Terms of Reference: Data Security Consultant for CIVICUS


Introduction to CIVICUS

CIVICUS exists to defend people power. As a growing global alliance of more than 10,000 members in 175 countries, we work together to monitor violations of basic civic freedoms, call out the perpetrators of violations and strengthen the power of people to organise by supporting a more accountable, effective and innovative civil society. We strive to promote excluded voices, especially from the Global South. Our staff is based in more than 20 countries across 5 continents, with offices in Johannesburg (headquarters), New York and Geneva.


CIVICUS seeks a Data Security Consultant who will support the development and implementation of CIVICUS’ data protection strategy, as well as its compliance with data security regulations, such as the General Data Protection Regulation. The consultancy will run over a 6-month period and the consultant will be responsible for identifying vulnerabilities and working with our IT department to resolve them, ensuring that our network and data remains secure.

Scope and Deliverables:

Service Required


Data management

· Create an inventory of all data processing activities conducted by the organisation.

· Propose an internal security policy in consultation with the CIVICUS Data and Digital Security Group.

· Create a list of cybersecurity measures we have in place, as well as potential gaps.

· Advise on data migrations and data deletions.

· Identify areas of non-compliance with GDPR, POPI and other data security requirements.

· Help to assess damage and determine responses to documented data security breaches.

Capacity development

· Support skills-sharing and training with CIVICUS employees on important data compliance practices.

· Assess department and staff adoption of mandated data policies and practices.

· Support the creation of a programme for onboarding new employees with CIVICUS data and digital security practices and policies.

· Attend bi-weekly data and digital security calls with the CIVICUS Data and Digital Security Group.

Reporting protocols

· Create a protocol for how to report data breaches to data regulatory authorities.

· Create a protocol for how to report a data breach to our members and other contacts for whom we store data.

· Produce a protocol for how to action data requests from our contacts who might want to change or erase their data.

IT operations

· Collaborate with IT cluster to update IT policy as it relates to data security.

· Provide advice on good practice in IT infrastructure management (Microsoft ecosystem, Website Content Management Systems, Content Relationship Management systems, Sage Finance Software)

· Identify potential areas of IT integration and create roadmap for implementation.

· Review the security settings for all IT platforms that process and store personal data and make recommendations on how to enhance security.

· Support implementation of organisational wide password manager

Person Specification

Education, Language & Qualifications

· Law degree or Degree in Computer Science or a technology related field, or equivalent experience

· Hold at least one Data Protection and or Privacy Certification

Essential Knowledge, skills and Experience

· Expert knowledge of data protection law and practices

· Expert knowledge of IT and data management systems (including the configuration of firewalls, network load balancers, network routers and switches and other major components of IT systems

· Experience in developing compliance training

Desirable Knowledge, skills and Experience

· Excellent problem solving and analytical skills

· Ability to educate non-technical staff about security measures

· Effective verbal and written communication skills

· Programming skills in C/C+ and Python

Terms and conditions

The CIVICUS Code of Conduct (CoC) sets out the standards which all staff members must adhere to. The consultant will be expected to adhere to the CoC. Additional terms and conditions of service shall be spelt out in the contract.


Leave a Reply

Your email address will not be published. Required fields are marked *