What Really Happens to Company Data When an Employee Leaves

When an employee hands in their notice, most companies focus on the handover: knowledge transfer, client communication, and final payroll. But offboarding timelines and system access are not always closely coordinated, leaving gaps in visibility and control.

The employee leaving process unfolds in stages, and each stage brings its own considerations. Here’s a breakdown of the key moments in offboarding, and where alignment matters most.

1. The resignation lands: HR receives the notice and begins the exit process

When an employee resigns, the process typically starts in HR, with a focus on managing the employee’s transition and formal departure.

Here’s what typically happens at this stage:

• Departure date logged: HR records the official last day and begins building the offboarding timeline around it
• Exit interview scheduled: A meeting is arranged to gather feedback and formally close out the employment relationship
• Handover tasks assigned: The outgoing employee is asked to document ongoing projects, client contacts, and institutional knowledge
• Payroll and benefits flagged: Finance and HR coordinate final compensation, accrued leave, and benefit termination dates
• IT has not yet been notified: In most organizations, the resignation triggers an HR workflow; IT receives no automated alert at this stage

Potential risks: Because the resignation is captured in an HR system rather than a shared IT workflow, there is often no automatic trigger to begin deprovision planning. IT may not learn about the departure until days later or, in some cases, not until the employee has already left. During this window, the employee retains full access to every system they have ever been provisioned on.

Discover more with A Practical Guide to HR–IT Communication for Employee Lifecycle Execution.

2. The notice period begins: the employee continues working with full system access

During the notice period, the departing employee continues their day-to-day work. They attend meetings, send emails, access files, and use every tool they were provisioned on.

From a systems perspective, little changes:

• Business-as-usual access: The employee continues logging into all core systems, including SaaS tools, cloud storage, email, and collaboration platforms, with no change to permissions
• Ongoing data activity: Files are opened, edited, and downloaded as part of day-to-day work, with the potential to be copied or moved outside company-controlled environments
• Communication remains active: The employee continues sending and receiving emails and messages, including potentially sensitive client or internal information
• Unmanaged access persists: Any accounts or credentials created outside formal IT processes, such as API tokens, shared logins, or self-provisioned tools, remain active and largely invisible

Potential risks: The notice period is a point where access and activity remain fully active while an employee is transitioning out of the organization. During this time, files may be downloaded, shared, or moved as part of normal work or handover. In some cases, this can include copying information for reference or continuity, without clear visibility into where that data ends up. Because access typically remains unchanged, this activity is not always differentiated from routine usage.

See also: What Happens When Access Is Not Revoked on Time

3. The last day arrives: access and asset recovery are finalized

On the final day of employment, the focus shifts to finalizing access changes and recovering company assets. Depending on how offboarding is structured, IT may already be working from a defined plan or may begin coordinating these actions at this stage.

Here are the typical actions at this stage:

• Equipment return coordinated: IT or HR arranges for the return of the company laptop, phone, and any peripherals
• Account access removed: Access is revoked across known systems, often starting with email and core productivity tools
• User account disabled: The employee’s account is deactivated in the main system used to manage access (such as a directory, identity provider, or individual tools)
• Access review completed: A checklist or system view is used to confirm which tools have been deprovisioned and which still require action
• Device handled: The returned device is prepared for wipe, redeployment, or storage

Potential risks: When deprovisioning is triggered manually on the last day, the process is compressed and error-prone. IT may not have a complete picture of every application the employee accessed, particularly SaaS tools provisioned outside of IT's view. Applications accessed via personal credentials, OAuth tokens, or browser-saved passwords are routinely missed. If the employee's last day falls on a Friday afternoon or before a holiday, the process may be partially completed and left open over the weekend.

Read: The Most Common Offboarding Failures in Remote Teams

4. The device leaves the building: data persists on hardware that is no longer in IT's hands

Whether the employee is remote or in-office, their company device physically departs at or around the time of their exit. What happens to the data on that device depends entirely on whether IT has managed it correctly throughout its lifecycle.

Here is what happens:

• Device collected or shipped back: In-office employees return hardware directly; remote employees receive a return shipping label or prepaid box, adding days or weeks to the timeline
• Local data remains on the device: Any files saved locally (rather than to cloud storage) remain on the disk until it is wiped
• Encryption status determines exposure: If the device was encrypted via Mobile Device Management (MDM) throughout employment, local data is protected, but if it was not, it is readable
• Device enters a return queue: Returned hardware is typically logged and queued for wipe and redeployment, a process that can take days or weeks, depending on team capacity

Potential risks: The gap between device collection and certified data erasure is a common compliance risk. If a device is lost or stolen in transit, or sits unwiped in a return queue, local company data remains accessible. For organizations in regulated industries, this gap is an audit failure waiting to happen. BYOD arrangements compound the problem: IT has no visibility into what company data exists on personal hardware, and no ability to wipe it selectively without the employee's cooperation.

