The Great Offboarding: The Dutch compliance gaps hiding in plain sight

For years offboarding has been treated as a formality. Return the laptop. Disable the account. Shake hands. Done.

But in many companies, ‘former employee’ doesn’t actually mean former access. Somewhere between the exit interview and the IT ticket that never got closed, someone still has a live login to your CRM. Your cloud storage. Your customer data. Maybe the shared password your team never got around to rotating.

Most businesses assume these loose ends are rare. In fact, they’re everywhere – buried across SaaS apps, shared credentials, forgotten permissions and systems nobody fully owns anymore.

Data theft spikes 720% in the 24 hours before an employee leaves – while 55% of HR leaders say poor offboarding directly leads to negative public reviews on sites like Glassdoor and Indeed. 

In the Netherlands, the problem goes further still. The country has one of Europe's highest rates of part-time and hybrid working, which means employees routinely work across personal devices, home networks and shared tools that IT never fully provisioned or controlled. When someone leaves, the access points they leave behind are harder to map than in most other markets.

Despite the stakes, most businesses still manage offboarding through disconnected systems, manual checklists and hope that nothing gets missed. That makes it a gamble every time someone leaves, not a process. 

The problem is that onboarding evolved with modern work. Offboarding didn’t.

The illusion of ‘done’

There's a moment in most offboarding processes that feels like closure. The exit interview is complete. The employee’s last day comes and goes – and then they're gone.

Except they're often not. While the visible parts of offboarding get handled, the invisible parts don't always, especially things like:

  • Workspace accounts
  • Cloud storage folders
  • Social media passwords
  • CRM logins
  • Dev tools and code repositories

The problem isn’t usually malicious intent or incompetence. It’s that most offboarding processes were built for a completely different era of work. Traditional offboarding was designed for a world where an employee's access lived in two or three programs and IT had full visibility. They’d revoke a badge, close down an email account and move on.

That world is gone. The average business now runs on more than 130 SaaS applications – including company-wide, team-level and the ones on a free trial that somehow turned into critical infrastructure. When an employee leaves, nobody thinks to audit them. Half the time nobody even knows what to audit.

The problem is compounded in the Netherlands by the high proportion of ZZP workers and independent contractors who work alongside permanent staff. Many Dutch businesses blur the lines between employees and contractors when it comes to system access, which means offboarding processes that were already stretched for permanent staff rarely extend to contractors at all.

The result is access sprawl, a growing mess of open doors that multiply with every hire and never quite close with every exit. Most of the time former employees aren’t lurking around your systems looking for trouble. But all it takes is one account falling into the wrong hands for the damage to spread across your entire network.

The 3-month risk window

Under Dutch employment law, notice periods typically run from one to three months depending on length of service. That’s more than long enough for an employee who has decided to leave to cause significant harm if the right controls aren't in place.

Consider what that looks like in practice. A client list downloaded quietly in their last week in the office. Pricing data forwarded to a personal email while the borrel was still being organised. Detailed meeting notes from a highly confidential project.

These are not hypothetical threats. They form a common pattern in predictable places. Think salespeople heading to a competitor who'd love a copy of your ‘at risk of churn’ customer list and prospect pipeline. Engineers with access to codebases and credentials after their departure. Finance staff who know exactly where payroll data, forecasts and acquisition plans are stored. The risk isn't always evenly distributed across your organisation, but your offboarding process probably treats it as if it is.

The harder truth is that most of this happens because systems allow it to. An employee in their final weeks still has the same access they had on day one. Nobody has thought to narrow it down and nothing has been flagged. And so the window stays open, right up until (and sometimes well past) the moment they walk out the door.

The answer isn't to treat every leaver as a threat, but nothing should be left to chance. When offboarding triggers automatic access reviews that are graded by role, seniority and sensitivity, the window shrinks.

Offboarding and data compliance

Dutch data protection law operates under the EU's GDPR framework – known locally as the AVG (Algemene verordening gegevensbescherming) – enforced by the Autoriteit Persoonsgegevens (AP). The AP expects organisations to demonstrate that former employees can no longer access personal data, not simply claim that they can’t.

If the AP investigates following a breach, 'we believe access was removed' will not satisfy the burden of proof. What regulators will expect is a precise, timestamped record of every permission that existed, every system that was accessible and every action taken at the point of departure. That standard of documentation is a legal requirement, not best practice.

But the compliance picture in the Netherlands involves more than AVG alone. 

Under the Wet op de ondernemingsraden (WOR), Dutch works councils – the Ondernemingsraad – have formal consultation rights over the introduction of systems that affect employees, including HR technology and automated processes. Introducing a unified offboarding platform without Ondernemingsraad consultation could create legal exposure and delay implementation significantly.

This means that for many Dutch organisations, implementing automated offboarding isn't simply an IT decision. It requires structured engagement with works council representatives, which takes time and documentation.

Responsibility for offboarding is then further distributed across HR, IT and the Ondernemingsraad, with no single function owning the process end to end. The result is familiar: gaps, delays and documentation that wouldn't survive regulatory scrutiny.

The stakes are higher still in regulated sectors. Financial services firms operating under DNB (De Nederlandsche Bank) and AFM oversight, healthcare organisations bound by the Wet op de geneeskundige behandelingsovereenkomst (WGBO) and legal practices handling confidential client matters all face elevated risk when a departure is not handled precisely. And for organisations that also rely on ZZP contractors in these sectors, the exposure is doubled. Contractor access is rarely tracked with the same rigour as permanent staff and almost never revoked with the same urgency.

A former employee retaining access to client records or patient data, even briefly or inadvertently, can trigger regulatory scrutiny that extends well beyond IT.

The question for Dutch HR and compliance teams is whether their offboarding process is sufficiently precise, documented and defensible to withstand scrutiny – whether that's from the AP, an auditor or an Ondernemingsraad that decides to ask difficult questions.

Closing the loops for good

If onboarding is about granting access and permissions, good offboarding is about revoking them safely. Without data loss, without operational disruption and without legal exposure.

The problem is that most organisations are attempting to manage modern offboarding with systems that were never designed to work together. HR holds one view. IT holds another. The Ondernemingsraad a third. Nobody has the complete picture. And in a country where regulatory expectations are high and works council oversight is real, an incomplete picture is a compliance liability.

The organisations getting this right are moving toward unified platforms where a departure triggers every downstream action automatically. Access is removed. Payroll stops. Equipment is flagged for return. A full audit trail is generated, the kind that satisfies an AP investigation, a DNB audit or an Ondernemingsraad review.

Nothing falls through the gap, because there are no gaps.

That matters operationally. It matters legally. And it matters for the 62% of employees who say they would consider returning to a company that offboarded them well – and the 55% whose poor experience surfaces eventually on Glassdoor or Indeed.

Every business invests in getting people settled in. Far fewer invest in getting them out safely. And yet it's the exit of an employee, not the arrival, that’s the biggest risk to compliance, network security and company IP.

Your onboarding process has an owner and a way to measure whether it's working. It's time your offboarding did too.

Disclaimer

Rippling and its affiliates do not provide tax, accounting or legal advice. This material has been prepared for informational purposes only, is not intended to provide tax, accounting or legal advice, and should not be used as such. You should consult your own tax, accounting and legal advisors before engaging in any related activities or transactions.
