The Great Offboarding: Why Sweden's notice periods are more than a long goodbye

For years offboarding has been treated as a formality. Return the laptop. Disable the account. Shake hands. Done.

But in many companies, ‘former employee’ doesn’t actually mean former access. Somewhere between the exit interview and the IT ticket that never got closed, someone still has a live login to your CRM. Your cloud storage. Your customer data. Maybe the shared password your team never got around to rotating.

Most businesses assume these loose ends are rare. In fact, they’re everywhere – buried across SaaS apps, shared credentials, forgotten permissions and systems nobody fully owns anymore.

Data theft spikes 720% in the 24 hours before an employee leaves – while 55% of HR leaders say poor offboarding directly leads to negative public reviews on sites like LinkedIn and Jobylon. 

The problem runs even deeper in Sweden, where statutory notice periods of up to six months mean departing employees retain system access long after the decision to leave has been made. By the time the exit interview happens, the window of risk may have been open for an uncomfortably long time.

Despite the stakes, most businesses still manage offboarding through disconnected systems, manual checklists and hope that nothing gets missed. That makes it a gamble every time someone leaves, not a process. 

The problem is that onboarding evolved with modern work. Offboarding didn’t.

The illusion of ‘done’

There's a moment in most offboarding processes that feels like closure. The exit interview is complete. The employee’s last day comes and goes – and then they're gone.

Except they're often not. While the visible parts of offboarding get handled, the invisible parts don't always, especially things like:

• Workspace accounts

• Cloud storage folders

• Social media passwords

• CRM logins

• Dev tools and code repositories

The problem isn’t usually malicious intent or incompetence. It’s that most offboarding processes were built for a completely different era of work. Traditional offboarding was designed for a world where an employee's access lived in two or three programs and IT had full visibility. They’d revoke a badge, close down an email account and move on.

That world is gone. The average business now runs on more than 130 SaaS applications – including company-wide, team-level and the ones on a free trial that somehow turned into critical infrastructure. When an employee leaves, nobody thinks to audit them. Half the time nobody even knows what to audit.

The result is access sprawl, a growing mess of open doors that multiply with every hire and never quite close with every exit. Most of the time former employees aren’t lurking around your systems looking for trouble. But all it takes is one account falling into the wrong hands for the damage to spread across your entire network.

The 6-month risk window

Under Lagen om anställningsskydd (LAS), notice periods typically run from one to six months depending on an employee's length of service. An employee who knows they are leaving has weeks or months, not days, of continued access to sensitive systems.

Consider what that looks like in practice. A client list downloaded quietly on their last week in the office. Pricing data forwarded to a personal email while farewell drinks were still being organised. Detailed meeting notes from a highly confidential project.

These are not hypothetical threats. They form a common pattern in predictable places. Think sales people heading to a competitor who'd love a copy of your ‘at risk of churn’ customer list and prospect pipeline. Engineers with access to codebases and credentials after their departure. Finance staff who know exactly where payroll data, forecasts and acquisition plans are stored. The risk isn't always evenly distributed across your organisation, but your offboarding process probably treats it as if it is. 

The harder truth is that most of this happens because systems allow it to. An employee in their final weeks still has the same access they had on day one. Nobody has thought to narrow it down and nothing has been flagged. And so the window stays open, right up until (and sometimes well past) the moment they walk out the door.

The answer isn't to treat every leaver as a threat, but nothing should be left to chance. When offboarding triggers automatic access reviews that are graded by role, seniority and sensitivity, the window shrinks.

Offboarding and data compliance

Swedish data protection law operates under the EU's GDPR framework, enforced domestically by Integritetsskyddsmyndigheten (IMY). The IMY expects organisations to demonstrate, not simply assert, that former employees can no longer access personal data.

If the IMY investigates following a breach, 'we believe access was removed' will not satisfy the burden of proof. What regulators will expect is a precise, timestamped record of every permission that existed, every system that was accessible and every action taken at the point of departure. That standard of documentation is a legal requirement, not best practice.

But Sweden's compliance picture involves more than GDPR alone. 

Sweden has one of the highest trade union membership rates in the world, with fackförbund playing a significant role in workplace processes. Under the Medbestämmandelagen (MBL), employers are required to negotiate with unions before rolling out significant changes to working practices. Depending on how offboarding systems are classified, introducing automated processes without union consultation could create legal exposure.

This means that for many Swedish organisations, implementing a unified offboarding platform isn't simply an IT decision. It requires structured engagement with union representatives, which takes time and documentation.

Responsibility for offboarding is then further distributed across HR, IT and union stakeholders, with no single function owning the process end to end. The result is familiar: gaps, delays and documentation that wouldn't survive regulatory scrutiny.

The stakes are higher still in regulated sectors. Financial services firms operating under Finansinspektionen oversight, healthcare organisations bound by Patientdatalagen and legal practices handling confidential client matters all face elevated risk when a departure is not handled precisely. A former employee retaining access to client records or patient data — even briefly or inadvertently — can trigger regulatory scrutiny that extends well beyond IT.

The question for Swedish HR and compliance teams is whether their offboarding process is sufficiently precise, documented and defensible to withstand scrutiny, whether that’s from the IMY, an auditor or a union representative that decides to ask difficult questions.

Closing the loops for good

If onboarding is about granting access and permissions, good offboarding is about revoking them safely. Without data loss, without operational disruption and without legal exposure.

The problem is that most organisations are attempting to manage modern offboarding with systems that were never designed to work together. HR holds one view. IT holds another. Union representatives a third. Nobody has the complete picture. And in a country where regulatory expectations are high and union oversight is real, an incomplete picture is a compliance liability.

The organisations getting this right are moving toward unified platforms where a departure triggers every downstream action automatically. Access is removed. Payroll stops. Equipment is flagged for return. A full audit trail is generated, the kind that satisfies an IMY investigation, a Finansinspektionen audit or a union review.

Nothing falls through the gap, because there are no gaps.

That matters operationally. It matters legally. And it matters for the 62% of employees who say they would consider returning to a company that offboarded them well – and the 55% whose poor experience surfaces eventually on LinkedIn or Jobylon.

Every business invests in getting people settled in. Far fewer invest in getting them out safely. And yet it's the exit of an employee, not the arrival, that’s the biggest risk to compliance, network security and company IP.

Your onboarding process has an owner and a way to measure whether it's working. It's time your offboarding did too.