Threshold: Request for Tender - Data Protection Officer

Request for Tender
Data Protection Officer (DPOaaS)

Background:

Threshold is a national housing charity, founded in 1978, with regional advice centres in Dublin, Cork, Limerick and Galway. Threshold provides frontline advice, advocacy and support services to those facing housing problems in Ireland and operates the national Tenancy Protection Service. Threshold promotes policy and legal change in housing provision through research and evidence-based solutions.

Threshold is an organisation with over 70 staff in five office locations, with staff working on a hybrid basis. Since 2017 we have been using a Salesforce database, commencing with a client case management system and adding various modules (HR, donor management) in the interim. We use a separate accounting package. In late 2019 we moved our email system to Office 365, followed by moving files to the cloud in early 2020. We use a cloud-based phone system to run a national helpline and have just added drop-down menus / attribution codes to that system.

Request for Tender:

We are currently inviting Tenders for the provision of outsourced Data Protection Officer as a Service (DPOaaS) for the organisation. The duties and responsibilities of the successful tenderer, as DPO of Threshold, are as set out in the applicable data protection legislation, and will include, but are not limited to:

  1. General Advisory
  2. Breach Management
  3. Data Protection Impact Assessment (DPIA)
  4. Data mapping and updating the Records of Processing Activities
  5. Assisting with Subject Access Requests
  6. Risk Assessments as requested
  7. Reviewing DPIA and consent forms for various service functions
  8. Reviewing Data Protection Language in contracts and service level agreements
  9. Reviewing data processing agreements
  10. Assistance with Policy and Process development

Specific Actions:

The Successful Service Provider will:

  • Register as the site Data Protection Officer of Threshold with the Data Protection Commission and act as the point of contact for the supervisory authority for the site;
  • Inform and advise Threshold, and any staff members who process personal data, of the obligations pursuant to the GDPR and any other relevant Irish and EU data protection legislation;
  • Monitor Threshold’s compliance with the Data Protection Acts 1988-2003, Data Protection Act 2018, Health Research Regulations and GDPR and any other Irish or EU data protection law on an on-going basis and issue regular reports on compliance to management;
  • Assist and advise Threshold in maintaining appropriate data protection policies and documenting those policies;
  • Monitor Threshold’s compliance with data protection policies including the assignment of responsibilities, supporting the HR manager and Legal Officer with awareness training and training of staff involved in processing operations and the related audits;
  • Advise on what technical and organisational measures should be implemented to meet the requirements of the GDPR in mitigating the risk to data subjects’ personal data;
  • Provide advice on the completion of data protection impact assessments and consulting with the supervisory authority;
  • Assist Threshold in creating appropriate data maps and inventories;
  • Assist the Threshold HR Manager and Legal Officer in providing on-going staff training in relation to its function as data controller and processor, as appropriate;
  • Act as the principal point of contact for Threshold for both data subjects and the relevant supervisory authority on issues relating to data within the organisation;
  • Advise Threshold’s response in respect of Subject Access Requests that may be received;
  • Advise Threshold’s response to any data breaches that may occur, including liaising with the Data Protection Commission where required.

The DPO as appointed will liaise in the first instance with the Chief Operating Officer in Threshold, and other relevant staff or Board Sub-Committees as appropriate.

Tender Submission

The submission structure should include a table of contents, a summary of the consultant’s previous experience and qualifications, contact details of referees, a timeline for all work activities, the approximate number of days per month to carry out the work, details of costs and relevant appendices.

The Tenderer must provide specific details regarding the following:

Knowledge and Experience:

  • Demonstrated knowledge of data protection law and ability to address the requirements and experience of similar, relevant projects
  • Details of the account team who will manage this project
  • The ‘value-added’ that the bidder can deliver as part of the tender response

Proposed Plan and Methodology and Risks:

  • Initial work required to gain in-depth knowledge of Threshold, its services and organisational processes.
  • How they will work with management to ensure all Threshold policies and procedures are appropriately documented in line with best practice
  • On-going monitoring and review of the organisation’s processes and procedures in relation to its position as data controller and data processor, and reporting and advising on compliance on a regular basis.
  • On-going provision of advice to Threshold management and staff as required in relation to specific queries that may arise on an ad hoc basis.
  • Risks associated with delivery of the programme of work and how the bidder intends to mitigate against such risks;
  • Indicative availability and work flexibility

Communication of Service Provision:

  • A process for measuring the tenderer’s performance in the delivery of the service, communicated to Threshold on a regular basis during the lifetime of the project.

Costs and Related:

  • Proposed Cost Schedule
  • Invoices and other billing documentation must be accurate, i.e. correct contract prices including VAT, details of the services rendered in the period, credit notes and payments
  • Valid Tax Clearance Certificate
  • Evidence of relevant insurances

Documentation

Any further information required in relation to the Invitation to Tender document.

Tender assessment will be based on the following:

  • Applicant’s ability to demonstrate a clear understanding of the tender request.
  • Applicant’s understanding of the DPOaaS needs of a small to medium sized organisation such as Threshold, ideally in the not-for-profit sector
  • Experience of having previously conducted similar projects.
  • Quality of the tender document submitted, including clarity, accessibility and simplicity of language.
  • The project’s value for money and price competitiveness

Timeline and budget

The deadline for receipt of applications is 5 pm, Friday, November 29th, 2024.
The DPOaaS provider will be in place from Feb 1st 2025 for an initial 2-year period, with built-in reviews at 6-month intervals.
The fee will be inclusive of all costs (for example, administrative costs, VAT and travel).
Price increases during the term of contract will not be accepted.
Please include two references from similar, recently completed projects.

All enquiries should be directed to Cormac Lally, Chief Operating Officer at cormac.lally@threshold.ie

GDPR

All parties agree to hold confidential all information, documentation and other materials received, provided or obtained arising from their participation in this process.

All the information requested from you and collected by Threshold during this Tender application process is necessary and relevant to the performance of the process. Threshold will treat all information you supply with the utmost confidentiality and in line with current data protection law.

If you have any questions about the use of your data during the Tender process, or wish to know how your data will be treated during your service with Threshold, please contact us at dpo@threshold.ie

Region: Nationwide