General Data Protection Regulation (GDPR) compliance assessment

  • Contractor
  • Amsterdam Netherlands
  • TBD USD / Year




  • Job applications may no longer be accepted for this opportunity.


Triggerise

Introduction/background of Triggerise

Triggerise Stichting is a Dutch non-profit founded in 2014 that implements health and wellbeing programmes targeting adolescents, primarily in Sub-Saharan Africa. The Organisation currently operates in Kenya, Ethiopia, Uganda, Burkina Faso and South Africa, with additional offices and staff located in Portugal and the Netherlands.

Triggerise is a data-driven organisation relying heavily on the data collected in its digital platform (developed and maintained in-house) known as Tiko to make its programmes more relevant to users while prioritizing interventions that the data show as most effective. The Tiko platform is used to connect young people to health services and products, training opportunities and other wellbeing programmes. More information on our work can be found here: https://triggerise.org/.

Scope of work

When users use the Tiko platform, they trust us with their personal data. Triggerise understands that this is a big responsibility, and works hard to ensure the safe and responsible handling of all the data. The Organisation is seeking the services of a consultant to perform an independent compliance assessment of its existing data protection policies, controls and practices. While General Data Protection Regulation (“GDPR”) compliance is a central focus of this assessment, it is essential to acknowledge that the privacy legal frameworks of the countries where we operate must also be considered.

The work is meant to cover the following: review of our existing policies, controls and practices, identification of gaps and remediation recommendations.

Location of services

Desk review of documentation as well as meetings are to take place remotely. The planning of meetings (depending on attendance required) may need to accommodate the following time zones: Kenya, Ethiopia, Uganda, Burkina Faso, South Africa, Portugal and the Netherlands.

Technical requirements

1. Technical experience

  • Demonstrated experience and expertise in conducting data protection compliance audits/assessments for databases and/or mobile applications under the GDPR or similar data protection regimes
  • Familiarity with the data protection legal framework when it comes to data transfers to and from the EU/EEA

2. Communication skills

  • Ability to understand technical concepts and at the same time translate complex legal concepts to a layperson audience
  • Ability to respond to comments and questions in a timely, appropriate manner

3. Linguistic skills

  • Excellent verbal and written communication in English

Evaluation criteria

Proposals will be assessed against the following criteria:

1. Expertise, experience and composition:

  • Expertise and experience in carrying out privacy compliance audits/assessments for entities that are data-driven and work across EU/EEA jurisdictions and non-EU/EEA jurisdictions. Experience with the privacy legal frameworks in the markets where we operate will be considered a plus

Weight: 30

  • Background of the team members and experience in conducting similar work

Weight: 10

2. Strength of the technical proposal:

  • Overall strength of proposed methodology, including the clarity and comprehensiveness of the proposed approach

Weight: 40

3. Budget:

  • Value for money
  • Detailed outline of the cost to conduct the assessment

Weight: 20

Quotation/Fees

Submit your quotation excluding VAT. The budget for this project cannot exceed the range of 6.000 to 7.500 Euro.

Deliverables

The consultant is expected to:

  • Submit a report along the following structure: Executive summary of findings, Compliance assessment per thematic area reviewed (including graphical representation), Identification of key compliance issues and risks, Recommendations and proposed next steps. The planning for the final delivery of the report needs to take into account one prior commenting round of its draft.
  • Organise a follow-up call to present the key findings and address any questions we may have.

In terms of time commitment, we expect that 2 months from the date of contract award is an adequate time to complete both deliverables.

How to apply

Firms and individuals are invited to submit proposals for this engagement. Proposals should include all relevant information including proposed approach, work plan, budget, capacity statement, qualifications to undertake the work and references. We will carefully assess all the proposals; however, we encourage you to submit a concise proposal.

All proposals should be sent to [email protected] by 6th October 2023 with “GDPR compliance assessment” in the subject line. We encourage you to password-protect your file before submission and share the password with us by emailing [email protected].

We value your privacy and understand the importance of safeguarding your personal data. We invite you to review our privacy notice for the procurement process to understand how we collect, use, and protect your personal data during the procurement process. Click here to view the document. By submitting your proposal, you acknowledge that you have read and understood our privacy notice.

