Request for Proposals: GDPR Compliance

INTRODUCTION
The International Youth Foundation® (IYF®) stands by, for, and with young people. Founded in 1990 through a generous grant from the W.K. Kellogg Foundation, IYF is a global nonprofit with programs directly benefiting 7.7 million young people and operations spanning 100 countries so far. Together with local community-based organizations and a network of corporate, foundation, and multilateral partners, we connect young people with opportunities to transform their lives. We believe that educated, employed, engaged young people possess the power to solve the world’s toughest problems, and we focus our youth development efforts on three linked objectives: unlocking agency, driving economic opportunity, and making systems more inclusive. Our vision is to see young people inspired and equipped to realize the future they want.

IYF has recently launched a new institutional strategic plan to guide organizational programming and business development thru 2019-2021 to achieve maximum mission impact and effectiveness. Bringing the organization into General Data Protection Regulation (GDPR) compliance is a critical component of this new strategy. IYF seeks a consultant or firm to work across IYF—including its home office in Baltimore and its Country Offices in Morocco, Jordan, Mexico, Mozambique, Zimbabwe, Kazakhstan, South Africa, and Tanzania—business units to create a roadmap with clearly defined processes and templates that will enable IYF to become GDPR compliant.

SCOPE OF WORK

  • Review and validate findings from an external IT audit conducted in 2018, which recommended that IYF increase controls and protections for all information collection, update operational processes to industry best practices and in compliance with the GDPR, and ensure that existing technology is optimized and designed to follow GDPR protocols.
  • Investigate and audit what personal data is being collected, stored, retained and used by and on behalf of IYF, including its home office in Baltimore and its country offices.
    • Conduct key informant interviews across IYF’s business units (Human Resources, Financial Accounting, Information Technology, Marketing and Communications, Business Development and Programs, and Field Offices).
    • Review IYF’s procedures and business process to ensure that they cover all rights individuals have and provide recommendations on how to revise and update policies to bring them into compliance.
    • Audit IYF’s contact relationship management (CRM) system, monitoring & evaluation processes, marketing and communications protocols, IT security and privacy processes, HR systems and processes, etc.
  • Assess IYF’s mass emailing practices, including the email signup/subscription process, for compliance and provide detailed steps to address compliance failures as needed.
  • Review IYF’s privacy policy, use of cookies, terms and use agreement, grant agreement and standard contract templates and make recommendations to ensure GDPR compliance.
  • Provide recommendations to manage data, with clearly defined roles and responsibilities for how data is documented, stored, accessed, used, and deleted.
  • Develop a prioritized action plan with specific remediation recommendations, schedule, and human and financial resource estimates to bring IYF, into, and manage ongoing, compliance.
  • Recommend processes and build tools to address compliance requirements.
  • Develop, in consultation with IYF project lead, GDPR Awareness presentation and trainings for internal staff and IYF’s external partner organizations.
    • Training-of-trainer approach, so IYF can facilitate with internal teams and external partners.

DELIVERABLES

Assessment report of IYF’s GDPR compliance status, including a thorough mapping of IYF’s data landscape and gaps

Prioritized action plan. Action plan should include recommendations to manage data, with clearly defined roles and responsibilities for how data is documented, stored, accessed, used, and deleted.

In consultation with IYF lead, develop a suite of tools to address GDPR compliance requirements.

  • Internal tools and templates for IYF
  • External auditing/diagnostic tools for IYF to use to understand compliance of partner organizations

Provide recommended language to update IYF’s privacy policy, cookies, and terms and use agreement, grant agreement and standard contract templates and advise on placement on IYF websites to ensure compliance.​​

Develop a GDPR Awareness presentation and training (along with training materials and guidelines for internal and external use).

FORMAT FOR PROPOSALS

Company Overview

  • Contact information for the key contact(s).
  • Brief company history, including years in business, number of employees, office locations.
  • Vendor’s approach to and experience with NGO/ corporate GDPR compliance work.
  • Particular areas of expertise including approaches to privacy governance and employee training, GDPR data inventorying, GDPR third party risk management, GDPR privacy escalation policies & procedures; GDPR policies & procedures; GDPR notice, choice, and fair processing statements, DPIA/PIA program development, GDPR incident response program development, GDPR platform development, GDPR-compliant email marketing practices, etc.
  • Key staff and bios for any team leads who will work on this project.

Narrative (Max 5 pages) highlighting the following:

  • Suggested approach and meaningful descriptions of work products that would result from working together.

Project Timeline

  • Proposed timeline, with deliverable dates and estimated number of hours (or days) required for each milestone/deliverable.

Budget

  • Budget narrative
  • Itemized budget
  • Payment schedule

Client References (2)

 

TIMELINE

Firms and individuals interested in this opportunity should submit the proposed approach in the request format to Shannon McGarry, Director, Americas, at s.mcgarry@iyfnet.org.

