Cybersecurity

How Websites Use Your Data - And What That Means for Your Business

20 June 2025

Your staff visit dozens of websites every working day. Booking a client meeting, researching a supplier, filling out a form, logging into a portal. Every one of those interactions involves data collection of some kind. Most of it is invisible, and most business owners have no idea how much information is flowing out of their business as a result.

The way websites gather information has become more sophisticated over time. When someone on your team visits a website, that site may record their IP address, their browser type, how long they spent on each page, and what they clicked. If they filled out a form, that information is stored - often on servers you have no visibility over. Some of that data stays with the website. Some of it gets shared with third parties, including advertising platforms, analytics providers, and data brokers. The website's privacy policy will usually explain this, but those documents are rarely read.

For most professional services businesses, the bigger concern is not what happens to your staff's browsing habits. It is what happens when your own website collects data about your clients. If your website has a contact form, a booking tool, or any kind of client login, you are collecting personal information. Under the NZ Privacy Act 2020, you have obligations around how that information is stored, used, and protected. A breach - even an accidental one - can require notification to the Office of the Privacy Commissioner, and the reputational damage in a small professional services market like Canterbury can be significant.

What good looks like is straightforward in principle. Your website should only collect information it genuinely needs. That information should be stored securely and not passed to third parties without a clear reason. Your privacy policy should be honest about what you collect and give clients a way to request their data or ask for it to be deleted. None of this requires a legal team to implement - it requires the right setup and someone keeping an eye on it. If you want a clearer picture of staying across data privacy rules without an IT background, that is a good place to start.

The same applies to the tools your staff use day to day. If your team is sharing documents through personal email accounts, using free file-sharing services, or storing client files on platforms with unclear privacy settings, that data is potentially accessible to parties outside your control. A managed IT environment with clear policies around approved tools and secure file sharing removes most of that risk before it becomes a problem. You can see how ITstuffed approaches this for professional services businesses at itstuffed.co.nz/it-support-professional-services.

The practical step is an honest look at what your business actually collects, where it goes, and whether your current setup reflects your obligations under the Privacy Act. Most businesses have not done this review recently, if ever. It does not need to be complicated - it just needs to happen. A good starting point is understanding where your business data actually ends up on any given day.

If you are not sure where your data gaps are, ITstuffed offers a 15-minute IT Fit Check that can help identify the obvious risks. Book one here.

Back to News