How to write an effective RFP for a Consent Management Platform
Posted: July 3, 2024
Many organizations are facing the happy problem of having successfully built the business need to license a consent management platform and obtain the necessary budget, but now must write the Request For Proposal (RFP) and select the right vendor.
Good RFPs are hard to write, and RFPs for a consent management platform seem especially daunting due to their inherently technical nature and the cross-functional dependencies involved.
However, an organized process and liberal use of the many fabulous resources available to help can ease the RFP process and lead to the best possible outcome – a productive relationship with the right vendor and the best solution that meets the organization’s needs at a reasonable cost.
It is useful to keep an RFP’s end goal top of mind from the beginning of the RFP-creation process.
An RFP provides vendors with all the information they need to propose a solution (with pricing) that meets the organization’s needs.
Secondarily, but equally important, a strong RFP provides the requesting organization with a fair set of criteria and systematic process for evaluating vendor proposals.
A well-written RFP takes some internal research with the right stakeholders, which is time well spent. This internal research helps ensure that the requesting organization deeply understands what success looks like for all its stakeholder groups. It also identifies any constraints that will impact the ‘what’ and ‘how’ of implementation – including the technical and cultural environment in which the system will operate, and, of course, the legal and operational requirements that the platform must meet.
So, starting with the end goal in mind, here are a few tips for writing an effective RFP for a Consent Management Platform.
- Identify process and deadlines
- Identify stakeholders and RACI
- Identify requirements (and nice-to-haves)
- Describe rules, criteria, and scoring
- Select format/template and write RFP
- Review, revise, approve
Identify process and deadlines
Defining the RFP writing and review/selection process in advance helps an organization ensure that it can meet any deadlines and that enough time is written into the process. Even a simple flow chart that describes high-level steps, such as the steps above, with deadlines will be helpful. Remember that there is a multiplier effect on timing whenever numerous stakeholder groups are involved, as is likely with consent management platform selection.
Identify stakeholders and RACI
A consent management system must please a wide range of stakeholders and meet a wide range of requirements.
This means that a wide range of stakeholders will have parts of the information needed to develop a robust RFP. Stakeholder groups may include people who will use the system, be impacted by the system, deeply understand the technical requirements, deeply understand the legal requirements, are responsible for the risk the consent management system is intended to mitigate, are involved in the procurement and third-party management process, or are responsible for the budget.
This often means that Privacy, Legal, Marketing, Training/Communications, Sales, Web/App Development, Security, IT, relevant system owners, and Purchasing organizations are critical to the RFP development process.
Of course, the more stakeholders involved in the process, the more important it can be to clearly articulate who has what type of input. Who gets to make which decisions? Who provides what types of input? Who else needs to be informed?
In other words, a RACI that describes who is Responsible, Accountable, Contributes, and Informed in the RFP process can be immensely helpful. There are also quite a lot of good stakeholder management tips that can assist in managing multiple stakeholders with slightly different priorities.
When developing the RACI, it may be useful to consider which group should ‘own’ the consent management platform on an on-going basis. Though different organizations align ownership in diverse ways, many find it most practical to assign ownership to the group that is responsible for operationalizing requirements.
Though consent management may be an obligation coming from the privacy regulatory space, often Sales/Marketing is the function responsible for operationalizing consent requirements and so accepts ownership of the consent management platform.
Identify requirements (and nice-to-haves)
Once you have identified the stakeholders, the next step is to gather from stakeholders all must-haves and nice-to-haves. Though this step can be complicated and time-consuming, some organizations find success by first starting with a clear, concise description of the end goal.
Then, with that description in hand, the team reaches out to each stakeholder group to get input into what, from their perspective, will be either necessary or nice to have.
Often Legal and IT/IS and system owners contribute the first requirements, and then the requirements-gathering process can spiral out to other groups.
Procurement, IT/IS, and other relevant policies may also give valuable input into requirements. For example, if there is an IT/IS policy that requires all vendors to produce a certain security certificate, this information should go into the RFP as a requirement.
Specifically for consent management, some categories of requirements that an organization should consider include:
- Security: Reports, data breach responsibilities, encryption and other practices, availability, certifications.
- Integrations: Internal and external systems that require integration with the platform and their integration requirements.
- Reporting: What types of real-time or regular reports are needed to verify the process is working and track efficiency, effectiveness, and compliance.
- Privacy: Data protection agreements, cooperation in building Data Protection Impact Assessments, confidentiality, transborder data flow/data hosting.
- Scope: Local, regional, or global considerations, such as language(s), ability to implement multiple consent regimes.
- Formats: Ability to handle consent across various media – apps, websites, online forms, manual entry, etc.
- Training: How much and what type of training will your stakeholder groups need, for how long, and in what languages.
- Support: How much of the integration, implementation and onboarding work will fall to the vendor to do versus internal teams’ responsibility, what kind of support will the organization receive after implementation (SLA, troubleshooting, onboarding of new users) and in what time zones/languages.
Describe rules, criteria, and scoring
Not all RFP processes require a complicated numbering and ranking system for vendor submission evaluation. However, consent management platform RFPs can involve enough different stakeholders and requirements that it can be effective to establish a scoring system for criteria.
Regardless, at a minimum an organization will find it useful to document in advance the rules it will use for selection. For example, it may decide to eliminate any vendors that cannot accommodate all firm requirements and use a scoring system to help select based on nice-to-have items.
Select format/template and write RFP
The good news is that there are many resources available to help write RFPs and, specifically, the RFP questions that drive the selection process. In fact, these resources can help the team identify questions they want to include but missed in the requirements-gathering phase.
Regardless, good RFP questions will provide information needed to learn which vendors can meet which requirements and nice-to-haves and make scoring and selection easier. Clear RFP descriptions of the end goal, limitations and constraints of the organization’s environment, and expectations for the vendor will help the vendor answer fully and honestly.
Review, revise, approve
According to the RACI designed in the first steps, a good multi-stakeholder RFP will need both content and cosmetic/grammar reviews. Vendors are less likely to submit careful and considered proposals in response to unprofessional-looking RFPs, or RFPs that are difficult to understand or do not have the appropriate level of detail.
Specifically for consent management platform RFPs, it may be useful to get stakeholder feedback and revisions, and then ask a smaller team (often Marketing, IT/IS, Privacy, and Legal) to holistically consider the document, catch inconsistencies, and evaluate completeness.
It is also important to note that vendors may have additional questions that the requesting organization can learn from, answer, and send to all other vendors. This feedback loop can help address any essential information that the RFP team missed.