Complacency is expensive: Nearly €48 million in fines were imposed on German companies in 2020 for violating the GDPR. In Europe, this figure reached €158 million. Sums that companies lose, among other things, because they do not have former employees return their company devices, restrict access rights, or revoke licenses after offboarding. The reason for this is that data gaps or even data theft due to inadequate offboarding pose a major risk. In contrast to onboarding, companies do not attach the same importance to the offboarding process. They risk a loss of image, legal disputes, and high costs due to penalties in the process – developments that can be avoided. And the urgency is greater than ever.
A study conducted by Microsoft concluded that 40 percent of all employees worldwide is considering leaving their current employer. A well-developed concept that includes all the important steps for each phase helps companies successfully deal with the offboarding process.
Day 1: first day at work
Strictly speaking, offboarding starts on the employee’s first day of work. We should look at onboarding and offboarding less as a linear process and more as a cycle in which things sometimes even run in parallel.
- Both client management and license management are issues that IT service management needs to deal with. Each device issued by an IT department needs to be registered and listed in the inventory. The same applies to software licenses, access rights to programs, including passwords, and release authorizations. At this stage, the IT department lays the foundation for proper offboarding because assets and licenses are transparent and visible throughout the lifecycle. When an employee leaves the company, the IT department does not need to first make a record of it on the last day of work. But rather it can immediately deal with restricting all access rights and having devices returned quickly and comprehensively.
- The focus for security in this phase is placed on encrypting all devices and logging data communications. The greatest risk lost devices or old devices without active management. You can counteract this situation by implementing comprehensive device encryption. Any medium that stores sensitive or highly sensitive data, such as hard disks, folders, external data carriers, requires adequate encryption. Then if a device is lost, it is no longer a problem.
- Logging data communications from day one is an important issue, just like device encryption. Why is that the case? Deviations in data usage can indicate that an employee is siphoning off company data and storing it on a USB flash drive – to potentially use later on for unauthorized purposes elsewhere – despite the fact that company data is protected by law. But a change in the data flow (for example, a few days before the last day working at the company) is only noticeable when one knows the average data consumption. So this means that proactive precautions are needed here, as well.
Day x: employee announces departure
- Day x, the employee announces their departure from the company. It is irrelevant to the IT department why the employee is leaving. However, from this day on, the focus shifts even more to monitoring data consumption. Is the volume of data increasing? Is it necessary to block the account to protect corporate data? Such a drastic step is usually not necessary, but one has to be cautious when it comes to data communications.
- The offboarding phase should also include a reassessment of all devices and licenses to plan to have them blocked and for their return. This is because the IT department can often restrict access rights in advance of the deadline, enabling it to act more quickly on the last day at work. Preparations and transparency are required here, as well. This also makes it easier to restrict access rights ahead of time.
The following example shows how important an orderly offboarding is. A U.K. company laid off nearly 200 employees in an effort to cut costs. One employee started live tweeting the announcement while it was going on; the company had to watch on helplessly as only this employee had access to the platform. This is a problem that does not even arise with proactive management and ensures the company’s ability to act.
Day 0: last day at work
- The employee leaves the company on day 0. The standard procedure is to hand in all devices, as well as for restricting all access rights, at the latest. Ideally, the IT department should also be thinking about the onboarding of new candidates. Onboarding (if job requirements remain the same) and reuse of devices can be streamlined if there is a proper digital handover protocol. Such a protocol needs to include a list of all devices, programs, and access rights.
- In the next step, IT managers prepare the returned devices for reuse. This step ensures that there really is no more data stored on the computer, for example. As an added bonus, reused devices means that the company does not need to purchase new ones, saving yet more costs. After all, employees use the entire range of company-owned devices today – from smartphones to laptops or tablets, including monitors and other hardware. Just in terms of climate protection, it makes sense to prioritize sustainability and reuse.
Then nothing can stand in the way of onboarding a new employee; it is all made possible by conscientious offboarding. Even more important: Strategic offboarding protects corporate data and prevents enormous damage – both in terms of money and a company’s image.
Offboarding process optimization through automation
As we just explained, when an employee leaves a company, it always means a great deal of work for the IT department. If we project this over the course of the year and the number of departing employees, a conscientious implementation of the steps does not seem feasible. But how can the IT department maintain an overview during the process while saving resources? This article provides some insight.