You will already have contracts (verbal or written) with any data processors you use. These need to be strengthened to reflect the responsibilities that GDPR legislation places on you and on them. To this end a written contract is necessary to make responsibilities and liabilities clear.
It is your responsibility to comply with GDPR and to show that you do – this may involve being clear about what your processors must do, but it remains your responsibility to ensure that they do it. Without such controls you open yourself up to prosecution.
Thus the processors you appoint must provide sufficient guarantees that they will meet the GDPR requirements and that the data rights of individuals will be protected – the full meaning of this requirement is still being developed.
Processors must operate only on the basis of your documented instructions (not verbal instructions). While they have direct obligations and responsibilities under GDPR, your concern is how they comply with those aspects that you are responsible for.
The controls required will depend on circumstances, but the Information Audits and Data Processing Impact Assessments are both key tools to identify the risks involved and the consequent mitigation and best practices to put in place.
It is expected that future codes of conduct or certification schemes may be created by which processors can prove their adherence to the GDPR obligations on your behalf.
It is also expected that the European Commission or the ICO may provide appropriate contractual clauses in the future, which may form part of such a code or scheme.