
Tender

RFP: Consultancy for Data Protection and Data Privacy Audit, Assessment, Mapping & Training Data Protection

Deadline: Tuesday, September 9, 2025

Introduction

The Science for Africa Foundation (SFA Foundation) is a pan-African, non-profit, and public charity organisation that supports, strengthens, and promotes science and innovation in Africa. The SFA Foundation is committed to improving African people's quality of life and promoting research uptake in communities, industry, and the public sector. We serve the African research ecosystem by designing, funding, and managing programmes that support excellent science and innovation; and that build and reinforce environments that are conducive for scientists to thrive and produce quality research that impacts development. SFA Foundation is distinctive in that it focuses on the ecosystem surrounding research and the production of research itself. It also supports initiatives that directly influence the quantity, quality, and impact of research. SFA Foundation operations are hosted within the International Centre of Insect Physiology and Ecology (icipe) as a programme in the Republic of Kenya.

Overview

SFA Foundation is seeking a qualified data audit consultant or firm to streamline and optimise internal processes across various functions, such as Human Capital, Finance, and Procurement. This consultancy will support the organisation’s commitment to efficiency, scalability, and alignment with strategic goals.

DOWNLOAD THE FULL RFP

Objectives of the Assignment

The primary objective of the data protection and data privacy audit is to assess the SFA Foundation’s current data protection practices and ensure compliance with applicable data protection laws. The scope includes:

  1. Evaluating the organisation’s legal status regarding registration as a data controller or processor,
  2. Mapping data flows across departments, and
  3. Reviewing and updating existing policies, guidelines and consent mechanisms.

Additionally, the audit aims to examine the accuracy, completeness, and security of personal data through a comprehensive system review, while also strengthening internal capacity through targeted staff training.

The overall goal is to identify gaps, mitigate risks, and provide clear recommendations for improving data governance and compliance.

Key Deliverables

The consultancy firm will be expected to deliver the following:

  1. Inception report
  2. Audit report highlighting findings and recommendations.
  3. Updated data protection & privacy policies, guidelines, statements, and consent forms.
  4. Staff training materials
  5. Staff training

Proposal Submission Requirements

Consultants are requested to submit a proposal containing:

  • Approach and Methodology: Description of the proposed methodology, project approach, and tools.
  • Detailed work plan: Detailed plan and timeline with deliverables.
  • Team Composition: Names and roles of the project team members, including their qualifications and diversity in past projects. Experience working with diverse organisations, including non-profits, public sector entities, and private corporations.
  • Budget: Detailed budget breakdown, including fees for each phase and any anticipated expenses.
  • References: At least three references from past clients with similar projects.
  • Mandatory/Statutory requirements/Company Profile.
  • A one-page cover letter with contact details.
  • The proposal should not be more than five (5) pages (including the budget).
  • A project plan that demonstrates a clear understanding of the assignment.
  • An executive summary providing an overview of your methodology, project approach, tools and detailed work plan: timeline and deliverables.
  • References of similar clients where similar work was done, i.e. (submit at least three (3) reference letters or recommendations from similar clients).
  • Qualification and experience:
    • Legal Expertise: Established technical legal training and understanding of legal frameworks and legislation governing data protection and privacy in Kenya. Knowledge of the European General Data Protection Regulation (GDPR) will be advantageous.
    • Firm Background: Proven track record in data protection and data privacy audits and assessments. This can be tied to specific team members with a history of providing the services.
    • Experience: At least 7 years of relevant experience as a data protection and data privacy specialist with proven expertise in data process analysis, personal data mapping, document review, design and training.
    • Team composition: A team with diverse expertise, including but not limited to process analysts, legal experts, audit specialists, and trainers.
    • Systems Thinking: The ability to document processes in a way that integrates seamlessly with enterprise-wide automation systems.
    • Skills: Strong analytical, project management, communication, and drafting skills. Proficiency in process and data mapping tools and methodologies.
  • Cost projections:
    • The financial proposal shall clearly indicate the total cost, disaggregated to enable partial payments and/or scaling of services. The prices quoted should be inclusive of all taxes and delivery costs, must be in US Dollars ($) and shall remain valid for 120 days.
    • Cost-effectiveness and value for money based on the proposed budget, with a clear breakdown of fees by project phase.
    • Justification of costs, ensuring alignment with the scope of work and expected deliverables.
    • Competitive pricing that aligns with industry standards for data protection and privacy audit consulting services.

Proposal Submission Process

It should be noted that this document relates to a request for proposal only and not a commitment to enter into a contractual agreement. In addition, SFA Foundation will not be held responsible for any costs associated with the production of a response to this request for proposal. 

  1. The proposal is to be sent by email to: [email protected] on or before 9 September 2025 at 5.00 pm (EAT).
  2. The proposal is to be marked as follows on the subject line:

REQUEST FOR PROPOSAL (RFP) FOR CONSULTANCY SERVICES FOR DATA PROTECTION AND DATA PRIVACY AUDIT, ASSESSMENT, MAPPING & TRAINING RFP/022/2025
