GDPR Compliant booking systems for Bikeability

Our current online booking supplier is withdrawing our system on 25 May 18 as they aren't able to make the necessary changes to ensure it would comply with the new GDPR regulations coming into force on that date. This leaves us desperately seeking an alternative online booking system.

1. What booking systems work well for Bikeability for customer bookings & staff scheduling?
   
2. Are these systems GDPR compliant?
   
3. What actions are schemes taking to ensure they comply with the new regulations?
   
   

All advice gratefully received.
Many thanks
Emma

Hi - what information do you collect that does not comply?

Trainee names, parents names, carer names, teacher names, contact details, health info. We will need to redesign our permission forms with opt in for all of this. The main issue could be finding the info if an individual requests it at a later stage.

Don't know if the following is of any help at all - I'm sure I've still got things to learn on GDPR and different schools seem to have different ideas about it.

We have built our own online booking and admin but currently our parental consent forms (that include the privacy statement) are not part of it - that is, schools download them from our system and email them out to parents, who send them to the school office. Instructors check them over and then hand them back to the office. Our non-school booking does have online details, but depersonalises it after the training date has finished.

Our information governance team agreed the following wording on our consent forms if it's of any help to you, I am currently double-checking if it is still robust enough for GDPR:
"Use of your personal information: the school looks after this consent form. When our Instructors arrive at the school, they will ask to see the consent forms and hand them back to the school staff after having looked at them and before starting their teaching. We use course registers that contain each trainee’s name and the outcomes achieved. We keep completed registers in our office for two years and then dispose of them securely. We never pass personal information on to third parties."

Thanks, that permission form wording sounds good and we were thinking that we would also give them back to schools once we had checked them to avoid storing them. How about the contact info you may have for school staff? We have a slightly different issue at our cycling centre where we have many repeat visitors who are vulnerable adults and children with complex health needs. This info is important to the instructors in planning appropriate activities and selecting the most suitable cycles but we will have to work out if and how it should be stored.

Hi - the info we store for school staff is their name and the school email and phone, so my understanding is that this would not require their permission to store - I stand to be corrected though! I'd be surprised though as that information is always available on a school website.

The cycling centre situation sounds challenging, we aren't in that situation - I guess that's health data so 'special category'?

Often our teachers use their own email addresses. Pretty sure that to store any personal info requires permission. Perhaps the way round it is to only ever use the main school email address or to ask teachers for opt in permission to contact them about booking bikeability/cycling activities.