General Data Protection Regulations - May 2018

Hi all,

I am starting to advertise with the aim of taking on new clients (new practice) but am wondering about software solutions given the GDPR rules that come in next year. I would like to use Xero and get clients focussed on that as their solution. However, the Xero servers are hosted outside the EU (in the USA). The Information Commissioner's Office (ICO) recommends that data should be anonymized before uploading to the cloud.

With Xero and other cloud solutions, data is secure when being transferred between my PC and their servers, but once there we have no control over what happens to it. Remember that the Patriot Act in the USA allows the Federal Government and its agencies full access to data stored on servers in the USA and US Territories AND held by US companies. Whilst "Joe Bloggs Decorators" probably has nothing to fear from foreign governments being nosey, I am more concerned that a breach, as we have seen too many times in recent months, could leave my practice open to prosecution.

How does your practice handle this? Do you just include a disclaimer in your letters of engagement along the lines of "your data may be held outside the EU", or something else? Do you use a workable anonymizer system?

This is more likely to be an issue with payroll data, of course, which doesn't affect me at the moment. But you may still be storing supplier and customer details for a client offshore, as well as client details themselves.

I should also say that I currently use Sage 50c for my own accounts, but that could work out as a very expensive option in the long term. The data files are stored on an encrypted external hard drive which automatically wipes itself if the 12-digit PIN is not entered correctly four times in a row.

Thanks for any feedback