Hi I am just setting up a new CRM system for our small CIO. We are membership based and are mandated to maintain a list of members for I think 10 years after someone stops being a member of the CIO. I am trying to work out our legal basis for different types of processing for GDPR and our privacy policy. I've put everything to do with maintaining the CIO membership list and membership payments as - legal. 

I'm trying to understanding the legal basis for contacting members by email. I think anything for fundraising e.g. to solicit donations for a campaign should be consent. However, what would be an appropriate legal basis for other things like to inform members of an AGM, member related admin like their membership needs renewing, payment failure etc, should that all be consent, or could I do that under legitimate interests if I do a legitimate interests assessment?