The Great Offboarding: The UK gap putting you at risk

For years offboarding has been treated as a tick-box exercise. Return the laptop. Disable Slack. Shake hands. Sorted.

But in many companies, ‘former employee’ doesn’t actually mean former access. Somewhere between the exit interview and the IT ticket that never got closed, someone still has a live login to your CRM. Your cloud storage. Your customer data. Maybe the shared password your team never got around to rotating.

Most businesses assume these loose ends are rare. In fact, they’re everywhere – buried across SaaS apps, shared credentials, forgotten permissions and systems nobody fully owns anymore.

Ask yourself this: how many former employees still have access to at least one company system right now? If answering that question requires a spreadsheet or an educated guess, the number is already too high.

The stats make for uncomfortable reading. Data theft spikes 720% in the 24 hours before an employee leaves – while 55% of HR leaders say poor offboarding directly leads to negative public reviews on sites like Glassdoor. 

Despite the stakes, most businesses still manage offboarding through disconnected systems, manual checklists and hope that nothing gets missed. That makes it a gamble every time an employee leaves, not a process.

The problem is that onboarding evolved with modern work. Offboarding didn’t.

The illusion of ‘done’

There's a moment in most offboarding processes that feels like closure. The exit interview is complete. The leaver's last day comes and goes, there are drinks, maybe a card – and then they're gone.

Except they're often not. While the visible parts of offboarding get handled, the invisible parts don't always, especially things like:

• Workspace accounts

• Cloud storage folders

• Social media passwords

• CRM logins

• Dev tools and code repositories

The problem isn’t usually malicious intent or incompetence. It’s that most offboarding processes were built for a completely different era of work. Traditional offboarding was designed for a world where an employee's access lived in two or three programs and IT had full visibility. They’d revoke a badge, close down an email account and call it a day. 

That world is gone. The average UK business now runs on more than 130 SaaS applications – including company-wide, team-level and the ones on a free trial that somehow turned into critical infrastructure. When an employee leaves, nobody thinks to check. Half the time nobody even knows what to check.

The result is access sprawl, a growing mess of open doors that pile up with every hire and never quite close with every exit. Most of the time former employees aren’t lurking around your systems looking for trouble. But all it takes is one account falling into the wrong hands for the damage to spread across your entire network.

The 24-hour compliance window

Data theft spikes 720% in the 24 hours before an employee leaves. Not after - before. That means by the time the exit interview is happening, the moment of most risk may have already been missed. 

Consider what that looks like in practice. A client list downloaded quietly on their last Friday in the office. Pricing data forwarded to a personal email while the leaving card was still doing the rounds. Detailed meeting notes from a highly confidential project.

These aren’t hypothetical threats. They form a common pattern in predictable places. Think sales people heading to a competitor who'd love a copy of your ‘at risk of churn’ customer list and prospect pipeline. Engineers with access to codebases and credentials after their departure. Finance staff who know exactly where payroll data, forecasts and acquisition plans are stored. The risk isn't always evenly distributed across your organisation, but your offboarding process probably treats it as if it is. 

The harder truth is that most of this happens because systems allow it to. An employee in their final week still has the same access they had on day one. Nobody has thought to narrow it down and nothing has been flagged. And so the window stays open, right up until (and sometimes well past) the moment they walk out the door.

The answer isn't to treat every leaver as a threat, but nothing should be left to chance. When offboarding triggers automatic access reviews that are graded by role, seniority and sensitivity, the window shrinks.

Exposure for UK employers

Under UK GDPR, businesses need to be able to prove their former employees are no longer able to access their systems. If regulators investigate after a breach then ‘we think their login was removed’ is not a defence that stands up.

The ICO has made clear that accountability means more than having the right policies on paper. In the event of a dispute – whether that's a regulator investigation or a former employee challenging how their data was handled – businesses will be expected to produce a clear audit trail showing exactly who had open permissions, what happened to that data and when.

Most companies struggle with that, normally because their data is fragmented across too many systems for anyone to have the full picture. Many UK businesses also rely on outsourced IT and payroll providers, which means responsibility for offboarding gets split across multiple vendors and nobody has full ownership of the process.

The stakes are even higher in heavily regulated UK sectors like finance and healthcare. For firms operating under FCA rules, NHS data standards or legal confidentiality obligations, poor offboarding creates exposure far beyond IT. A former employee retaining access to financial records or patient data can quickly turn into a costly legal battle.

Hybrid work has only made the risks harder to contain. When everyone worked from the same building, IT had line of sight. Devices were on the same network and access points were finite. 

Now devices are scattered across home offices, co-working spaces and kitchen tables. Customer contacts live in personal phones. Company files end up synced to private cloud storage. Slack messages sit alongside personal apps on unmanaged devices. Access points have multiplied and the average IT team ends up managing systems they didn't procure and, sometimes, don’t even know exist. 

Closing the loops for good

If onboarding is about granting access and permissions, good offboarding is about revoking them safely without losing data or causing disruption. And without a fully connected system that houses all of your data in one place, you're fighting an uphill battle. 

The problem is that most companies are trying to manage modern offboarding with systems that were never designed to work together. HR has one view. IT has another. Payroll has a third. Nobody sees the whole picture.

That’s why the companies getting this right are moving toward unified systems where a departure triggers every downstream action automatically. Nothing falls through the gap… because there are no gaps.

That matters operationally, legally and it matters for the 62% of employees who say they'd consider returning to a company that offboarded them well – not to mention the 55% whose poor experience eventually surfaces on Glassdoor.

Every business invests in getting people settled in. Far fewer invest in getting them out safely. And yet it's the exit of an employee, not the arrival, that’s the biggest risk to compliance, network security and company IP.

Your onboarding process has an owner and a way to measure whether it's working. It's time your offboarding did too.