Yes. According to Article 28 GDPR – Processor, para 1, “the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation”. These requirements include Data Protection by Design and by Default, as described in Article 25 GDPR – Data protection by design and by default. In addition, any Data Processor is also a Data Controller for its own personal data processing operations, such as payroll, recruitment, reporting, etc. Data protection by design and by default should therefore be embedded in the overall GDPR compliance efforts.
Please also consult these resources: