• Mobility: The Do’s and Don’ts of Data Protection in RFPs!


    We live in a digital world and there is no turning back! Our reliance on data is unquestionable and ever more complex. The warp speed evolution of technology means that there are huge risks related to data privacy and security. Most countries have privacy laws that govern how businesses collect, store and use their data. In the field of global mobility, personal data is an integral element in any program management and all service providers must be on the same page with respect to compliance with any relevant legislation worldwide.

    As mentioned above, most countries have privacy laws. Canada’s private sector must comply with the Personal Information and Protection of Electronic Documents Act (PIPEDA) and the Privacy Act governs the personal information handling practices of federal institutions. In the US, it’s more complicated as they do not have one overarching piece of legislation at the federal level but state level and sector-specific legislation to navigate. The European Union, on the other hand, adopted the General Data Protection Regulation (GDPR) which became enforceable in 2018 and is widely viewed as the most robust privacy protection law in the world.

    In this new series, we will address how to achieve the correct balance between the need to collect data and the requirement that it be securely managed by all suppliers involved in the mobility program. This starts with the RFP process.

    Privacy and security departments have become key contributors in the RFP process and must be present at the very early stages. Their role is to oversee all aspects of the process that involve the collection and protection of data and comprises:

    – setting the RFP overall framework for privacy and data security,

    – reflecting the privacy and data security requirements within the scope of work, preparing the key questions to ask bidders,

    – attending presentations of suppliers’ portal demos,

    – scoring bidder responses to security questions and determining their weight in the overall evaluation of proposals,

    – determining the degree of risk associated with each of the bidder’s systems and protocol, and

    – drafting language in agreements.

    Without the expertise and participation of the security team, an organization places itself at great risk of non-compliance with legislation or worse, being embroiled in the legal, financial and reputational fallout resulting from a privacy or security breach.

    More blogs on this subject are being prepared. They will discuss how to obtain the right data security information from bidders and then how it should be scored. Stay tuned!