"And yes, formal certifications do demonstrate that a provider has a certain level of process and procedure and has given due consideration to security and data protection."
Just because they can pass an accreditation and audits doesn't mean much in my eyes:
back in the early part of this century I worked for a company based on the south coast that gained both ISO 27001 and ISO 9001 whilst I was working there. The processes for staff to follow were written down/made up about a week before the accreditation, and were never followed after that (each time an audit was due, the paperwork was fudged and lies were given as answers to the auditors' questions, which they believed). The server rack was installed in a non-air-conditioned, ground floor store room with large windows on 2 walls; it was also close to a fairly large town, but far enough away from other buildings that everyone knew it was there but no one could actually see it, meaning anyone breaking in would have had plenty of time to do so (not that it would be needed, as the windows were not even double glazed and led directly out to the car park to make thievery all the easier).
Oh, and the door was never locked (except when the auditors were in), everyone used the admin account for every machine, server and RDP session, and generally I couldn't trust that setup to securely store my mother's recipe for serving corn flakes, let alone the corporate banking and chemical production companies that entrusted their employee data to that shocker of a setup.
The kicker... the reason for not choosing a professional, secure and reliable data center was that the customers wanted to know that their data was held securely and not by a 3rd party... (I face-palmed so hard when I was told this that I think I did some permanent damage)