When an employee leaves, most businesses know how to handle the paperwork. Final pay is calculated, the P45 goes out, and the leaving card is organised. What happens to their accounts, devices and access rights is usually less organised, and it is the part that creates the most risk.

The window between a resignation date and a fully closed-out account is where former employees, lost devices and forgotten logins can still reach business data. For SMEs in Bishop’s Stortford and across Hertfordshire, where IT teams are often small or outsourced, employee IT offboarding can stretch out longer than anyone intends. The Information Commissioner’s Office expects employers to “document the leavers’ process and regularly check to confirm compliance” as part of basic data protection accountability. In practice, very few small businesses can show what good looks like.

The checklist below sets out the IT steps worth getting right every time someone leaves.

Remove access to business systems on day one

The single most important step is also the most delayed. Every system the leaver touched needs its access revoked on or before their final day – email, Microsoft 365, cloud platforms, CRMs, shared drives, VPNs, accounting tools and any line-of-business applications. That includes the smaller subscriptions as well as the obvious central accounts: design tools, marketing platforms, and anything where someone signed up using their work email.

ICO guidance on access control puts this in straightforward terms: businesses should keep records to demonstrate they “remove access rights in a timely fashion”. The UK government’s Cyber Security Breaches Survey 2024 shows that half of UK businesses experienced a breach or attack in the previous twelve months, and the most disruptive ones tend to involve credentials being misused rather than systems being broken into. Closing accounts promptly is one of the few entirely free controls a business has.

A useful practice is to disable accounts on the last day rather than deleting them immediately. That gives IT time to forward email, archive files and assign ownership of anything that needs to move on, without leaving access open.

Recover devices and equipment before they walk out the door

Laptops, phones, tablets, monitors, security keys, dongles, chargers and the small mountain of accessories sent out during the hybrid-working era all need to be tracked back in. Without a record of what was issued and to whom, it is difficult to know whether anything is missing until somebody else needs it.

Two things make device recovery less painful. The first is keeping an up-to-date asset register, ideally linked to the standard staff lifecycle process so any new kit is added at the point of issue. The second is having the ability to remotely lock or wipe a device if it is not returned, which is now standard with most modern mobile device management platforms.

This is also the right point to make sure encryption is enabled and verified. A returned laptop with no encryption configured is still a meaningful data risk.

Secure files, shared folders and anything in personal storage

Most leavers will have created or saved files in a mix of locations such as their OneDrive, Teams sites, SharePoint, network shares, sales platforms, or the occasional Dropbox folder. A structured offboarding step should review every shared area the person had access to, transfer ownership of business-critical files, and check that nothing important is sitting somewhere only they could see.

The harder question is what to do about personal storage. If a leaver has used a personal device or a personal cloud account to handle business data, the business needs to know. The ICO’s employment records guidance makes clear that data protection accountability covers all the places business data ends up, not just the ones the employer chose. Asking the question as part of the exit conversation, and following up if anything is found, is part of doing this properly.

Review passwords, shared logins and admin permissions

Shared logins are a fact of life in small businesses. The marketing inbox, the company social media account, and the supplier portal nobody else has set up a profile for. When somebody leaves, every shared password they knew needs to be changed, and any admin rights they held need to be reviewed and reassigned.

Two specific areas to check: saved passwords in browsers, which can quietly preserve access long after an account is closed, and any password manager memberships the leaver had. If those are left in place, the business can find that the leaver still holds the keys to platforms IT thought had been locked down.

Permissions are worth a wider sweep at the same time. The ICO recommends auditing privileged accounts and assigning end dates to access where it is not needed permanently. Someone leaving is a good moment to look across the rest of the team and confirm nobody else is carrying access they no longer need.

Make offboarding a repeatable process

The reason so many small businesses end up with orphaned accounts and unaccounted-for laptops is rarely carelessness. It is that each exit gets handled slightly differently, depending on who is around and how busy the week is. A consistent, written process closes that gap.

A useful baseline is a single checklist that covers accounts, devices, data, passwords and confirmation that each step has been completed and by whom. The checklist should sit with whoever manages the IT function, whether that is an internal lead or an external partner, and trigger automatically when HR confirms a leaver.

The checklist at a glance

When an employee leaves, work through the following:

1. Disable accounts across email, Microsoft 365, cloud platforms, CRMs, shared drives, VPNs and any line-of-business tools they used
2. Recover laptops, phones, tablets, security keys and accessories, and verify encryption on returned devices
3. Review every shared folder and platform they had access to; transfer ownership of business files and ask about any business data held in personal storage
4. Change shared passwords, remove admin rights, and check saved logins in browsers and password managers
5. Document the process so it runs the same way every time, with HR triggering IT and a named owner signing each step off

4TC supports businesses across Bishop’s Stortford and Hertfordshire in setting up structured leaver processes alongside the rest of their IT, so each exit is handled to the same standard without anyone having to remember the steps.

If your business needs a clearer process for removing access, securing devices and protecting company data when staff leave, speak to 4TC about proactive IT support.