Request for Proposals (RFP)

Data Protection and Privacy SOW

Contract Title: Data Protection and Privacy SOW

Contract Manager Title: Information Manager

Location: Remote with travel to Charlotte, North Carolina

Type: External Consultancy

Career Category: Mid to Senior level personnel

Years of Experience: 10+

NB: This Request for Proposals is open solely to established and legally registered business entities (companies, firms, corporations, partnerships, or limited liability companies). Proposals submitted by individual, independent contractors will not be considered.

BACKGROUND:

Global Support and Development (GSD) is a humanitarian organization whose mission is to work with regional, national, and local authorities and key actors across the Caribbean, Central America, and the Pacific for resilience to crises through rapid response, disaster preparedness, and climate adaptation.

GSD began as an impromptu response to Cyclone Pam in Vanuatu in 2015. Since our founding, we have worked with regional, national and local communities and supported various International and US domestic disaster response and preparedness efforts. This first response defined the core of GSD’s DNA as an organization–to work with communities–led by their needs, filling the gaps they have identified while leveraging unique approaches and capabilities with an innovation mindset. By integrating our team’s diverse skill sets and resources into local responses, we can provide rapid response assistance to affected communities in coordination with regional, national, and local community partners. We also work to support and strengthen local capacity through disaster preparedness initiatives including innovation and climate adaptation. We engage with regional, national, and local communities to reduce the impact disasters and the climate crisis have on communities.

GSD’s holds three enablers we consider essential to our work as the standards to which we hold ourselves and our requirements for GSD action: being locally led, ensuring good stewardship of resources, and our values of humility, integrity and accountability.

STATEMENT OF WORK:

As GSD supports partners through its programs, the organization manages various types of programmatic data and information critical for effective humanitarian planning and operations. We play a vital role in the responsible collection, management, and sharing of data to support humanitarian efforts. To ensure the highest standards of data protection, privacy, and responsible data sharing, GSD is proactively seeking to strengthen its data governance framework. This is particularly important as the volume and sensitivity of data managed by GSD are anticipated to increase with the development of new programmatic initiatives.

Moreover, GSD operates across the Caribbean, Central America, and the Pacific regions, necessitating compliance with diverse national data protection legislations, in addition to international standards like the General Data Protection Regulation (GDPR). Adherence to these legal frameworks and international best practices for ethical data handling, as advocated by leading humanitarian organizations, is paramount for maintaining the trust of our partners and the wider humanitarian community, and for mitigating significant operational and reputational risks.

PURPOSE OF CONSULTANCY / OBJECTIVE:

GSD is seeking a firm to develop a comprehensive data governance framework, which will include specific policies, standard operating procedures (SOPs), and data responsibility guidance. This framework will be informed by a desk review of data protection, data privacy, and data sharing regulations across its Areas of Operation (AOO), and is intended to guide GSD’s operational practices, addressing the appropriate use and management of sensitive data while maintaining data control within the organization.

SPECIFIC OBJECTIVES:

The firm will achieve the following specific objectives:

• Map GSD's programmatic data types, uses, and flows to clarify current practices and identify areas for optimization.

• Analyze how relevant data protection, privacy, and data sharing regulations and international best practices intersect with GSD's activities, identifying compliance needs and potential risks.

• Create and refine essential documents, including a comprehensive Data Protection and Privacy Policy, harmonized program-specific procedures, revised Data Responsibility Guidance, and robust External Data Sharing Protocols.

• Propose an effective organizational structure, roles, and responsibilities to support data protection and governance within GSD.

• Lead the socialization, testing, and orientation efforts for the new/revised policies and procedures to ensure understanding and practical application across relevant departments.

SCOPE OF WORK:

The firm will undertake the following tasks, requiring a total of 100 working days, to be completed over a 9 month calendar period, commencing November 2025, and concluding by July 2026 to allow for necessary internal review and organizational scheduling.

1. Initial Review and Data Landscape Mapping:

   1. Review GSD’s current data protection, data privacy, and data sharing policies and procedures.

   2. Identify and map the types of programmatic data collected by relevant departments/programs, including their specific uses and data flows. This activity aims to clarify use cases, identify any redundant or unnecessary data collection, and inform the development of appropriate data protection and privacy measures.

2. Comprehensive Regulatory and Best Practice Review:

   1. Analyze how relevant data protection, privacy, and data sharing regulations and international best practices (including GDPR, those from International Non-Governmental Organizations (iNGOs) and United Nations (UN) Agencies) intersect with GSD's programmatic activities, ensuring compliance and identifying potential risks or gaps in current practices. This includes understanding their relevance to disaster management systems at regional, national, and sub-national levels, and identifying the key building blocks necessary for effective data sharing at all levels. This analysis and its findings will be documented in the Interim Consultancy Report.

