PROVISION OF CONSULTANCY SERVICES ON DATA PROTECTION ACT (DPA) 2019
- INTRODUCTION
Micro-Enterprises Support Programme Trust (MESPT) is a Kenyan development organization established in 2002. MESPT’s overall objective is to promote economic growth, employment creation and poverty alleviation through enterprise development. This is achieved predominantly through support to the development of agricultural value chains whilst embracing and promoting the green growth and climate change agenda. Through its vision of building a more Prosperous Society, MESPT facilitates increased commercialization, decent employment and green transformation through targeted interventions in the selected value chains. The Trust is a multi-donor entity jointly founded by the Government of Kenya and the European Union who later relinquished their position to the Royal Danish Embassy in Kenya, Ministry of Foreign Affairs of Denmark (DANIDA). To learn more about MESPT, please visit www.mespt.org.
- BACKGROUND
MESPT collects personal information from various stakeholders while carrying out its mandate. MESPT is aware about the Data Protection Act and is cognizant of the importance of being compliant to this ACT. We are seeking consultants to help us ensure that we are compliant with the Data Protection Act.
- OBJECTIVE OF THE ASSIGNMENT
The objective is to facilitate the development of MESPT data Protection and Privacy Policy, carry out Data Protection Act Gap assessment and provide recommendations on the way forward to ensure MESPT is compliant with the Data Protection Act 2019.
Specific Objectives
- Creating Awareness on the Data Protection Act: this is to all MESPT staff and board members.
- Data Protection Impact Assessment: Identify personal data that is collected, the source of the data, reason for collecting, lawful basis for processing, is consent obtained, is data subject informed of collection and their rights? Is special category data collected? Are the right tools used to collect personal data?
- Subject Access Requests: help with defining and documenting business processes that will ensure that MESPT is able to respond to subject access requests within the required timelines.
- Data Protection Act Gap assessment
- Development of the Data protection and privacy policy
- Recommendation: provide a framework for closure of identified gaps to ensure MESPT is DPA compliant
- METHODOLOGY
It is recommended that for maximum value generation for this assignment, the consultant will adopt a participatory approach, this will be through creating awareness of the DPA to all MESPT staff and board, collating and reviewing documents, carrying out interviews with every unit/programme to identify the types of personal data collected, how consent is obtained etc. during the Data Protection Impact Assessment.
- SCOPE OF WORK
The consultant will be expected to carry out and deliver on the following tasks:
- Conduct a systematic review of the relevant literature including-Draft Data Protection Policy, MESPT Policiesto align them with the Data Protection Act, review the existing consent form and make recommendations.
- Hold consultations (face-to-face and/or virtual) with staff and relevant stakeholders on methodologies and approaches for engagement
- Based on the above, formulate and develop MESPT DPA Policy that ensures compliance of MESPT in all aspects of the DPA
- Organize consultations for reference group (Management, Staff and Board) review to critique the policy and validate key findings, approaches, and the proposed policy direction
- Make recommendations for appropriate orientation and capacity building on the policy
- Validation of the draft policy – Management and staff
- Presentation and approval to the Board
- EXPECTED DELIVERABLES
- Inception report for the assignment outlining approach/methodology.
- Report on Data Protection Gap Assessment
- Framework for closure of identified gaps
- Data Protection Policy, Consent form(s), Data Processing Agreement(s), Data mapping document, procedure for handling data subjects’ requests, privacy documents (board of trustees, job applicants, privacy notice for employees, workers and contractors, social media policy, website privacy policy), development of data protection clauses/agreement to be included in contracts and loan agreements, any other accompanying tools
- Assignment Timelines
The consultant should finish all the above within eight weeks.
-
Qualification and Competencies
-
The firms experience with provision of legal consultancy services (Minimum of 10 years).
-
The proposed consultant (s) must demonstrate experience in undertaking similar assignments with regards to Data Protection Act Consultancy by providing at least three references of such assignments in the last three years.
-
The Lead consultant should have;
- law degree from an accredited law school
- Hold at least one data protection and/or privacy certification
- 6 years’ experience within a compliance, legal, audit and/or risk function with experience in privacy compliance
- Experience with data privacy laws within the region and/or EU Data privacy laws
-
The list of proposed staff by specialty. Qualifications of team members evidenced by professional certifications and CVs.
- law degree from an accredited law school
- Hold at least one data protection and/or privacy certification
- 3 years’ experience within a compliance, legal, audit and/or risk function with experience in privacy compliance
- Experience with data privacy laws within the region and/or EU Data privacy laws
-
Proposed methodology work plan including timeframes. This entails the detailed project schedule that covers the project plan, schedule and resource allocation.
-
Any comments or suggestions on the terms of reference, a list of services to be provided by the client.
How to apply
Download tender document by clicking on the following link