Request for Proposals: GDPR Compliance
The International Youth Foundation® (IYF®) stands by, for, and with young people. Founded in 1990 through a generous grant from the W.K. Kellogg Foundation, IYF is a global nonprofit with programs directly benefiting 7.7 million young people and operations spanning 100 countries so far. Together with local community-based organizations and a network of corporate, foundation, and multilateral partners, we connect young people with opportunities to transform their lives. We believe that educated, employed, engaged young people possess the power to solve the world’s toughest problems, and we focus our youth development efforts on three linked objectives: unlocking agency, driving economic opportunity, and making systems more inclusive. Our vision is to see young people inspired and equipped to realize the future they want.
IYF has recently launched a new institutional strategic plan to guide organizational programming and business development through 2019-2021 to achieve maximum mission impact and effectiveness. Bringing the organization into General Data Protection Regulation (GDPR) compliance is a critical component of this new strategy. IYF seeks a consultant or firm to work across IYF’s business units, including its home office in Baltimore and its Country Offices in Morocco, Jordan, Mexico, Mozambique, Zimbabwe, Kazakhstan, South Africa, and Tanzania, to create a roadmap with clearly defined processes and templates that will enable IYF to become GDPR compliant.
SCOPE OF WORK
- Review and validate findings from an external IT audit conducted in 2018, which recommended that IYF increase controls and protections for all information collection, update operational processes to industry best practices and in compliance with the GDPR, and ensure that existing technology is optimized and designed to follow GDPR protocols.
- Investigate and audit what personal data is being collected, stored, retained and used by and on behalf of IYF, including its home office in Baltimore and its country offices.
- Conduct key informant interviews across IYF’s business units (Human Resources, Financial Accounting, Information Technology, Marketing and Communications, Business Development and Programs, and Field Offices).
- Review IYF’s procedures and business processes to ensure that they cover all the rights that individuals have, and provide recommendations on how to revise and update policies to bring them into compliance.
- Audit IYF’s contact relationship management (CRM) system, monitoring & evaluation processes, marketing and communications protocols, IT security and privacy processes, HR systems and processes, etc.
- Assess IYF’s mass emailing practices, including the email signup/subscription process, for compliance and provide detailed steps to address compliance failures as needed.
- Provide recommendations to manage data, with clearly defined roles and responsibilities for how data is documented, stored, accessed, used, and deleted.
- Develop a prioritized action plan with specific remediation recommendations, a schedule, and human and financial resource estimates to bring IYF into compliance and to manage ongoing compliance.
- Recommend processes and build tools to address compliance requirements.
- Develop, in consultation with the IYF project lead, a GDPR Awareness presentation and trainings for internal staff and IYF’s external partner organizations.
- Use a training-of-trainers approach so that IYF can facilitate the training with internal teams and external partners.
DELIVERABLES
- Assessment report of IYF’s GDPR compliance status, including a thorough mapping of IYF’s data landscape and gaps.
- Prioritized action plan, including recommendations to manage data, with clearly defined roles and responsibilities for how data is documented, stored, accessed, used, and deleted.
- A suite of tools, developed in consultation with the IYF lead, to address GDPR compliance requirements.
- A GDPR Awareness presentation and training (along with training materials and guidelines for internal and external use).
FORMAT FOR PROPOSALS
- Contact information for the key contact(s).
- Brief company history, including years in business, number of employees, office locations.
- Vendor’s approach to and experience with NGO/corporate GDPR compliance work.
- Particular areas of expertise, including approaches to privacy governance and employee training, GDPR data inventorying, GDPR third-party risk management, GDPR privacy escalation policies and procedures, GDPR policies and procedures, GDPR notice, choice, and fair processing statements, DPIA/PIA program development, GDPR incident response program development, GDPR platform development, GDPR-compliant email marketing practices, etc.
- Key staff and bios for any team leads who will work on this project.
Narrative (Max 5 pages) highlighting the following:
- Suggested approach and meaningful descriptions of work products that would result from working together.
- Proposed timeline, with deliverable dates and estimated number of hours (or days) required for each milestone/deliverable.
- Budget narrative
- Itemized budget
- Payment schedule
Client References (2)
Firms and individuals interested in this opportunity should submit their proposed approach in the requested format to Shannon McGarry, Director, Americas, at email@example.com.
- Kindly submit any questions no later than 5:00PM ET on December 16, 2019.
- Responses to questions will be shared by 5:00PM ET on December 19, 2019.
- All proposals must be received by 5:00PM ET on December 31, 2019 in order to be considered.
- Finalists will be invited for interviews by January 8, 2020.
- Interviews tentatively scheduled for January 13 and 14, 2020.
- Selected vendor will be notified by January 17, 2020.
- Contract start date: January 27, 2020.
Thank you for your interest in the International Youth Foundation.