Consultant on Risk Assessment Methodology for the Office of Personal Data Protection Inspector


Location: Home based consultancy with two missions to Georgia, GEORGIA
Application Deadline: 17-Apr-18 (Midnight New York, USA)
Type of Contract: Individual Contract
Post Level: International Consultant
Languages Required: English
Expected Duration of Assignment: Up to 20 working days during May – September 2018

Background

The project “EU/UN Human Rights for All” is a joint initiative of four UN agencies – United Nations Development Programme (UNDP), United Nations Children’s Fund (UNICEF), Office of the High Commissioner for Human Rights (OHCHR) and International Labour Organization (ILO) with UNDP.

This project is funded by the European Union based on the Financing Agreement on “Human Rights for All” signed between Georgia and the European Union in May 2015.

This project responds to the objectives set out therein; namely, it seeks to strengthen human-rights protection in areas prioritized by EU-Georgia agreements, including the rights of minorities and vulnerable groups, internal and external oversight of law enforcement, labour rights, protection of privacy, freedom of expression and information. The project will mainly support the implementation and monitoring of the National Human Rights Strategy and Action Plan in selected areas prioritized by the EU-Georgia agreements.

Accordingly, the overall objective of this project is to enhance capacities of government institutions and Parliamentary Committees on Human Rights and Civil Integration and on Legal Issues and improve mechanisms for better protection of human rights in Georgia.

The specific objective is to enhance capacity for more effective government institutions, mechanisms and Parliamentary Committees (on Human Rights and Civil Integration and on Legal Issues) in implementing the National Human Rights Strategy (NHRS) and its Action Plan (AP), in areas prioritised by the EU-Georgia agreements.

This Joint Project (JP) will have the following results/outputs:

  • Developed capacities of the NHRSAP Inter-Agency Council and its Secretariat in policy making, implementation and monitoring of the NHRS and AP;
  • Increased public awareness on NHRSAP (including its implementation) and Georgia-European Union (EU) common values as well as promotion of a culture of human rights in Georgia in general;
  • Strengthened capacities of the Office of the Personal Data Protection Inspector to monitor protection of personal data;
  • Establishment and effective functioning of labour administration and industrial relations institutions and procedures;
  • Developed capacities of governmental stakeholders regarding the advancement of childcare and protection systems of poorest children;
  • Strengthened capacities of the Parliamentary Committees on Human Rights and Civil Integration and on Legal Issues;
  • More effective investigation mechanisms on violations committed by law-enforcement officers. 

To accomplish the above activities, the project will partner with the following institutions: NHRSAP Inter-Agency Council and its Secretariat, the Personal Data Protection Inspector, government institutions on labour and child care, Public Defender (Ombudsperson), the Parliamentary Committees on Human Rights and Civil Integration and on Legal Issues, and the Judiciary through the High School of Justice and law-enforcement authorities, as well as higher education institutions and media.

Objectives

One of the objectives of the project is to support better protection of personal data in Georgia by enhancing the capacities of the office of the Personal Data Protection Inspector (PDPI) of Georgia.

At this stage, support is needed to develop relevant tools and guidelines that will facilitate PDPI’s more effective operations. This includes the development of internal regulations for PDPI, which are necessary for the office to implement its statutory obligations. The risk assessment methodology is one such internal regulation that will help the PDPI to better plan inspections of data controllers and processors.

Apart from supporting the PDPI to develop the risk assessment methodology, this activity also aims to build capacity of relevant PDPI staff as well as help increase the awareness of data controllers and data processors.

This call aims to hire an expert who, by implementing different activities prescribed below, will provide assistance to the PDPI in the elaboration of the risk assessment methodology, and also assist the relevant stakeholders in risk assessment capacity building.


Duties and Responsibilities

The overall goal of the assignment is to support better protection of personal data by enhancing relevant risk assessment systems in Georgia. Under the direct supervision of the Programme Coordinator and the PDPI, the Consultant is expected to:

  • Support the Office of the Personal Data Protection Inspector in the elaboration of the risk assessment methodology (taking into consideration, among others, the best practices of European countries) to better plan inspections of data controllers and processors;
  • Provide a two-day training for the representatives of the PDPI on risk assessment methodology as well as data protection impact assessments (privacy impact assessments);
  • Provide a two-day training for the representatives of the public sector on data protection impact assessments (privacy impact assessments);
  • Meet with the representatives of the private sector to speak about data protection impact assessments (privacy impact assessments);
  • Produce the final report of the activities with a brief summary of the work performed.

