top of page

GDPR audit service for data processors

Those subcontractors who handle a lot of personal data or continuously manage personal data on behalf of the Data Controller represent one of the biggest risks for the Data Controller.

If you are already aware of which of your subcontractors represent the greatest Data Management risk for your organization, all you have to do is decide what control you will apply to reduce the risks.  

If you are not yet aware of which subcontractors are at the highest risk, we recommend using the Gill & Murry Risk Management - Suplayer solution for this purpose.

One of the possible elements of risk reduction is that, after the on-site investigation, Gill & Murry makes consulting recommendations (regulations) to its subcontractor regarding organizational changes in information security, IT or the data management process in order to ensure that the subcontractor handles your data in an appropriate manner._cc781905-5cde -3194-bb3b-136bad5cf58d_


The proposals cover the use of human resources, the technical requirements of the IT elements, whether USB can be used, who can access the Data Controller's data, what controls must be implemented for this, what physical protection must be applied, who can use the IT devices where the Data Controller's data is stored and managed by the Data Processor. 

The service is compiled and applied based on ISO 27001, COBIT and industry standards. 

You only have to define our proposals to your partners as contractual expectations and you will be safe from GDPR penalties.

To whom do we recommend it? 

To whom

  • subcontractors handle a lot of personal data,

  • their customer traffic is high,

  • there may be a disgruntled employee or a disgruntled customer.

When should it be done?

In the case of subcontractors entrusted with priority data processing, we recommend performing the audit after the contract and the transfer of the data, but before the actual service starts. 

When to repeat 

We recommend an annual review for all subcontractors entrusted with priority data processing, because the natural development of companies results in internal workflow changes that significantly reduce the attention paid to data management in one year and increase the risk of penalties for the Data Controller.

Why Gill & Murry?

Auditing, like most activities, can be learned, and experience greatly improves the quality of the service. We have been auditing ISO operations for years. During the audit, it does not matter which system of expectations must be met and what knowledge the Auditor has. 


Data protection, legal, IT, information security and process organization knowledge is required for auditing GDPR compliance. 


In the case of Data Processors, knowledge of IT and process organization is mostly needed, as the legal obligations of the GDPR in most cases fall on the Data Controller and not the Data Processor. 

During the inspection, the Data Processors must focus on ensuring that they have appropriate information security regulations and technology, as well as a process that enables secure data management and is able to alert the Data Controller within the appropriate time frame in the event of an error. 

bottom of page