Objective:

CGIAR seeks an individual or firm to work across its business units and make recommendations to ensure the CGIAR System Organization is fully aligned to the European Union’s General Data Protection Regulation (GDPR). The individual or the firm must have expertise in GDPR matters including approaches to privacy governance and employee training, GDPR data inventorying, GDPR third party risk management, GDPR privacy escalation policies & procedures.

Background/Context:

CGIAR is a global research partnership whose mission is to create a world with sustainable and resilient food, land, and water systems that deliver diverse, healthy, safe, sufficient, and affordable diets and ensure improved livelihoods and greater social equality within planetary and regional environmental boundaries. Our research is carried out in close collaboration with hundreds of partners, including national and regional research institutes, civil society organizations, academia, development organizations, and the private sector.

One CGIAR is a dynamic reformulation of CGIAR’s partnerships, knowledge, assets, and global presence, aiming for greater integration and impact in the face of the interdependent challenges facing today’s world and the need to deliver on the Sustainable Development Goals by 2030. As such, One CGIAR seeks operational integration, and the transition to such a system has provided the need to bring forward awareness of the CGIAR regulatory framework into its integrated operations.

The CGIAR System Organization is headquartered in Montpellier, France with approximately 60 staff and annual budget of USD 60 million. The System Organization is governed by the Charter of the CGIAR System Organization, and in collaboration with the CGIAR System Council, provides governance to the CGIAR System. The System Organization has an important role in facilitating and overseeing the development of effective and efficient implementation of the CGIAR Strategy and Results Framework. The System Organization enters into agreements with the trustee of the CGIAR Trust Fund, Funders, Centers and other relevant entities for funding CGIAR Research and other activities of the CGIAR System.

CGIAR System Organization recognizes that its operational alignment to the European Union’s General Data Protection Regulation (GDPR), despite the System Organization’s privileges and immunities, is an important component of its operations. The System Organization seeks a consultant or firm to work across its business units to make recommendations to support the System Organization’s alignment to GDPR.

Scope of Work:

The selected consultant will provide the following services:

1. Assessment of the Organization’s alignment to the GDPR, including mapping of its data landscape and gap analysis (current state, future state, gap description).
   • Investigation and audit of personal data being collected, stored, retained and used by and on behalf of the Organization, across its offices.
   • Conducting key informant interviews across business units (human resources, financial accounting, information technology, communications, resource mobilization, science groups, and other offices).
   • Review of Organization’s internal rules framework, business processes, contract templates.
   • Audit of the Organization’s contact relationship management (CRM) or equivalent system, monitoring and evaluation processes, marketing and communications protocols (including mass emailing practices, including the email signup/ subscription process), IT security and privacy processes, HR systems and processes, etc.
2. Developing a prioritized action plan with specific recommendations (including how to close the identified gaps), schedule, and human and financial resource estimates to ensure and manage ongoing GDPR alignment.
3. Subject to approval of the action plan by the Organization, implement the action plan, including, without limitation:
   1. revisions to, and introduction of new policies (internal rules) and business processes (with clearly defined roles and responsibilities);
   2. revisions to, and introduction of new, contract templates (e.g., data processing agreement, consent forms, non-disclosure agreements, flows and breaches templates, etc.), and
   3. a suite of tools and templates, both for internal use and for external auditing/diagnostic tools to understand compliance by partner organizations, and
   4. GDPR awareness presentation and training materials (and corresponding guidelines for internal and external use) for the Organization’s personnel and external partner organizations and other stakeholders

Deliverables and timeline:

• Assessment report of the Organization’s GDPR alignment status, including a thorough mapping of its data landscape and gap analysis and covering the results of item (1) above.
• Prioritized action plan, as described in item (2) above.
• Implementation of item (B) above, after approval by the Organization.

Contracting:

The firm should accept the CGIAR System Organization standard terms and conditions of contract in Annex 1.

If the firm requires amendment of specific clauses, the firm must submit those contract clauses or template for our review and consideration. Please submit in word format, as a separate document, along with the proposal.

CGIAR reserves the right to request additional information or clarification regarding the contract clauses or template during the evaluation process. Note that submitting suggested clauses or template does not guarantee the firm will be awarded the contract. Final contract negotiations will be conducted with the selected firm based on the evaluation results.

Required Proposal Content:

(A) Narrative proposal

A.1 General Information:

• Name of contractor/firm, contact person, title, mailing address, e-mail address, and telephone number.
• Brief company history, including years in business, number of employees, office locations.
• Vendor’s approach to and experience with international organization (IGO)/NGO/corporate GDPR compliance work.
• Particular areas of expertise including approaches to privacy governance and employee training, GDPR data inventorying, GDPR third party risk management, GDPR privacy escalation policies & procedures; GDPR policies & procedures; GDPR notice, choice, and fair processing statements, DPIA/PIA program development, GDPR incident response program development, GDPR platform development, GDPR-compliant email marketing practices, etc.

A.2 Proposed Work Plan and Timeline:

• Summary of the bidder’s understanding of the objectives and requirements of this RFP.
• Suggested approach and meaningful description of work products/deliverables.
• Outline of the key steps, responsibilities, level of effort (number of hours/days) and proposed timelines to complete each item.
• Proposed timeline, with deliverable dates and estimated number of hours (or days) required for each milestone/deliverable.

A.3 Qualifications:

• Qualifications, skills and experiences of the individual who would provide the services, and if applicable, experiences of the firm in relation to the project
• Examples of relevant and similar recent projects
• References from at least three (3) prior clients to which recent projects have been provided previously, including their contact details.

(B) Fee Proposal

• Proposed fees should be itemized and presented in the proposal in US$.
• The proposal should indicate clearly on what basis the service is priced, i.e., hourly rate, daily rate or lump-sum or milestone payment for all services.

Travel: None anticipated, but the parties will discuss if it is deemed necessary after contract is signed.

Evaluation criteria: Proposals will be evaluated based on the following criteria:

• Contractor or firm profile: 15%
• Qualifications and experiences of the bidder: 25%
• Work Plan and timelines: 25%
• References: 10%
• Cost: 25% Bid Schedule and Dates

Bid Schedule and Dates:

The following schedule includes key milestones and their associated completion dates and is provided primarily for planning purposes. CGIAR System Organization may modify the project timeline at its discretion.

Dates	Milestones
2 February 2024	Issuance of Request for Proposals
9 February 2024	Last date for request for clarification(s) on the RFP
16 February 2024	Last date to reply to questions received/late date for amendment
26 February 2024	Deadline for the submission of proposals. Late proposals will not considered.
6-8 March 2024	Oral presentation to the selection panel (Any changes will becommunicated in advance)
22 March 2024	Notification and selection of the successful bidder
1 April 2024	Contract start date

How to submit a proposal:

Please submit a Narrative Proposal (max 5 pages) and a Fee Proposal as two separate documents to smo-bidding@cgiar.org. Both documents can be attached to the same email.

All proposals must be received no later than midnight (Paris time) on 26 February 2024. Only electronically submitted proposals will be considered.