General Data Protection Regulation (GDPR )

RunTogether take the protection of runner and run leader data seriously and want to ensure you are clear as to how the data we collect is processed. New data protection legislation has meant that we have had to make a few changes to the website and update our privacy notice.

At this point we felt it was important to remind you of the key benefits of RunTogether to ensure data that is collected is processed in the correct way and to remind you of some of the responsibilities as RunTogether leaders.

What is GDPR?

GDPR is an important change in government legislation regarding data protection and stands for the General Data Protection Regulation. It effectively provides an update to the Data Protection Act, bringing in new requirements. Any organisation that is required by law to comply with GDPR must do so by the 25th May 2018 at the latest.

Does this apply to our RunTogether group?

The GDPR applies to any “data controllers” or “data processors”. Those are technical terms but in essence if you collect any personal data in running your group (which you will do if you have any group members) then GDPR will apply to you.

I only use the RunTogether website to manage my group, is everything covered?

In short, yes- if you are using the full functionality of the website.

As a group leader/ run leader who has access to personal data you will need to be mindful of how you manage and process it as you will be responsible for protecting personal data.

The RunTogether programme was designed to help run leaders administer their running groups. A key part of the programme is to provide a facility for runners to register online and to remove any paper-based data collection and processing. This helps to reduce the risk of breaching any data protection regulations in addition to hopefully making your life easier as a volunteer.

Therefore, we recommend that:

  1. All runners register for RunTogether and book any group runs online so they can:
    • Confirm that they have read a GDPR compliant privacy notice and therefore know how their data will be  used by RunTogether and Group LeadersR
    • RunTogether Privacy Notice (for runners and Run Leaders)
    • Provide additional consent for processing data where required e.g. to receive direct marketing emails
    • Access a MyRunTogether profile page where personal details and privacy preferences can be updated at any time.
  2. All Group Leaders use the RunTogether system to manage their group activity. This allows you to:
    • Only collect data you need for the purposes of managing your group
    • Store runner data in one place
    • Send information to runners about your group runs e.g. welcome, confirmations, cancellations, congratulations etc
    • Use an application and administration portal to remove the need for paper-based data collection
    • Ensure that data is secure in a database supported by the Microsoft Azure platform
    • Only export data that is necessary and of only of users that have confirmed they have read a privacy notice
    • Remove people from the database if required

RunTogether Leader Terms and Conditions

The following terms apply for your use of access information (login details and passwords) and personal data:

When setting up your group you have the option of including your own terms and conditions/ privacy notice and any additional marketing consents you have.

We have developed a template privacy notice that you may want to use as your terms and conditions

How to add terms and conditions

A Privacy Notice Template can be accessed via the Run Leader Support area of the website.

Depending on the type of marketing you do to your group (and you may not do any) we would suggest that you may choose to send promotions and offers by post, phone, or by email for similar activities, merchandise and services the runner has already bought. This is included in the privacy notice template.

If you do other marketing or campaigning such as provide information or offers from sponsors you should think about adding addition consents to your group website.

What else do I need to do?

You need to think about what other processes (if any) you undertake that involve processing personal data outside of the RunTogether system, make people aware via a privacy notice and consent (if required)

The fundamental principle of GDPR is that when collecting data, the individual understands how and what you do with their data at the point it is collected.

All Group Leaders and Run Leaders need to be aware of the following:

For example, a runner may not have been on a run for four years - how likely is it that they will return? If the answer, is ‘unlikely’ then their core data should be deleted, or their record anonymised after that time so the person can’t be identified. There will be a full data cleansing process put in place on the RunTogether database to ensure we are compliant with data retention so you only need to worry about this if you are storing data outside of the RunTogether website. This applies to hard copy and electronic data.

To ensure data is only kept for as long as necessary the following data retention rules will apply automatically:

At the time of becoming a Group Leader, Run Leader or group administrator of the group you would have agreed to the following terms that include specifics in relation to data protection. (Note these have recently been updated) and that you have procedures in place to make sure you are processing data how you have told people you will:

What happens if I think there has been a breach?

You will only have 72 hours from being aware of a breach to report it to the ICO. Under the Data Protection Act there are no obligations to report breaches. For example, if a group leader holds group data on their laptop outside of the RunTogether website and it is not encrypted and gets stolen - the data is now at risk and a breach would have to be reported. You need to make sure that personal data is held securely, i.e. that electronic documents are encrypted, and password protected and that they are backed up on a regular basis. You also need to make sure that your volunteers can identify when a breach has happened and that they know what they should do and who they should talk to. To try and avoid any such breaches we would recommend that you use the RunTogether website to administer and manage all of your group member’s personal data.

Does all this only apply to data that is held digitally, e.g. on a computer, or does it cover paper records?

This may be a good opportunity to review filing systems and to limit the amount of paperwork you have to manage. Personal data collected manually and stored in files as a hard copy still has to be managed in accordance with the data protection regulations. As you can imagine, some of the legislation is more difficult to implement in relation to paper copies. For example, Privacy of data is key to the GDPR. Paper documents can get into the wrong hands easily and this could easily become a data breach. Transportation of data in any format (including paper) should be seen as a threat to information security. One small slip and it’s too late – an individual leaves sensitive paperwork on a train, a courier loses an archive box full of payment records, a member of committee has files stolen from their car. These are all real-world situations where paper documents can get into the wrong hands. To minimise the risk we suggest that you use the RunTogether website to administer and manage all of your group’s personal data.

My group keeps a record of its members “in the Cloud” (e.g. via shared files on DropBox or Google Drive, or via a bespoke or commercially available membership system): what should I do about that data?

Data security is key and when storing anything online you need to ensure that you protect yourself by ensuring you keep passwords safe and ensure that files that contain personal data are encrypted. The likes of Dropbox, OneDrive and Google Drive have built in security measures for the protection of files whilst in storage or in the process of being shared. When using third party software you need to ask for assurances over the security of the system. For example, ask the provider for an explanation of how data security is managed or ask if a Privacy Impact Assessment has been undertaken.

ICO guidance – take a look at the 12 steps to take now and the Getting ready for the GDPR self-assessment tools.  The ICO also now offer a helpline. Representatives of small organisations should dial 0303 123 1113 and select option 4 to be diverted to staff who can offer support.

Sport and recreation alliance – Further guidance is available on the SRA website

For any further enquires, as usual please contact

The guidance given here is aimed at assisting RunTogether groups with identifying the key areas that they should be addressing as a result of the additional requirements arising from the upcoming introduction of GDPR. RunTogether groups may have already considered these requirements - and where appropriate have taken specialist advice – regarding the impact of existing UK Data Protection legislation insofar as that may impact their activities.