“What responsibilities does a controller have when choosing a processor?”
When personal data is involved in an investigation, or the handling of a claim under delegated authority, GDPR compels insurers, as data controllers, to engage a service provider capable of securing the personal data of all living entities who form part of that investigation or claim.
Information Commissioner’s Guide
You have a responsibility to check that your processor is competent to process the personal data in accordance with all the requirements of the GDPR. Your assessment should take into account the nature of the processing and the risks to the data subjects. This is because Article 28.1 says that you must only use a processor that can provide 'sufficient guarantees' to implement appropriate technical and organisational measures, in order to comply with the GDPR and protect the rights of data subjects.
Robertson & Co are able to prove their competency in these areas by being audited annually by independent, external verifiers for the following certifications: ISO27001 Data Security, HM Government’s Cyber Essentials standard, ISO9001 Quality Management, BS10200, Code of Conduct for the Provision of Investigative Services, BS7858 Staff Vetting.