Many small businesses outsource some or all of their data processing requirements to hosted (including cloud based) services.
There must be a written contract between you (the controller) and the service provider /processor (or other legal act). These contracts must include certain specific terms, as a minimum, including security standards.
As controller, you are liable for overall compliance with the UK GDPR and for demonstrating that compliance. However processors do have some direct responsibilities and liabilities of their own.
You must be satisfied that any processors you use treat the personal data they process for you securely, in line with the requirements of the UK GDPR.
You must choose a third party provider or processor that gives sufficient guarantees about its security measures. To make sure they have appropriate security arrangements in place, you might, for example, review copies of any security assessments and, where appropriate, visit their premises.
The contract with the processor must include a term requiring the processor either to delete or return (at your choice) all the personal data it has been processing for you. The contract must also ensure it deletes existing copies of the personal data unless EU or member state law require it to be stored.
If you use a third party service provider or processor to erase data and dispose of or recycle your ICT equipment, make sure they do it adequately. You will be held responsible if personal data collected by you is extracted from your old equipment if it is resold.