Many small businesses outsource some or all of their data processing requirements to hosted (including cloud-based) services. You must be satisfied that these 'data processors' will treat your information securely, as your business will remain responsible for ensuring the processing complies with the DPA.
You must choose a provider that gives sufficient guarantees about its security measures. For example, you might review copies of any security assessments and, where appropriate, visit their premises to make sure they have appropriate security arrangements in place.
You must also have a written contract setting out what the provider is allowed to do with the personal data and requiring them to take the same security measures you would have to take to comply with the DPA.
If you use a provider to erase data and dispose of or recycle your ICT equipment, make sure they do it adequately. You will be held responsible if your old equipment is resold and personal data you collected is extracted from it.
* Information security, in ICO Guide to data protection
* Outsourcing, ICO
* IT asset disposal, ICO
* Model contract clauses: International transfers of personal data, ICO
* Model contracts for the transfer of personal data to third countries, European Commission website
* Data controllers and data processors: what the difference is and what the governance implications are, ICO