3. Development of Data Governance Framework Components:

   1. Organizational Data Protection and Privacy Policy: Draft an overarching Organizational Data Protection and Privacy Policy that consolidates data protection and privacy principles. This policy must ensure alignment with relevant legal, regulatory, and humanitarian requirements, and support compliance with national, regional, and international standards, including the GDPR.

   2. Guidance for Departmental Procedures: Develop comprehensive guidance and standardized templates for the adaptation and harmonization of department/program-specific data protection and privacy procedures. This will enable GSD to ensure coherence across all programs. The firm will provide guidance to GSD in applying these templates to develop their specific departmental procedures.

   3. Data Responsibility Guidance: Review and revise GSD's existing draft data responsibility guidance to ensure full alignment with global humanitarian standards, specifically referencing the Inter-Agency Standing Committee (IASC) Operational Guidance on Data Responsibility. This task includes adapting the guidance to GSD’s current business model and programmatic operations, ensuring compliance with the 'Do No Harm' principle and upholding ethical standards and accountability in all data collection, use, and sharing activities.

   4. External Data Sharing Protocols: Establish robust overarching external data sharing protocols and guidelines. This involves developing a framework of rules and processes for GSD's approach to external data sharing, providing overarching guidance for various scenarios. These protocols must ensure compliance with applicable legal and regulatory frameworks, and proactively identify and mitigate risks related to sensitive data handling when sharing information with external partners. This will also include reviewing existing data sharing agreements and developing a standardized, adaptable template for data sharing agreements.

4. Organizational Structure Recommendations: Present clear recommendations on the most effective organizational structure, roles, and responsibilities to establish and support data protection and data governance within GSD, including the development of a RACI (Responsible, Accountable, Consulted, Informed) chart..

5. Consolidated Data Governance Framework: Develop a comprehensive Data Governance Framework that integrates all developed policies, procedures, guidance, and protocols, tailored specifically to GSD’s operational practices and AOO. This framework should include updated governance, accountability mechanisms, and annexes to specific policies and procedures.

6. Socialization, Validation through Discussion, and Orientation Execution:

   1. Develop a detailed plan and comprehensive materials (e.g. presentations, guides, FAQs) for the socialization and orientation of the new/revised policies and procedures.

   2. Facilitate discussions with key departments to validate the practicality and usability of the policies and procedures, and update them accordingly based on feedback.

   3. Execute necessary orientation sessions for relevant GSD staff and departments to ensure understanding and adoption of the new data governance framework.

DELIVERABLES:

The firm will provide the following deliverables according to the agreed-upon timeline:

1. Inception Report:

Content: Detailed work plan, proposed methodology, refined scope of work, and updated timeline for the consultancy.

Target Date: Mid December 2025

1. Interim Report

Content: A comprehensive document that presents the preliminary findings from the firm's analysis of GSD's current practices and relevant regulations. This report will also include initial insights and recommendations.

Target Date: March 2026

1. Draft Data Governance Framework

Content: The draft versions of the Data Governance Framework components, including:

• Organizational Data Protection and Privacy Policy

• Guidance for Departmental Procedures

• Revised Data Responsibility Guidance

• External Data Sharing Protocols

• Preliminary recommendations on organizational structure, roles, and a draft RACI chart.

Target Date: May 2025

1. Socialization, Validation, and Orientation Execution:

Content: Execution of activities to socialize relevant departments to the new/revised policies and procedures, including facilitating discussions to validate practicality, gathering feedback, and updating the framework accordingly. This also includes conducting all necessary orientation sessions for staff.

Target Date: June 2026

1. Final Consultancy Report

Content: The definitive comprehensive report. This document will include the finalized Data Governance Framework, a summary of all findings and recommendations, and an overview of the socialization and orientation activities conducted. This is the final, official version of the project's output.

Target Date: July 2026

1. Follow up Briefings and Socialization and Project Close-Out Presentation:

Concise and practical orientations on updated/final key products to various stakeholder groups within GSD. This may need to include working with key stakeholders and departments on revised protocols and operational guidance specific to their unit and areas of responsibility.

Content: A 30-minute slide deck summarizing the key components of the Final Data Governance Framework including key products (e.g. data sharing protocols, guidance documents etc.) socialized to relevant GSD stakeholders.

