
What Your Practice Actually Needs to Know About Data Protection in the Cloud

Your team is working across Microsoft 365 - emails, shared documents, client files stored online. Most of it runs smoothly. But at some point, someone in your practice will ask: what happens to all this data? Who can see it? And if something goes wrong, are we covered?

These are not paranoid questions. They are the right questions, especially for practices handling sensitive client information. Under the NZ Privacy Act 2020, you have real obligations around how personal information is collected, stored, and protected. A breach - even an accidental one - can trigger a mandatory notification to the Office of the Privacy Commissioner and create serious reputational damage. The cloud makes a lot of things easier, but it does not automatically make your data safe or compliant.

The risk is not usually a dramatic external attack. More often it is something quieter: a staff member sharing a file with the wrong person, sensitive documents sitting in a folder with no access controls, or a former employee whose account was never properly closed. These are insider risks, and they are more common than most practice managers realise. Understanding how files should be stored and shared securely is a practical starting point for any practice looking to close these gaps.

What good looks like is a practice where data access is controlled by role - people can see what they need to do their job, and nothing more. Where sensitive files are tracked and flagged if they start moving in unusual ways. Where leaving staff are properly offboarded so their access ends the same day they do. Microsoft 365 has tools built in to help with all of this, but they need to be configured correctly. Out of the box, they are not set up for a healthcare or legal environment. They are set up for everyone, which means they are set up for no one in particular.

When these tools are configured properly for your practice, compliance becomes part of the background rather than a recurring source of stress. Your data stays where it should be. Your team works without friction. And if you ever need to demonstrate to a client, an insurer, or a regulator that you take data protection seriously, you have something to point to. It is also worth knowing how to stay across data privacy rules without needing to become an expert yourself.

Getting there does not require your practice manager to become an IT expert. It requires an engineer who understands both the Microsoft 365 environment and the compliance pressures facing professional services businesses in New Zealand. If your current IT support for professional services has not had a conversation with you about data governance or insider risk controls, that is worth noting. Most practices we speak with have never had that conversation with anyone.

ITstuffed works with professional services businesses across Canterbury on exactly this kind of setup. If you want a clear picture of where your practice stands, a 15-minute IT Fit Check at /booking is a good place to start.