Find out more with: 7 Ways Company Data Can Be Exposed When Employees Leave

5. Access revocation completes: visibility across SaaS applications varies

In the days following departure, teams work to finalize access across systems. Because application usage is not always fully centralized, visibility can vary depending on how tools are managed.

At this stage, remaining access across systems is reviewed and finalized:

• Core systems deprovisioned: Email, Slack, and core productivity tools are typically revoked quickly, as they are the most visible and centrally managed
• Secondary SaaS tools require follow-up: Tools adopted at the team or department level (such as project management platforms, analytics tools, or CRM integrations) may sit outside central IT workflows
• OAuth connections remain linked: Applications authorized via Google or Microsoft OAuth can stay connected unless each integration is explicitly reviewed and revoked
• Shared credentials continue to work: Access based on shared login details remains active unless those credentials are updated
• Browser-saved access persists: Credentials saved in a browser profile on a personal device may still allow access outside the organization

Potential risks: Research consistently shows that a significant portion of SaaS access is never formally provisioned: it accumulates through self-service sign-ups, team-level tool adoption, and OAuth integrations. After an employee leaves, these accounts remain open indefinitely unless someone specifically identifies and closes them. In some documented cases, former employees have accessed company systems weeks or months after their departure date, either by accident or by intent.

See: How Deel IT Simplifies Identity and Access Management for Global Teams

6. After offboarding: maintaining visibility into data and access

After offboarding is complete, the data and systems an employee interacted with remain in place across the organization. Maintaining visibility into how that data is stored, accessed, and documented becomes an ongoing responsibility.

This is most noticeable across the following areas:

• Shared files remain in circulation: Documents created or co-owned in Google Drive, SharePoint, or Notion continue to exist under their existing permissions structure
• Email history is retained: Past email threads involving clients, financial information, or legal matters remain in the employee account or archive unless reviewed
• Audit logs require active review: Activity from the notice period and final day remains available, but typically requires dedicated tooling or processes to analyze
• Compliance requires documentation: In regulated environments, teams may need to demonstrate that access was revoked on time, devices were handled correctly, and offboarding steps were completed as expected
• Inactive accounts may persist: Any accounts not fully deprovisioned remain in the environment until they are identified and addressed

Potential risks: The longer the post-departure period goes unreviewed, the harder it becomes to reconstruct a clear picture of what happened to company data. Ghost accounts that remain active become entry points for credential stuffing attacks or phishing. Compliance teams face the dual problem of proving that revocation happened correctly and explaining any anomalies in access logs during the notice period. Without automated, auditable records, this is almost impossible to demonstrate to a regulator.

See also: Improve IT Compliance with Automated Device Management

Employee data offboarding checklist

Here’s a quick checklist to help plan and track offboarding from the moment a departure is confirmed, keeping access, devices, and data aligned along the way.

Find out more about how to strategically onboard and offboard employees. Download: Strategic IT Onboarding and Offboarding Guide

Ensure seamless and secure offboarding with Deel IT

Every departure creates a window where company data is at risk, and in most organizations, that window stays open far longer than it should.

Deel IT connects HR and IT into a single automated workflow, so that every departure triggers a controlled, auditable data separation process: from the moment a last day is set to the moment a device is certified clean.

Here's what Deel IT does when an employee leaves:

• Automated offboarding triggers from HR data: When a departure date is logged, Deel IT can trigger offboarding workflows based on HR data, reducing the need for manual handoffs between teams
• Application deprovisioning across connected tools: Deel IT revokes access across applications that are integrated and configured within its access management system, helping ensure core systems are addressed during offboarding
• IAM and SSO-connected access revocation: Deprovisioning flows through the employee’s identity provider to disable Single Sign-On (SSO) and update access across connected systems
• Role-Based Access Control (RBAC) throughout employment: Because access is structured by role from day one, deprovisioning is more consistent and easier to manage when an employee leaves
• End-to-end device return and certified erasure: Deel IT manages return logistics for remote employees and supports certified data erasure before devices are redeployed or decommissioned
• Multi-Factor Authentication (MFA) and credential security at offboarding: Access tied to centrally managed authentication systems is revoked as part of the offboarding process
• Audit and activity logs for offboarding actions: Key actions across access management and device workflows are logged with timestamps, supporting audit and compliance review
• Global consistency across 130+ countries: Deel IT supports a standardized offboarding process across regions, helping teams manage access, devices, and workflows consistently for distributed teams

Book a demo to see how Deel IT handles employee offboarding end-to-end.