Someone hands in their resignation on a Friday. HR sorts out the paperwork. The manager says goodbye. And on Monday, the ex-employee’s email account is still active, their files are still in OneDrive, they still have VPN access, and their password to the accounting system has not changed.
This happens more often than most business owners realise. When a staff member leaves, the IT side of the departure is usually the last thing anyone thinks about. And it creates real risks: data walking out the door, accounts being accessed by someone who no longer works for you, and under POPIA, potential compliance problems.
The risks nobody thinks about until it is too late
When we help clients with offboarding, these are the gaps we find most often:
Email access stays open. The employee’s Microsoft 365 or Google Workspace account remains active. They can still read incoming emails, reply as your company, and access shared mailboxes. In some cases, they set up email forwarding to a personal address before they left, and nobody noticed.
Cloud files are still accessible. OneDrive, Google Drive, Dropbox, whatever your business uses. If the employee’s account is still active, they can still access (and delete) their files. And if they synced company files to a personal device, those files go home with them.
Shared passwords are not changed. Many small businesses share passwords for certain systems: the alarm panel, the office WiFi, the shared email account, a cloud application that does not support individual logins. When someone leaves, all of those shared passwords need changing. They almost never do.
VPN and remote access remain active. If the employee had VPN access to your network, that connection still works until someone disables it. They can access internal systems from anywhere.
Application accounts persist. The accounting software login, the CRM account, the project management tool. Each one needs to be disabled or have its password changed. Small businesses often have a dozen or more applications with separate logins, and nobody keeps a complete list.
What POPIA says about this
Under the Protection of Personal Information Act, your business is responsible for protecting the personal data you hold. That obligation does not pause when someone resigns.
Three POPIA requirements are directly relevant:
Access control (Condition 7). POPIA requires “appropriate, reasonable technical measures” to prevent unauthorised access to personal information. A former employee with active access to client records is a clear gap.
Data minimisation (Condition 2). You should only process personal data for the purpose it was collected. An ex-employee accessing client data has no legitimate business purpose for doing so. Leaving their access open is a compliance failure.
Breach notification. If a former employee accesses or leaks personal data after leaving, that could constitute a data breach requiring notification to the Information Regulator and affected individuals. The fact that you simply forgot to disable their account is not a defence.
This is not theoretical. We have seen cases where a former employee’s email account was used months after they left, either by the person themselves or by someone who compromised the unmaintained account.
For more on how POPIA applies to your IT setup, see our article on POPIA as an IT problem.
The IT offboarding checklist
When a staff member leaves, run through this list on their last day or the day before:
Email:
- Disable the account (do not delete it immediately – you may need the data)
- Remove forwarding rules (check for any rules the employee may have set up)
- Set an auto-reply directing senders to the appropriate person
- Revoke access to shared mailboxes and distribution groups
Cloud storage:
- Transfer ownership of their OneDrive/Google Drive files to their manager
- Check for files shared externally (with personal email addresses or external parties)
- Revoke sharing permissions on company documents
System access:
- Disable their Active Directory or Azure AD account
- Revoke VPN access
- Change shared passwords they knew about (WiFi, alarm, shared accounts)
- Disable their account in every application (accounting, CRM, project tools, etc.)
Devices:
- Collect company laptops, phones, and tablets
- Wipe company data from personal devices if they used their own (BYOD)
- Check for locally stored company files on returned devices
Multi-factor authentication:
- Remove their MFA registration from company accounts
- If they used their personal phone for MFA on company accounts, revoke that device
Documentation:
- Record what was disabled and when
- Note any data transferred to other staff
- Keep records of access revocation for POPIA compliance
What to do with the email account after they leave
This is the question every business wrestles with. The employee is gone, but their email account still receives messages from clients and suppliers.
Do not delete it immediately. There may be important correspondence, files, or contacts in the mailbox that the business needs. Deleting the account destroys all of it.
Disable sign-in but keep the mailbox. In Microsoft 365, you can block sign-in while keeping the mailbox active. This means the employee cannot access it, but the data is preserved and can be accessed by an administrator.
Convert to a shared mailbox. In Microsoft 365, you can convert a former employee’s mailbox to a shared mailbox. This does not require a licence (saving you the monthly cost), and it allows a colleague to access the email without logging in as the former employee.
Set a retention period. Keep the mailbox for a reasonable period – three to six months is common – then archive or delete it. How long depends on your business and what data the account contains. Under POPIA, you should not keep personal data longer than necessary.
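The Microsoft 365 steps from the email checklist and this section, as an added PowerShell example (not a script from this article's author). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the operator has user and Exchange administrator rights; the addresses, reply text and log file name are placeholders.

```powershell
# Added example. Addresses, reply text and log path are placeholders.
$Leaver  = 'leaver@example.co.za'
$Manager = 'manager@example.co.za'
$Reply   = "This mailbox is no longer monitored. Please contact $Manager."

Connect-MgGraph -Scopes 'User.ReadWrite.All'
Connect-ExchangeOnline

# Block sign-in, then revoke refresh tokens so existing sessions cannot be renewed.
Update-MgUser -UserId $Leaver -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Leaver | Out-Null

# Record, then clear, forwarding configured on the mailbox itself.
$fwd = Get-Mailbox -Identity $Leaver |
    Select-Object ForwardingAddress, ForwardingSmtpAddress
Set-Mailbox -Identity $Leaver -ForwardingAddress $null `
    -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# Disable (rather than delete) inbox rules that forward or redirect mail,
# so they remain available for review.
$rules = @(Get-InboxRule -Mailbox $Leaver |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo })
foreach ($rule in $rules) {
    Disable-InboxRule -Identity $rule.Identity -Confirm:$false
}

# Auto-reply pointing senders to the right person.
Set-MailboxAutoReplyConfiguration -Identity $Leaver -AutoReplyState Enabled `
    -InternalMessage $Reply -ExternalMessage $Reply

# Convert to a shared mailbox and let the manager open it from their own account.
Set-Mailbox -Identity $Leaver -Type Shared
Add-MailboxPermission -Identity $Leaver -User $Manager `
    -AccessRights FullAccess -InheritanceType All | Out-Null

# Keep a dated record of what was done.
[pscustomobject]@{
    User              = $Leaver
    CompletedAt       = (Get-Date).ToString('s')
    ForwardingCleared = "$($fwd.ForwardingSmtpAddress) $($fwd.ForwardingAddress)".Trim()
    RulesDisabled     = ($rules.Name -join '; ')
    MailboxAccessTo   = $Manager
} | Export-Csv -Path .\offboarding-log.csv -Append -NoTypeInformation
```

The script does not touch shared-mailbox or distribution-group membership, other applications, or devices; those checklist items still need to be worked through separately.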
Making offboarding routine, not reactive
The reason offboarding is handled badly is that it is reactive. Someone leaves, and then the business scrambles to figure out what access they had.
The fix is simple: maintain a list of every system, application, and account that each employee has access to. When they leave, work through the list. This does not need to be complicated. A spreadsheet is fine. The important thing is that it exists and gets updated when new tools are added or access changes.
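One way to turn such a spreadsheet into a per-leaver work list, as an added PowerShell example (not from the original article). The column names, employee names and systems are constructed sample data, and `Get-OffboardingPlan` is a hypothetical helper.

```powershell
# Constructed sample inventory: one row per employee per system.
$inventory = @'
Employee,System,AccountType,Owner
thandi,Microsoft 365,individual,IT
thandi,Accounting package,individual,Finance
thandi,Office WiFi,shared,IT
thandi,Alarm panel,shared,Facilities
sipho,Microsoft 365,individual,IT
sipho,Office WiFi,shared,IT
'@ | ConvertFrom-Csv

function Get-OffboardingPlan {
    param(
        [Parameter(Mandatory)] [string]   $Employee,
        [Parameter(Mandatory)] [object[]] $Inventory
    )
    $rows = @($Inventory | Where-Object { $_.Employee -eq $Employee })
    if ($rows.Count -eq 0) {
        # A missing entry means the access is unknown, not that there is none.
        throw "No inventory rows for '$Employee'. Access must be traced by hand."
    }
    foreach ($row in $rows) {
        $shared = $row.AccountType -eq 'shared'
        # Remaining staff who use the same shared credential need the new one.
        $others = @($Inventory | Where-Object {
            $_.System -eq $row.System -and $_.Employee -ne $Employee
        } | ForEach-Object { $_.Employee } | Sort-Object -Unique)
        [pscustomobject]@{
            System      = $row.System
            Action      = if ($shared) { 'Rotate shared password' } else { 'Disable account' }
            Owner       = $row.Owner
            NotifyAfter = if ($shared) { $others -join ', ' } else { '' }
            DoneBy      = ''   # filled in as each item is completed
            DoneAt      = ''
        }
    }
}

# Produces the checklist for one leaver; the saved file doubles as the revocation record.
Get-OffboardingPlan -Employee 'thandi' -Inventory $inventory |
    Export-Csv -Path .\offboarding-thandi.csv -NoTypeInformation
```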
If your business is on a managed IT plan, this becomes part of the service. When you tell us someone is leaving, we handle the offboarding checklist and confirm when it is done.
Need help with IT offboarding?
If someone is leaving your business and you are not sure what IT steps to take, we can help. We will make sure access is revoked, data is preserved, and nothing falls through the gaps.
Or call us directly:
Call: 087 820 5005
WhatsApp: 081 526 1626