top of page

GDPR subcontractor risk analysis system for Data Processors

The simplest solution is to get ahead of your customers and check your GDPR and other information security preparedness yourself. As a Data Processor, you have minimal control over the subcontractor's data processing process. Audit your subcontractors and data processors' GDPR preparedness and avoid penalties arising from subcontractor errors!


Most Data Controllers currently only control their subcontractor data processing obligations with the help of a legal contract, which all subcontractors (Data Processors) signed without question due to the dependency relationship in order to keep the orders. Regardless of the legal contract, the official fine will be imposed on the Data Controller even in the event of a mistake by its subcontractor. Unfortunately, incidents cannot be avoided by signing legal contracts, the introduction of appropriate information security control (regulatory and technical) is necessary to avoid them. 

We help you determine which Data Processor poses the greatest risk to YOUR organization. 

Based on the declaration of the contractor performing the test, the risk management system determines, on the basis of the implemented organizational and technical measures, the extent to which the Data Controller is exposed to a possible GDPR penalty due to mistakes made by its subcontractors. It proposes an action plan to deal with each of the identified problems. The GDPR regulation requires a regular review, but also due to the countless changes in the law and the changes resulting from the natural development of the organization - it is advisable to regularly repeat and update the check every year.

Képernyőfotó 2022-07-19 - 12.25_edited.png

Secure Data Processor

GDPR certificate

Operation of the device

  • 100+ questions that the system asks based on their logical connections based on previous answers.

  • The Data Processor must answer several questions from different areas. Areas include GDPR documentation requirements, data backup, virus protection, human resource management, physical and logical data protection, the level of security solutions implemented, incident management, documentation, information security regulations, etc.

  • Based on the answers, the G&M Tools GDPR Risk Management System™ system determines the customer-side risk of your organization.  

Who do we recommend?
  • For SMEs who manage the data of large companies.

  • For service providers, event organizers, IT operators and developers, call centers, HR service providers who manage their customers' data.

Risk assessment

We created 4 categories: 

  • Acceptable risk Subcontractor

  • Low risk Subcontractor

  • High risk Subcontractor

  • High-risk Subcontractor


There are outstanding areas where even if you answer no to one question, the risk is particularly high, or an inadequate answer to several questions is associated with a particularly high risk.

Use of additional subcontractors

If your organization also employs subcontractors for the services you provide to your customers, i.e. not everyone is an employee of the company. - You are responsible for the subcontractors. – In this case, your company is responsible for subcontractors' data management. You should also expect all your subcontractors to have a Secure GDPR Data Processing Certificate. 

Regularity - risks of data processors

Within the framework of the license, you can perform an unlimited number of new risk analyses. We recommend an annual review both in the case of your own data management and in the case of a subcontractor entrusted with data processing. The analysis tool is regularly updated by Gill & Murry, so you can perform an up-to-date GDPR check on your subcontractors.

Results - Prices

  • Your organization learns what GDPR and penalty risk it poses to its customers based on its data management obligations.

  • Which data management and information security areas should your organization review and apply or introduce stronger security measures. 

  • It increases the confidence of customers.

  • It brings data processing activities under control.


  • GDPR RISK Management System™ - Data Processor module 1 license: €100 / year 

*Invoicing is done in Hungarian forints.

bottom of page