmaster Tools remains the authoritative source for spam rate data and authentication pass rates. Rely on the spam-rate Pass/Fail signal and Mailgun analytics for delivery diagnostics — not on any "reputation score" view.
See Also
| Topic | Page |
|---|---|
| Authentication setup (SPF, DKIM, DMARC, CNAME) | Setup Runbook |
| Data hygiene and pre-migration list cleaning | Data Preparation Checklist |
| Ramp schedule and advancement gates | Ramp Schedule |
| Monitoring dashboard, stop/pause rules, Postmaster setup | Deliverability Monitoring |
| Step 0 pre-announcement via Intelligent Golf | Step 0 — Pre-Announce |
| How warm-up works (shared IP, domain reputation, metrics) | How Warm-up Works |
Document owner: Albatross Digital. Review cycle: annually, or immediately following any ICO guidance update, PECR legislative change (including any DUAA 2025 commencement orders), or significant compliance incident.
Seed Panel (Diagnostic)
How to use James's real aged inboxes as a pre-launch placement diagnostic and a light one-time reputation nudge — and exactly where the hard line sits between legitimate use and manufactured engagement.
Per-Club Runbook
The operational spine for one club's migration from Intelligent Golf to GHL LC Email — fill the club-facts block, work through the master checklist in sequence, and log every sending day.