We have only ever signed people up to membership, mailing list, or discourse separately, and we do not share that information either between the systems or externally,
Therefore the intention of each thing is clear, and I don’t think we need to send one of those lovely GDPR emails asking people to opt in to things they didn’t ask for.
From my understanding of GDPR, as long as we’re clear about the purposes for which we hold and process data (which I believe we are), and as long as we are not using it for other reasons (which we don’t), we’re good.
Obviously that could still change as understanding of the law changes, but I think that’s where we stand now. If anyone has other thoughts, do shout.