  • Kindly submit any questions no later than 5:00PM ET on January 29, 2020. Update: please see responses to questions below.
  • All proposals must be received by 5:00PM ET on February 17, 2020 in order to be considered.
  • Finalists will be invited for interviews by February 21, 2020.
    • Interviews tentatively scheduled for March 2 and 3, 2020.
  • Selected vendor will be notified by March 6, 2020.
  • Contract start date, March 23, 2020

QUESTIONS AND ANSWERS

QUESTION 1: Should it be tailored to only Kazakhstan or to all countries listed in your email through PwC Kazakhstan?
ANSWER 1: No, responses should not be tailored to one specific IYF office. IYF seeks a consultant or firm to work across IYF—including its home office in Baltimore and its Country Offices in Morocco, Jordan, Mexico, Mozambique, Zimbabwe, Kazakhstan, South Africa, and Tanzania—business units to create a roadmap with clearly defined processes and templates that will enable IYF to become GDPR compliant.

QUESTION 2: Is our review limited to the GDPR compliance only and not the local legislation?
ANSWER 2: Yes, at this time we are specifically and solely focused on GDPR compliance.

QUESTION 3: Do we understand correctly that we will review IYF’s privacy policy, use of cookies, terms and use agreement etc. for compliance only with GDPR, and not with other EU directives (eg. The ePrivacy Regulation)?
ANSWER 3: Correct, the scope of the work will include a review of IYF's privacy policy, use of cookies, terms and use agreement, etc. for compliance only with the GDPR.

QUESTION 4: Does IYF have a designated person responsible for GDPR (CDO, Legal, Compliance)?
ANSWER 4: No, IYF does not have a designated Data Protection Officer (DPO). IYF has appointed an internal staff person who will work across IYF's business units and with the consultant to bring the organization into GDPR compliance.

QUESTION 5: Who will be the project supervisor / manager, with whom we will cooperate?
ANSWER 5: Shannon McGarry, an IYF Program Director, and Knowledge Management Advisor, will manage the relationship with the procured GDPR compliance vendor.

QUESTION 6: Do you have defined process maps (detalization of the processes)?
ANSWER 6: While IYF has defined process maps for many of its business functions, defined process maps for IT, data, or privacy do not exist and would need to be created in partnership with IYF/ input from IYF staff.

QUESTION 7: Have you defined the detailed scope of the project (entities, departments, processes)? If yes, can you please share it. Should we perform the assessment of the project scope? If yes, please provide us the list of all departments and processes within IYF.
ANSWER 7: The consultancy should include an assessment of the project scope. An audit of what personal data is being collected, stored, retained and used by and on behalf of IYF, including its home office in Baltimore and its country offices is required. This will include reviewing processes and policies across Human Resources, Financial Accounting, Information Technology, Marketing and Communications, Business Development and Programs, and Field Offices.

QUESTION 8: Are there any processes that are centralized within one entity/location?
ANSWER 8: All IYF policies, procedures, and processes are centralized through IYF's headquarters in Baltimore, Maryland, United States. They are adapted for local offices as needed.

QUESTION 9: Are the processes among the different offices of the IYF identical?
ANSWER 9: See question #8 above.

QUESTION 10: Are data controllers and data processors defined?
ANSWER 10: Data controllers and data processors have not yet been defined. This will need to be addressed as part of the scope of the consultancy.

QUESTION 11: Have IYF developed and maintained Data Protection Impact Assessment?
ANSWER 11: No, this would need to be included as part of the scope of this consultancy.

QUESTION 12: Who will be responsible for delivering the training to end users and external partners? Could you please provide some background information on recipients of the training and potential facilitators from IYF (total number of people, areas of responsibility, level of competence in GDPR etc.)?
ANSWER 12: IYF is seeking a consultant that can develop a GDPR training of trainers for a small number of IYF staff who will then be equipped to train other staff in the organization and external partners. IYF trained facilitators are yet to be determined, though are likely to include staff from HR/IT, Programs, Marketing and Communications, and Monitoring and Evaluation. Trained facilitators will have some knowledge of GDPR.

QUESTION 13: Do you envision any visits to your country offices or would the work all be remote?
ANSWER 13: IYF anticipates most of the work being done remotely and through meetings at IYF headquarters in Baltimore, MD. At this time, IYF does not anticipate any visits to country offices.

QUESTION 14: Would you want to be compliant with the California Consumer Privacy Act (CCPA) as well as GDPR?
ANSWER 14: At this time, we are only looking at GDPR compliance.

QUESTION 15: Where it says: “build tools to address compliance requirements” - can you confirm that you mean tools such as toolkits, guidelines, check lists, online training, etc. or whether you mean technological tools/apps to address compliance?
ANSWER 15: Correct, by "tools to address compliance requirements," IYF means toolkits, guidelines, check lists, online training, etc.

Thank you for your interest in the International Youth Foundation.