Personal Services



DEADLINE: 28th March 2023



MTN is a leading telecommunication company offering voice, data communications, and mobile money products and services to individuals and businesses. MTN Rwanda controls and processes large volumes of Personal Information as part of its business operations. The Processing of Personal Information occurs across multiple systems and processes across MTN Rwanda. This exposes MTN Rwanda to Information Security and Privacy risks as well as Compliance risks. It is important that MTN Rwanda Directors, Employees, and Third Parties adopt responsible privacy practices in order to mitigate Privacy and Information Security risks and comply with the applicable Data Protection law Nº 058/2021 of 13/10/2021 relating to the Protection of Personal Data and Privacy.

In order to drive MTN’s Vision and Ambition 2025 strategy, and as an integral aspect of good corporate governance, MTN Rwanda conducts its business in accordance with the letter and spirit of the applicable regulatory requirements, with a culture of protecting the Personal Information for which it is responsible, in the respective jurisdictions in which it carries out its operations.

Therefore, MTN Rwanda is looking for a consultancy to facilitate the operationalization of Data Protection law Nº 058/2021 of 13/10/2021 relating to the Protection of Personal Data and Privacy.


The scope of work for this contract shall include the following areas, targeting minimal viable compliance for the Programme.

Gap Assessment 

  1. Review the Gap assessment on file for any new gaps per Business Area.
  2. Test against standard controls, and agree the RACI between the business and the Project team.

Consent and Notices

  1. Design, sign off and embed all disclosures (long and short forms) in all artefacts and interfaces.
  2. Design, build and implement marketing and any other consent in sales and service processes and systems.
  3. Create Consent Database capability.

Privacy specific processes 

  1. Design and implement specific processes and systems to enforce key privacy controls.
  2. Design and implement Data subject request process, reports, and system requirements. 

Identity & Access Management 

  1. Design and implement joiner, mover, and leaver processes. Utilize existing Access Management tools, or drive an RFP.
  2. Drive the clean-up and attestation process. Ensure BAU embedment and handover.

Privacy office  

  1. Create and review Policies and standards for Privacy, and provide input into other policies and standard privacy controls.
  2. Create and implement an operating model for the Privacy Office.

Privacy Culture 

  1. Drive the behavioral changes required to achieve a Privacy Culture.
  2. Deliver all people change deliverables for each Process/System deliverable in the implementation themes.

Information Security

  1. Align with the Information Security Programme and roadmap, and ensure privacy controls are delivered.
  2. Establish a governance framework and forum representing Information Security and the Privacy Office.

Records Management 

  1. Scope and design a Programme of work that defines how records are created, processed, stored, and destroyed.
  2. Align with existing projects and systems, including DLP and Digitization.

Deliverables will be agreed upon at the time of the contract; however, all the work should be guided by clear timelines of exceeding 20 weeks from the date of signing the contract.

All interested vendors are encouraged to submit their proposals to by 28th March 2023

For further details, please reach out to any of the below points of contact:


Call us on 3111
