
GDPR subcontractor risk analysis system for Data Controllers

The product is recommended for data controllers. 

G&M Tools' GDPR Risk Management System™ determines, from the data controller's point of view, which GDPR risk each of its subcontractors/data processors poses, based on the statements received.


The Data Processors participate in a GDPR "audit", in which they attest in a statement to the veracity of the information provided during the risk analysis about their data management processes and the technical and regulatory protection measures implemented in their IT system.


Most Data Controllers currently control their subcontractors' data processing obligations only through a legal contract, which all subcontractors (Data Processors) signed without question because of the dependency relationship, in order to keep the orders. Regardless of the legal contract, the official fine will be imposed on the Data Controller even in the event of a mistake by its subcontractor. Unfortunately, incidents cannot be avoided by signing legal contracts; appropriate information security controls (regulatory and technical) must be introduced to avoid them.

We help you determine which Data Processor poses the greatest risk to YOUR organization. 

Based on the declaration of the contractor performing the test, the risk management system determines, on the basis of the implemented organizational and technical measures, the extent to which the Data Controller is exposed to a possible GDPR penalty due to mistakes made by its subcontractors. It proposes an action plan to deal with each of the identified problems. The GDPR requires a regular review; in addition, because of the numerous changes in the law and the changes resulting from the natural development of the organization, it is advisable to repeat and update the check every year.

Operation of the tool

  • 100+ questions, which the system asks according to their logical connections and the previous answers.

  • The Data Processor must answer several questions from different areas. Areas include GDPR documentation requirements, data backup, virus protection, human resource management, physical and logical data protection, the level of security solutions introduced, incident management, documentation, information security regulations, etc.

  • Based on the answers, the G&M Tools GDPR Risk Management System™ determines the GDPR risk posed by each Data Processor.

Who do we recommend it for?

Organizations that:

  • release the data of their customers to their service partners

  • give a guest list to an event organizer

  • have a contract with an IT operator or development partner

  • use an external newsletter provider

  • have assigned a call center or external customer service to support their customers

  • use an external service provider for recruitment

  • etc.

Risk assessment

We created 4 categories: 

  • Acceptable risk Subcontractor

  • Low risk Subcontractor

  • High risk Subcontractor

  • Particularly high risk Subcontractor

There are critical areas where answering no to even one question means the risk is particularly high, or where inadequate answers to several questions are associated with a particularly high risk.

New subcontractor selection

We recommend performing a risk analysis with all subcontractors to be entrusted with data processing before concluding the commission contract. 

For all Data Controllers, we recommend not concluding contracts with high or particularly high-risk subcontractors, or doing so only with restrictions.

Risks of current data processors

We recommend an annual review for all subcontractors entrusted with data processing. The analysis tool is regularly updated by Gill & Murry, so you can perform an up-to-date GDPR check on your subcontractors.

Results - Prices

  • The Data Controller learns which GDPR and penalty risk each of its Data Processors poses to it.

  • It shows in which areas individual Data Processors should be controlled, or where stronger protection and technical requirements should be imposed on them.

  • It can reduce your exposure to GDPR penalties.

  • It brings data processing activities under control.

  • Up to 10 Data Processors: €7.90 / month / data processor*

  • 11-50 Data Processors: €7.40 / month / data processor*

  • 51-250 Data Processors: €6.90 / month / data processor*

  • 251+ Data Processors: €6.40 / month / data processor*

Each tier includes an evaluation workshop every quarter.

*in case of annual billing