Ministry of Justice (MoJ)

GDPR Compliance Assessment - Analyst Team

Incomplete applications

Incomplete applications
8 SME, 6 large

Completed applications

Completed applications
16 SME, 14 large
Important dates
Opportunity attribute name Opportunity attribute value
Published Thursday 8 February 2018
Deadline for asking questions Thursday 15 February 2018 at 11:59pm GMT
Closing date for applications Thursday 22 February 2018 at 11:59pm GMT


Opportunity attribute name Opportunity attribute value
Summary of the work The MoJ Digital and Technology team require a task force to assess the entire MoJ IT estate for GDPR compliance. The project will require a team of 3 analysts full time for a period of 17 weeks with the possibility of being extended by a further 3 weeks.
Latest start date Monday 2 April 2018
Expected contract length Estimated at approx 20 weeks maximum
Location London
Organisation the work is for Ministry of Justice (MoJ)
Budget range Maximum £200,000

About the work

About the work
Opportunity attribute name Opportunity attribute value
Why the work is being done The new Data Protection Bill, which includes GDPR, provides greater visibility and access to people who have their data stored and used by an organisation. The new laws ensure that the data is not only protected to the best of the organisations’ capabilities but that it is only used for the initial purposes for which it had been collected. GDPR will be enforced from the 25th May 2018. This specific analysis is being undertaken to assist ongoing assessments of the MoJ's GDPR compliance status for IT systems.
Problem to be solved The MoJ seek to understand the scale of GDPR non-compliance across the organisation, gather information to begin remediation efforts and fill the knowledge gap that currently exists.
Who the users are and what they need to do As a technology owner/information asset owner, I need to understand the level of compliance of IT with the new data protection laws, so that I can make appropriate investment and ensure the IT is compliant.
Early market engagement No
Any work that’s already been done Yes - We have undertaken a pilot assessment of 5 systems,
● Tariff System [CICA]
Existing team The team currently consists of 2 people, a Civil Servant and a Contractor. Working closely with a central GDPR team.
Current phase Discovery

Work setup

Work setup
Opportunity attribute name Opportunity attribute value
Address where the work will take place Ministry of Justice, 102 Petty France, London, SW1H 9AJ
Working arrangements Working onsite for a minimum of 3 days a week for team meetings, catch ups and meetings with system owners.
Security clearance BPSS as a minimum

Additional information

Additional information
Opportunity attribute name Opportunity attribute value
Additional terms and conditions Standard Contract Terms

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Skills and experience
Opportunity attribute name Opportunity attribute value
Essential skills and experience
  • Research and gather information from a range of sources.
  • Communicate and engage with stakeholders at all levels.
  • Utilise organisational skills to manage multiple work-streams.
  • Time efficient and able to deliver on time sensitive tasks.
  • Adaptable, responsive and able to work without close supervision.
  • Ability to follow approved methodology.
  • Pro-active in information gathering.
Nice-to-have skills and experience
  • Build relationships quickly with a range of stakeholders.
  • Interpret and analyse findings and identify data gap.
  • Understand requirements quickly.
  • Comfortable working in a team and as an individual.
  • Use a range of techniques to analyse situations, and quickly gain actionable insights into how to resolve problems.
  • Knowledge of GDPR.
  • Knowledge and experience of the MoJ.

