Q&A: GDPR

On Tuesday 27 March, we hosted an hour-long live GDPR Q&A session with Websand CEO and accredited IDM GDPR professional, Saul Gowens, in our race directors Facebook group.

Below follows a summary of the most important takeaways from that discussion. For the full hour-long Q&A video, visit and join our group on Facebook.

GDPR Q&A

Q: How long should we store participant data for?

Saul: The easy answer to that is you should hold data for the minimum amount of time possible. There are no specific rules around it and the rules are kind of down to you, but what I would say is, if you don't need that data, get rid of it. If you're going to use the data for marketing purposes, you will need to obtain consent first, but ultimately you'll have to store the data for the shortest time possible.

Q: We have a historical database of runners. Can we use it? Saul: Do you have consent? Do you know when people registered, why they registered and what privacy policy they signed up to? If you can't tell all that then the answer is probably "no".

If you've sold to these runners in the past (i.e. they've registered for your event) and you've had a soft opt-in to your communications in the past and when you communicate with them you have a clear unsubscribe option, then under PECR you may potentially be able to use the database to try to obtain consent from them for future communications. But if someone's already unsubscribed, you should not attempt to communicate with them again at all.

Q: How do we communicate vital event information to participants who have opted out of all forms of communication?

Saul: If I've signed up for your event and paid you money to do so, I would expect you to send me key information about the event - including, by the way, information about the event being cancelled. That's more of a service message rather than a marketing message and you should have the right to send that message through.

I would say your ability to send someone key event information would fall either under lawful basis - you have a contractual obligation with that person to give them the information they need to participate in the event - or legitimate interest - you are sending information that should be in that person's legitimate interest to receive.

Regardless, it's probably a good idea to include this in your T&Cs, so you give yourself the right to send participants just this kind of information as part of delivering the event. And if you want to use that information beyond legitimate interest, like in sending marketing communications, you should always look to get consent beforehand.

Q: We are sharing anonymised data with the council and other local authorities. Is that ok?

Saul: If you're sharing data, you should always explain to people what you're going to be doing with that data, why you need to collect it and always get consent before sharing.

Q: We ask participants to write personal and medical information at the back of their bib number on race day - and then dispose the bib themselves after the race. Is that ok?

Saul: When you're asking people to write personal data on something they own (the bib) you are not actually collecting any information at all. The onus is on each individual person to decide what information they do or do not want to share, so although you're asking them to do something and giving them a reason why, you're not actually collecting anything in the process.

In the case of that medical data being used, there is an obvious reason why this data needs to be used and be used as quickly as possible. So that is a very common-sense, straightforward case of legitimate interest for everyone concerned.

Q: Can we and our race photographer share participant race photos on social media and on the photographer's website?

Saul: Under current data protection law, you'd have to get the consent from all persons in a photograph to use and share that photograph anyway. And under GDPR nothing's going to change. If you are going to use that photograph you'd still need to get consent.

Q: Is it ok sharing volunteer personal information with other volunteers in the team to ensure better communication on race day?

Saul: Best practice would be to ask volunteers for their consent in sharing information with other volunteers on your volunteer signup form. Just make sure you explain to volunteers when they sign up why you are collecting information and how you're planning to use it and get them to opt in for that on the volunteer sign up form. You will also need to clarify how that data will be destroyed after the event. If you do all that, you shouldn't have any problems.

Q: What about contact information for landlords and other race suppliers we hold on file?

Saul: As long as that information is publicly available or you were given the information for the purpose of communicating with them, then it should be fine. There is  again a legitimate interest here in contacting them (it's in their interest for you to contact them) and this is very much a business-to-business kind of relationship.

Q: What about storing personal data and the threat of hacks?

Saul: There are always going to be hacks. You need to be comfortable you're using the right solutions to protect the information you are storing. And bear in mind - this is a key point - you are storing this information now on behalf of people. This is not your data. All you're doing is looking after people's information until they decide they want it back from you. That's a very different mindset you need to apply to data than before GDPR.

Q: This is all going to make out T&Cs quite lengthy...Do we need to have all this in our T&Cs document?

Saul: One of the key aspects of GDPR is that you will need to be transparent and communicate in plain English what it is that you're going to do with data, so actually your privacy document and your T&Cs related to data should be as short as possible and your granny should understand be able to understand them. Key point here is that you will need to move away from having a privacy policy and T&Cs in the same document - they need to be two entirely separate things.

Resources & further reading

• GDPR Readiness: Collecting and Recording Consent
• What are PECR (Privacy and Electronic Communications Regulations)?
• General Guide to GDPR
• GDPR Myth Busting Blogs

For more advice on GDPR and its impact on your events and organisation, you can email Saul at saul@websand.co.uk or contact him through the Websand website.