Deliverables

  • A draft of risk assessment methodology, which will help the PDPI to better plan inspections of data controllers and data processors and better define the scope of these inspections. Among others, the methodology should develop relevant classifiers to identify high-risk fields, high-risk processing operations and should provide an opportunity to better define the scope of the inspections of relevant data controllers and processors;
  • Two-day training for the representatives of the PDPI on risk assessment methodology as well as data protection impact assessments (privacy impact assessments);
  • Two-day training for the representatives of the public sector on data protection impact assessments (privacy impact assessments);
  • A meeting with the representatives of the private sector to speak about data protection impact assessments (privacy impact assessments);
  • Final report of the activities with a brief summary of the work performed.

Implementation Arrangements

Management arrangements: UNDP and PDPI will provide necessary information and facilitate organization of meetings that are necessary for implementation of the assignment under this TOR. UNDP will cover travel costs related to organization of meetings outside Tbilisi, Georgia.

Timeframe of Implementation of the Assignment: The entire assignment will be undertaken during May, 2018 – September, 2018; 20 working days with 9 days in Georgia. Payments will be made based upon output, i.e. upon delivery of the services specified in the TOR approved by the Programme Coordinator:

  • Deliverable 1: A draft of risk assessment methodology, which will help the PDPI to better plan inspections of data controllers and data processors and better define the scope of these inspections. Among others, the methodology should develop relevant classifiers to identify high-risk fields, high-risk processing operations and should provide an opportunity to better define the scope of the inspections of relevant data controllers and processors - 12 working days;
  • Deliverable 2: A draft of risk assessment methodology, which will help the PDPI to better plan inspections of data controllers and data processors and better define the scope of these inspections. Among others, the methodology should develop relevant classifiers to identify high-risk fields, high-risk processing operations and should provide an opportunity to better define the scope of the inspections of relevant data controllers and processors - 7 working days; Final report of the activities - 1 working day. 


Competencies

Core Competencies

  • Demonstrated commitment to UNDP’s mission, vision and values;
  • Sensitivity and adaptability to cultural, gender, religion, race, nationality and age;
  • Highest standards of integrity, discretion and loyalty.

Functional Competencies

  • Excellent analytical and research skills;
  • Excellent communication skills (spoken, written and presentational);
  • Good interpersonal skills and ability to work in and with teams;
  • Ability to set priorities and manage time effectively.


Required Skills and Experience

Education:

  • Master’s degree in Social Sciences, Business Administration or any relevant field (minimum qualification requirement: 5 points).

Experience: 

  • Strong expertise and at least five years of extensive experience in developing and/or implementing risk assessment methodologies (minimum qualification requirement: 5 years – 10 points; more than 5 years – additional 5 points), preferably in the personal data protection field;
  • At least three years of experience in the field of personal data protection and a good understanding of the risks associated with personal data processing in different sectors (minimum qualification requirement: 3 years – 10 points; more than 3 years – additional 5 points);
  • Established experience in working on the new EU data protection regulations (Regulation EU 2016/679, Directive EU 2016/680) and knowledge of the recent developments in the personal data protection field in Europe (minimum qualification requirement: 10 points);
  • Working as a consultant of a national government and/or international organization will be an asset (5 points).

Language Requirements:

  • Excellent English skills (both written and verbal).

Evaluation:

Individual experts will be evaluated using the cumulative analysis method, against a combination of technical and financial criteria. The maximum obtainable score is 100, of which the total score for technical criteria equals 70 (desk review 50 points and interview 20 points) and for financial criteria 30. Offerors not meeting any of the minimum qualification requirements will be automatically disqualified. Only offerors obtaining a minimum of 35 points in the desk review will be considered qualified offerors and invited for the interview. Offerors passing the 70% threshold of the maximum obtainable interview score, i.e. obtaining a minimum of 14 points, will be shortlisted and requested to provide a financial proposal.

Financial Proposal:

The financial proposal shall specify a total lump sum amount, and payment terms around specific and measurable (qualitative and quantitative) deliverables (i.e. whether payments fall in instalments or upon completion of the entire contract). Payments are made based on delivery. The delivery has to be accepted and approved by the Project team prior to any payment. In order to assist the requesting unit in the comparison of financial proposals, the financial proposal will include a breakdown of this lump sum amount based on deliverables. A maximum of 30 points will be assigned to the lowest price offer. All other price offers will be scored using the formula (inverse proportion): Financial score X = 30 × (the lowest price offer / suggested price offer).


UNDP is committed to achieving workforce diversity in terms of gender, nationality and culture. Individuals from minority groups, indigenous groups and persons with disabilities are equally encouraged to apply. All applications will be treated with the strictest confidence.

UNDP does not tolerate sexual exploitation and abuse, any kind of harassment, including sexual harassment, and discrimination. All selected candidates will, therefore, undergo rigorous reference and background checks.