How suppliers will be evaluated

How suppliers will be evaluated
Opportunity attribute name Opportunity attribute value
How many suppliers to evaluate 8
Proposal criteria
  • Value for money.
  • Estimated timeframes for the work.
  • How they’ve identified risks and dependencies and offered approaches to manage them.
  • Team structure.
  • Skills and experience of team members.
Cultural fit criteria
  • Work as a team with our organisation and other suppliers.
  • Be transparent and collaborative when making decisions.
  • Have a no-blame culture and encourage people to learn from their mistakes.
  • Take responsibility for their work.
  • Learn quickly and synthesize information effectively.
  • Share knowledge and experience with other team members.
  • Follow approved methodology and suggest improvements.
  • Can work with clients with low technical expertise or knowledge of GDPR.
  • Comfortable working with a range of stakeholders .
Payment approach Time and materials
Assessment methods
  • Written proposal
  • Case study
  • Work history
  • Reference
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. Is the quoted budget to cover just the initial 17 weeks or the whole 20 weeks? The quoted budget is the maximum amount available whether it is completed in 17 weeks or 20 weeks. Please note that this includes internal resource costs as well as external resource costs.
2. This task covers an assessment of GDPR compliance yet knowledge of GDPR is only a "Nice to Have" skill or experience. Can the Authority clarify why knowledge of GDPR isn't essential? Training will be provided to ensure knowledge of GDPR and the methodology to be used in the assessment is standardised across the project team. It would be beneficial to already have this knowledge.
3. Can the engagement start on Tuesday the 3rd April, due to the 2nd April being a Public Holiday? Yes. This is the latest we plan to begin.
4. Can you confirm the budget is inclusive or exclusive of VAT? Exclusive of VAT.
5. Can you clarify the provision for T&S? We do not understand this question. Please expand further.
6. Can the Authority please confirm, whether they require 3 analysts in addition to the existing team of 2 people (5 total). Or, whether they require 3 Analysts in total (2 existing, plus 1 applicant)? The 3 analysts are in addition to the existing MoJ team of 2.
7. Can the Authority please confirm whether the budget of £200k is applicable to the existing team and applicants, or applicants only? The 200k is for to the existing team and applicants. (Total project budget).
8. Can you clarify the previous answer. Does the £200,000 budget include the cost of the existing civil servant and contractor? If so what is the budget available for the 3 new analysts to be supplied? The £200,000 budget includes the cost of the existing civil servant and contractor. The budget available for the 3 new analysts to be supplied is £150k.
9. Noting the answer to the previous clarification question that the £200k budget includes internal staff, could you please confirm what the budget is for the 3 external resources you expect to be deployed for this work? The Budget for the 3 external resources we expect to be deployed for this work is £150k.
10. Is the £150K budget inclusive of any travel expenses? Yes.
11. Is MOJ currently using specific methods or tools to support the assessment? If so, could you provide information on the tools being used? Yes. An approved methodology will be used that involves a series of question sets. This will be outlined in more detail at the kick-off meeting with the successful supplier.
12. Can suppliers propose specific tools and/ or methods to carry out the assessments? Suggestions are welcome, but an approved methodology will likely be utilised.
13. Is the provision of 3 full time analysts for 17 weeks mandatory, or can suppliers propose a different team composition and duration? We would like suppliers to respond based on the resource profile we have advertised but you can also offer an alternative profile.
14. How many systems does MOJ plan to assess as part of this project? This will need to be agreed at the kick off meeting with the successful supplier.
15. Your specification states that the budget of £200k includes internal resource costs. Can you please provide more information on what internal resource costs cover and the approximate internal resource cost? We note that the internal team includes 2 people, a civil servant and a contractor. The external costs have a budget of £150k and covers for 3 Analysts. The internal resource will be working alongside the external resource, coordinating the work and conducting additional analysis.
16. You state that 8 suppliers will be evaluated. Please can you confirm whether there will be a shortlisting of applicants - and if there will, can you please confirm when applicants will be told whether they are on the shortlist, when the written proposal will be due, and when a final choice of supplier is expected to be made? Yes - There will be a shortlisting of applicants followed by a proposal stage. The applicants will be notified within 2 weeks of the closing date. We are aiming to issue the proposal in early March with an award anticipated at the end of March.
17. With the use of a suitable GDPR review tool it may be possible to achieve a better (more thorough, in-depth) outcome with less people-power input. So, how wedded are you to the resource estimates you have stated? I.e. if we propose an approach which involves the use of a tool that has been developed to accelerate and improve the quality and impact of GDPR reviews but propose the use of less people-power than your estimates or than other bidders, will we suffer a reduced score per se? This is a recommended resource request based on the methodology we have developed and analysis undertaken internally. If an alternative proposal is made that produces greater value at a reduced cost and time-frame we would be open to reviewing it but you must also respond with an option for the resourcing profile we have outlined.
18. The £150k budget is for 3 external consultants. Is this for 17weeks or 20weeks? The budget is fixed at £150k whether it takes 17 weeks or 20 weeks. Therefore, we envisage that the total external resource costs would be lower if it is completed in 17 weeks than if it takes 20 weeks. We would suggest that you include some contingency in the budget. In this case we have estimated 3 weeks.
19. Can you confirm that you require the Analysts for the 5 days a week but only 3 days need to be onsite or do you just need them for 3 days only? We can confirm that we require the analysts 5 days a week but will only need to be on-site 3 days a week. This will need to be flexible dependent on meetings and project commitments.
20. Please would you clarify who many systems there are in total. This is still being assessed and established due to other compliance efforts underway within the MoJ and will be confirmed to the successful supplier at the kick-off meeting.
21. Could you please confirm the engagement is under the G-Cloud framework agreement? No - As advertised, this is under the DOS Framework Agreement for 'Outcomes'
22. Would you be willing to accept a joint bid? Yes, as long as:
- one of the supplier's acts as the prime and specifies this in the bid.
- Both suppliers are on the DOS 'Outcomes' Framework Agreement.
23. In the bid, you talk about, 'filling the knowledge gap that currently exists at the MoJ'. Can you please clarify what the requirement is here? The requirement is to understand the level of compliance of IT systems across the MoJ.