Take the simple and common case of a startup storing personal data on an AWS-hosted service. Can you account for who at Amazon has access to that AWS instance, how many physical copies of the data may exist in Amazon's data centers, how you can assure that deleted data is really deleted, and so on?
The company is the controller of the data, and Amazon is the processor.
Here's Amazon's declaration and stance, stating they are GDPR-compliant both as a company (when they are the controller - of their direct customers' data), as well as then they are a processor (infra for use by others who control private data): https://aws.amazon.com/compliance/gdpr-center/
There's generally no need for a controller who relays data to a processor to understand the intricacies of the implementation on the processor's side (is deleted data really deleted ?) - what's more important is the processor's self-declaration for GDPR compliance.
The above is my personal $0.02 as I've been spending quite some time getting into GDPR recently. IANAL
If you're using AWS for your business/startup to store customer information and you don't have good answers for this already, then you aren't doing your due diligence.
To be clear, many businesses may not have good answers right now. Their response should not be "this is too much of a burden" but instead "wow, we really need to find this out ASAP".