Target Date: July 2026

LOCATION:

This is a remote consultancy, with required travel to GSD Headquarters in Charlotte, North Carolina, on at least three occasions:

• At the start of the contract to conduct key informant interviews with GSD staff

• To present the final data governance framework

• To conduct final socialization activities of key policies and products

COORDINATION AND RENUMERATION:

The firm's personnel will report directly to GSD’s Information Manager. A dedicated member of the Information team will serve as the primary internal liaison, providing support as needed for scheduling, logistics, access to internal documents, and facilitating communication with relevant departments and stakeholders. This internal support is crucial for the efficient execution of the project, particularly during the socialization, validation through discussion, and orientation phases. The firm will also collaborate with other members of GSD’s team as required.

For the total work specified, GSD will provide a fixed fee. Payment will be made in installments, upon the successful submission and acceptance of the following key deliverables:

• Payment 1 (20% of total fee): Upon submission and acceptance of the Inception Report.

• Payment 2 (20% of total fee): Upon submission and acceptance of the Interim Report and the Draft Data Governance Framework.

• Payment 3: (30% of total fee): Upon submission and acceptance of the final Data Governance Framework

• Payment 4 (30% of total fee): Upon completion and acceptance of the Final Consultancy Report, and the associated socialization of staff to the deliverables along with the Project Close-Out Presentation.

QUALIFICATIONS AND EXPERIENCE:

The consulting firm proposed team members should have the following qualifications:

This Request for Proposals is open solely to established and legally registered business entities (companies, firms, corporations, partnerships, or limited liability companies). Proposals submitted by individual independent contractors will not be considered.

• Bachelor’s degree in the relevant field, including but not limited to law with focus on information technology / data protection / data privacy, computer science with a focus on data security / data privacy / information management, or related disciplines.

• Ten or more years of experience in emergency preparedness, disaster risk management/coordination, or a related field with a focus on international disaster risk management.

• Demonstrated experience in developing, implementing, and/or managing data and data policies for humanitarian organizations, with an international context.

• Demonstrated understanding of GSD’s areas of operation (AOO), with specific knowledge and working experience of the Caribbean being desired.

• Strong understanding of international standards and best practices related to data protection, data privacy, and data sharing, as well as relevant legal and ethical frameworks.

• Proven ability to synthesize extensive data sets, such as research papers, legislation, reports, and evaluations, into actionable steps, and to adapt and contextualize standards while maintaining quality and integrity of approach.

• Excellent written and oral communication and stakeholder engagement abilities in English. (Additional language skills in French and/or Spanish are a plus).

• Proven ability to work independently, in collaboration with a larger team.

• Experience in training and capacity strengthening on Data Protection, Data Privacy, and Data Sharing is desired.

DURATION & TIMELINE:

The consultancy is expected to commence in mid-November 2025 and conclude by the end of July 2026. A detailed schedule for key deliverables, including specific target dates for each, is provided in the "Deliverables" section of this Terms of Reference and will be mutually agreed upon at contract signing.

To Apply:

Submit detailed RFP to informationteam@gsd.ngo

Administrative and Submission Requirements

• Submission Deadline: October 17, 2025 but earlier submission is encouraged.

• Proposal Format:

• File type:

  • Electronic only

  • Word

  • No page limit is set but applicants are encouraged to be comprehensive and concise; visuals and graphics are appreciated.

• Submission Method: via email to: informationteam@gsd.ngo

Company and Personnel Information

• Company Introduction/Background: A brief overview of your company, history, mission, and what makes your company a good fit for the project.

• Relevant Experience: past projects and relevant experiences, and client references that demonstrate a proven track record of successfully completing similar projects.

• Key Personnel: Resumes and biographies of the specific individuals who will be working on the project, detailing their skills and experience.

• Licensing and Certifications: Proof of any necessary business licenses, certifications, or insurance.

Project-Specific Requirements

• Executive Summary: A high-level overview of the proposal, summarizing the key points and how your company will meet the objectives of this SOW.

• Project Understanding: Demonstrates your understanding of the project's goals, challenges, and desired outcomes.

• Proposed Approach/Methodology: A detailed plan outlining the steps your firm will take to complete the project, including the specific tools, technologies, and methods you will use. This will be further updated during the inception phase.

• Scope of Work (SOW): A clear and detailed breakdown of the work that will be performed and the specific deliverables that will be provided based on your understanding of the project.

• Proposed Timeline/Schedule: A schedule with key milestones and deadlines for the project's completion.

Financial Requirements

• Budget and Pricing: A detailed breakdown of all costs associated with the project. This should include itemized lists for labor, materials, and other expenses.

• Payment Terms: Demonstrate an understanding of proposed payment terms; if alternative terms are needed note this and the rationale.