Data Protection Impact Assessment (DPIA)

SCOPE OF WORK (SOW)
The firm or consultant will undertake the following scope of work:

Understand thoroughly how Triggerise Kenya Limited collects and processes data;
Conduct a Data Protection Impact Assessment (DPIA) which will include a full analysis of the Kenya Data Protection Act (2019) against Triggerise’s processes and operations to help identify data protection risks. The impact assessment will contain the following key elements –

A systematic description of our current processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by Triggerise in processing;
An assessment of the necessity and proportionality of the processing operations in relation to the purposes; and
An assessment of the risks to the rights and freedoms of data subjects

Develop a plan of action to mitigate the identified risks to the rights and freedoms of data subjects as articulated in the Kenya Data Protection Act as well as to address any other issue relating to our obligations identified in the Kenya Data Protection Act
Develop a Data Protection Policy and associated standard operating procedures (SOPs) for Triggerise Kenya Limited that ensures compliance with the Kenya Data Protection Act (2019).

DELIVERABLES

Complete DPIA report which outlines both data and compliance risks within the organization and proposed measures (the plan of action) to address or mitigate risks;
Comprehensive Data Protection Policy (DPP); and
SOPs which ensures compliance across Triggerise’s operations and processes to ensure compliance with both the Act and the DPP.

REQUIREMENTS
The qualified firm should exhibit the following:

Demonstration of experience and expertise of similar assignment with on-Governmental Organizations (NGOs);
Providing an activity plan (project plan) of actions to achieve the objectives of the assignment, specifying budgeted hours, timelines and sequence for its consultancy procedure and level of staff to be assigned;
Incorporating CV’s of the proposed professional staff of the core management team and the authorized representative submitting the proposal. CVs should demonstrate relevant experience of dealing with data protection matters within organisations similar to Triggerise (if possible);
List of current and past clients where the bidder has conducted data protection analysis and developed data protection policies or similar, along with the name of the organization, contact person, designation, and a contact number, nature of services and length of the appointment for at least three (3) INGOS;
Registration Certificate;
And other relevant certificates

EVALUATION CRITERIA
Proposals will be evaluated in two parts. The experience, technical proposal and financial quotation shall bear 70% of the total marks while the references and financial capacity shall bear 30% of the total marks.

Proposals should make clear about the relevant skills, experience and capacity of the participant, in respect of this particular TOR.
Proposals must contain the details of the proposed approach to be adopted in order to deliver the service in accordance with the TOR.
Proposals should clearly indicate whether or not bid participants have the capacity to meet the requirements of the TOR.
The proposal should clearly indicate compliance with the appropriate data protection, privacy, legal, social, tax and ethical issues applicable to the country.

Functionality evaluation criteria

Experience, Skills and Ability of Service Provider

Bidders’ track record which includes

Past experience in similar work of this nature.

Team member experience (accompanied by brief CV’s).

The ability of the bidder to fulfil Triggerise’s requirements

Weight: 30

Technical Approach and Execution Plan

Proposals must contain the details of the proposed approach to be adopted in order to deliver the service in accordance with the TOR.

Weight: 30

Financial quotation

Proposals should clearly indicate whether or not bid participants have the financial capacity to meet the requirements of the TOR based on the previous value of similar works done e.g. by sharing copies of recent audited financial statements.

Weight: 10

References

Did the bidder submit at least three relevant and contactable clients that were serviced in the past 36 months.

Weight: 10

Capacity

Proposals should clearly indicate whether or not bid participants have the capacity to meet the requirements of the TOR.

Weight: 20
Totals Weight: 100