MBF Knowledge Base

Responsibilities of Data Controllers and Data Processors

Most IT service providers are both a Data Controller and a Data Processor. For example, a web hosting company controls data about its customers: it stores and controls personal data such as their name, address, phone number and financial information.

Under GDPR, for that side of their business they are fully responsible: they must obtain consent, handle SAR requests and meet all the GDPR requirements. They are also data controllers for the personnel they hire.

They cannot be responsible for the content of the websites they host, other than to keep them secure and take the sites down if they break the terms and conditions. For the content of the websites, they are the processor and the website owner is the data controller.

The first step should be to write down all the types of personal data you handle and determine whether you are a processor or a controller for each. Also record why you handle this data, whether you share it with anyone, whether you use third parties to process it, how long you retain it, and, if you are a controller, whether you obtained consent.
Then you would move on to building policies and procedures around your business to ensure you are GDPR compliant.
